  1. #1
    DF VIP Member Undertaker's Avatar
    Join Date
    Nov 2000
    Location
    Earth
    Posts
    2,533
    Thanks
    39
    Thanked:        189
    Karma Level
    479

    Backtrack 3 - Tutorials

    System Security - Lesson 1

    So you want to learn how to use security distros.... let the fun begin....

    We will start within windows

    Booting USB Backtrack distro

    Shopping list

    (1) USB stick - 4 gigs is great
    (2) A blank cd
    (3) Backtrack 3 from ftp://ftp.cc.uoc.gr/mirrors/linux/ba...bt3b141207.iso
    this is the live cd version
    (4) Back track 3 http://ftp.heanet.ie/mirrors/backtrack/bt3b141207.rar
    this is the usb version
    (5) partition magic - or something similar --- grab from torrents or newsgroups

    Steps


    Burn the cd
    (1) First things first we are going to burn the livecd iso, if you can't do this please leave now. Burn and leave to one side. For those that are thinking why are we doing this, well I can't find a way to make a usb bootable under windows

    Create partitions
    (2) Now we want to create partitions on the usb drive via partition magic. I have three partitions

    partition 1 - is fat32 - 1.5 gig
    partition 2 - is swap partition - i have 512mb - can be less
    partition 3 is ext2 partition - i have the remaining space on the usb ...... If you do not have any space left on the usb you can create an ext2 partition on your local hard drive... you may be able to use fat32 but I'm not 100 percent sure...this is for advanced users, do not mess with your local partitions, you may lose everything


    Transfer files
    (3) once you have created the partition, open the rar file from the usb file and you will see bt3 and boot directories, transfer these files into partition 1. You may need to assign a drive letter to this partition before you can use it. You now have two folders in the root of partition 1

    Whilst we are there we might as well transfer some modules,
    transfer the following lzm into the module folder found under bt3/modules

    http://www.offensive-security.com/modules/kernel.lzm

    and

    http://www.offensive-security.com/modules/nvidia.lzm



    Boot via livecd
    (4) Remove the usb and boot via live cd, remember to change your bios settings to do this..... pick the first option and get into live cd. Once fully booted we need to do two things

    (a) make the usb bootable - insert your usb and run the following program bootinst.bat found in the boot folder

    (b) save changes whenever we install things --- to do this is a bit complicated to explain..... you need to create a changes folder, you create a folder named "changes" in the ext2 partition.... by hovering your mouse over the different partitions you will notice which one to put the changes folder into... there is a file explorer on the taskbar, I don't have my laptop at the moment so can't be specific..

    edit: to get into the folder explorer, click on the 3rd icon in the bottom right left hand side... see it

    Now we want to be able to boot with changes, open kedit and open boot/syslinux/syslinux.cfg
    change the pchanges bit to the following

    LABEL pchanges
    MENU LABEL BT3 Graphics mode with Persistent Changes
    KERNEL /boot/vmlinuz
    APPEND vga=0x317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw changes=/mnt/sdb3 load=nvidia,cubez autoexec=xconf;cubez;startx

    if you don't want compiz effects then remove - load=nvidia,cubez
    my ext2 partition, hence changes folder is in sdb3, that's why i put changes=/mnt/sdb3


    once that is done we can set our bios to boot via usb, if you do not have this option then you need to boot via a cd that then boots via usb but I will leave this until someone says they need this

    Boot via usb
    remove your live cd and keep for future use
    boot into the option that says pc changes and let it load

    for those that left compiz on you will notice your borders missing, you need to do the following

    open a shell and type

    nvidia-xconfig --add-argb-glx-visuals
    nvidia-xconfig -d 24

    then press ctrl+alt+backspace

    and then type startx to go back into bt3





    Disclaimer ---- I do not want to see questions on here like I have cracked my neighbours wep key and now want to hack his computer.... word it in a different way and u will get help. You could always check out remote exploit forum but I want to keep things basic in here and help out the new starters and of course be a bit more lenient with people


    please discuss any problems you have and I will try to update it accordingly, some sections need more explanation

    The great thing about doing it this way is if you screw up just empty the changes folder and everything will be the same as a first boot


    What do you want to see next?

    i have the following list

    wep cracking
    wpa cracking with tables
    metasploit
    arp spoofing, grabbing ssl certificates e.g. hotmail
    Last edited by Undertaker; 22nd February 2008 at 07:39 PM.

  2. #2
    DF VIP Member Undertaker's Avatar

    Re: System security - Lesson 1

    System Security - Lesson 2


    WEP cracking



    Now that we have backtrack 3 up and running lets see if we can crack a simple wep key, no mac filtering on.....


    Shopping list
    Wireless card ---- internet/external doesn't really matter, some work some don't.... the one I have is a usb alfa 500mw one..... connect that up to an antenna and you get ap's from over half a mile away


    Step 1
    Plug in wireless card if you need to

    Step 2
    Open a terminal... second icon in left hand corner if you haven't figured it out yet and type iwconfig.. you should have something like wlan0... Now type ifconfig.... is your wireless card there? if not type ifconfig wlan0 up ..... now type ifconfig again and it should be there. Write down the hwaddress, this is your mac address and you will need it later.

    Step 3
    Download airoscript.sh from http://www.megaupload.com/?d=0JQS05GD and place it onto the desktop... open it with kedit and change the following lines

    WIFI="" to WIFI="wlan0" or whatever it is, but you can leave it blank

    also change

    FAKE_MAC="00:01:02:03:04:05" to whatever your mac address from step 2. Some cards do not inject if the fakemac does not match your card mac.... ok some people might say i want to use a fake mac, fair enough use macchanger in terminal to do this then change airoscript accordingly

    click file, save and close... you will get a second copy, delete the new one...

    Step 4
    Right click on airoscript, permissions, make sure there is a cross in executable

    Step 5
    We need to create a wifi directory, click on the file explorer icon, 3rd from left corner

    in location put in "/" without the speechmarks, enter right click new folder, and make a folder named wifi


    Step 6
    Now open a terminal screen and drag airoscript into it... select paste and then enter..


    Step 7
    You may choose to do this differently, but this is how i do it

    scan
    then channel hopping, wait until you find access points
    then press control and c on the scanning page, this keypress closes the windows
    then select your access point
    then no for client
    then attack and number 3 --- fragmentation attack
    then wait on the green screen and press y when asked
    back on the menu select attack then number 11 fragmentation attack

    before entering y on the green screen take a look at the capturing screen, notice the data value. we need this in the region of 40-80k..... go ahead press y on the green screen.... hope you are now injecting.... keep an eye on the red screen, this is where you are fake authing, it should keep saying auth successful

    now open another terminal and type aircrack-ng -z

    do not press enter, now in file explorer type /wifi

    drag the .cap file into the terminal where you just typed aircrack-ng -z

    click paste and then enter

    wait until you get the key


    Step 8

    Now that you have the key open terminal and type iwconfig wlan0 mode managed to get it back into normal mode

    Step 9

    Click start menu, internet then wireless assistant and away you go


    if you guys want to try the wesside-ng way then let me know how it goes, I can't get it to work here



    I suggest you all learn how to do this manually without scripts, aircrack wiki is a good place to start... also try out the other options
    Last edited by Undertaker; 13th February 2008 at 01:26 AM.

  3. #3
    DF VIP Member Undertaker's Avatar

    Re: System security - Tutorials

    System Security - Lesson 3



    Grabbing hotmail passwords



    This is fairly simple,

    Open Kedit and open /usr/local/etc/etter.conf

    go here

    # if you use iptables:
    #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"


    and then take off the hashes
    so you have

    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"


    leave the first hash otherwise you will screw it up
    then file and save

    then start menu, backtrack, privilege... sniffers and then open ettercap


    from here all we do is

    select sniff and then unified scanning on your card,
    then hosts, scan for hosts, wait, and then hosts again and host list, add your host to target one
    then mitm, arp poison, and sniff remote connections then press start sniffing...


    now jump over to another pc, preferably windows... try logging into hotmail, wait for the dodgy certificate and accept.... If all goes as planned you will see the login details....

    the same can be done for shares, and other logins... for shares there is smb explorer in the backtrack menu somewhere


    With Ettercap you can do so much more, if you want to have some fun look into the plugins sections, there are bits on url redirection.... ask away if you get stuck, I'm no expert but may be able to help, if not I'm sure others will
    Last edited by Undertaker; 13th February 2008 at 01:19 AM.
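
The ARP poisoning step in Lesson 3 leaves a trace any host on the LAN can see: the attacking machine's MAC starts answering for the gateway's and the victim's IP addresses. The following is an added example, not part of the original post, that flags both signals in ARP replies; the sample lines are constructed in the style of `tcpdump -n arp` output, and the addresses and the function name `detect_arp_poisoning` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not real traffic).
# .1 is the gateway; from 10:00:09 the host at ...:30 answers for .1 and .20 too.
SAMPLE = """\
10:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:01.000400 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:01, length 28
10:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
10:00:03.000000 ARP, Reply 192.168.1.30 is-at 00:aa:bb:cc:dd:30, length 28
10:00:09.000000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:30, length 28
10:00:09.000100 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:30, length 28
10:00:10.000000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:30, length 28
"""

REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def detect_arp_poisoning(lines, gateway_ip=None):
    """Return alerts for ARP replies that contradict earlier bindings."""
    first_seen = {}                # ip -> MAC in the first reply seen for it
    ips_by_mac = defaultdict(set)  # mac -> every IP that MAC has answered for
    reported = set()               # (ip, mac) conflicts already alerted on
    alerts = []
    for line in lines:
        m = REPLY.match(line.strip())
        if not m:
            continue  # requests and unrelated lines make no binding claim
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()

        # Signal 1: an IP that was at one MAC is now claimed by another.
        known = first_seen.setdefault(ip, mac)
        if known != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"ts": ts, "kind": "binding_changed", "ip": ip,
                           "was": known, "now": mac,
                           "gateway": ip == gateway_ip})

        # Signal 2: one MAC answering for several IPs, which is what a
        # poisoner sitting between a victim and the gateway looks like.
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append({"ts": ts, "kind": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE.splitlines(), "192.168.1.1"):
        print(alert)
```

A changed binding also happens legitimately (DHCP reassignment, a replaced network card, failover pairs), so alerts with `gateway` set are the ones to look at first.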

  4. #4
    DF VIP Member Undertaker's Avatar

    Re: System Security - Tutorials

    System Security - Lesson 4

    Scanning networks


    There are many ways to do this, popular methods are nmap and autoscan


    for newbies use autoscan, start menu, backtrack, network mapping, all then autoscan... you can't get anything simpler than this

    try out nmap if you want to be stealthy, there are plenty of articles on how to use nmap, google these

    keep intrusion detection on if you are planning on catching someone connecting to your network
    Last edited by Undertaker; 13th February 2008 at 01:46 AM.

  5. #5
    DF VIP Member Undertaker's Avatar

    Re: System Security - Tutorials

    blank space for future use

  6. #6
    DF VIP Member casio's Avatar
    Join Date
    Jul 2001
    Location
    sat on my arse
    Posts
    7,400
    Thanks
    334
    Thanked:        277
    Karma Level
    866

    Re: System Security - Tutorials

    PARTITIONING TOOL

    if you don't want to use warez or pay for a partitioning tool there's a non destructive tool that's called gparted, it's a live linux distro that does all the stuff the paid versions do and it won't knacker any existing partitions when you resize and create new ones

    it's available from http://gparted.sourceforge.net
    if you don't want to waste a cd on a disk you may only use once there's instructions on how to load it on to a usb stick (although only really useful if you're partitioning a HDD, usb HDD, or a 2nd flash drive)
    http://gparted-livecd.tuxfamily.org/

  7. #7
    DF VIP Member casio's Avatar

    Re: System Security - Tutorials

    scanning networks in windows

    if you're following the lessons like i am, and you're downloading backtrack there's a windows app that's almost as simple to scan the networks with, it's called netscan and runs with windows,

    its available from here
    http://www.softperfect.com/products/networkscanner/

    after installing run netscan it opens with a menu at the top of a big white screen
    go to options> program options >a window will pop up >select shares and tick the boxes for shared resources, shared write access and in the enumerate section select all and click on ok

    go back to options > auto detect external ip> when the box pops up click on go> when its got an ip address click on use and it will vanish

    at the top of the menu there's 2 ip address boxes, the 1st is the ip you just selected (with a 0 on the end though) change the ip on the right's last 2 sections to 255.255 if you want to scan the internet, if you want to scan yourself to check your own security make the ip's match, (this time correct the 0 on the 1st ip range to what your ip is) then click start scan, you'll see the ip's pop up and start running down the page, (look for the ones with the + at the side they have shares if you've scanned the internet) your router should pop up if you've scanned yourself and then you can see if you're sharing anything with the world that you didn't know about

  8. #8
    DF VIP Member Undertaker's Avatar

    Re: System Security - Tutorials

    anybody want anything specific?

  9. #9
    DF VIP Member liaeb's Avatar
    Join Date
    Jan 2008
    Location
    UK
    Posts
    315
    Thanks
    1
    Thanked:        3
    Karma Level
    224

    Re: System Security - Tutorials

    something to help avoid the work proxy and it's limited ports..
    to allow usage of newsgroups or bypass blocked sites (without the continual search for new working web proxies) etc etc

  10. #10
    DF VIP Member Undertaker's Avatar

    Re: System Security - Tutorials

    these workplaces have everything locked down tight... have you considered looking into tunneling over ssh (vnc )

  11. #11
    DF VIP Member casio's Avatar

    Re: System Security - Tutorials

    if you're on a system that's got a net connection but you're not allowed to use it and they've locked down most things like the browser etc, use your calculator

    open the calculator click on help topics, then when the new window pops up right click on the menu bar at the top (above hide back forward etc) and it says move, restore etc click on jump to url and then enter the web address you want to go to, most IT depts don't lock that down cos not that many people know of it

    hope its of help to someone

    cas

    as for what I'd like to learn how about learning to get access to hidden shares (in debian i can view all the shares but can't access them all) is it possible, also maybe learning people how to set up a dun connection so they can use their mobile rather than paying for a usb modem ?


    oooh i thought of another, there's something called hacksaw? i could be wrong, where you plug a usb key in and it reads from some sw that's on the system and copies keystrokes etc, i think i saw it on hak5 a while ago,
    Last edited by casio; 22nd February 2008 at 09:11 PM. Reason: thought of something else

  12. #12
    DF VIP Member Freddy's Avatar
    Join Date
    Mar 2006
    Location
    cuntsville
    Posts
    6,201
    Thanks
    3
    Thanked:        13
    Karma Level
    783

    Re: System Security - Tutorials

    Great work Undertaker. Thank you.

    Sticky?

  13. #13
    DF VIP Member liaeb's Avatar

    Re: System Security - Tutorials

    Quote Originally Posted by Undertaker View Post
    these workplaces have everything locked down tight... have you considered looking into tunneling over ssh (vnc )
    funny you say that as I was reading an article on it only yesterday haven't had the time to give it a go yet but likely will on my next quiet day!


    Casio also at XX:XX (time) /interactive XX (command) seems to work well with avoiding group policy

    ie;
    at 16:01 /interactive mmc
    ran at 4.00pm would launch MMC in a minutes time with system credentials

  14. #14
    DF VIP Member casio's Avatar

    Re: System Security - Tutorials

    and would you be putting that in terminal in windows (or cmd or what ever its called)

  15. #15
    DF VIP Member liaeb's Avatar

    Re: System Security - Tutorials

    aye sorry, thinking now pretty useless really.. as I expect the poor buggers can't run either lol

  16. #16
    DF VIP Member casio's Avatar

    Re: System Security - Tutorials

    is there any chance of an updated wep cracking with backtrack 2 or maybe ubuntu (most people i know who are running linux use ubuntu and I'm not sure but i think it is a version of debian)

    personally i can't get backtrack 3 to run whatever i do be it burn at 1x etc, I've tried to do the other version in the other thread in backtrack 2 but wesside-ng doesn't seem to work whatever i do and even though I've tried to follow this thread i think it's specific to bt3 cos it doesn't seem to be doing the job in bt2, I've got my 2nd router set up and running wep with the dog's name as the password so i know if it cracks it and there's been nothing even close so far

  17. #17
    DF VIP Member Undertaker's Avatar

    Re: System Security - Tutorials

    exclusive to df

    I've got something special for you guys later

    a full plug and play system

    software needed will be uploaded to a private server -- most likely VIP only

    at the moment I am just downloading, configuring that kind of thing...

    keep checking back

  18. #18
    DF VIP Member DJ OD's Avatar
    Join Date
    Jul 2001
    Location
    On da decks.
    Posts
    10,114
    Thanks
    1,008
    Thanked:        2,254
    Karma Level
    1105

    Re: System Security - Tutorials

    Quote Originally Posted by Undertaker View Post
    most likely VIP only
    Ooooooooowwwwwwwwwwaaaaaaaaaaahhhhhhhhhhhhhh!!!!!!!



    DJ OD

  19. #19
    DF VIP Member Undertaker's Avatar

    Re: System Security - Tutorials

    ok, the iso is 2gig

    does anyone know where I can upload it?

  20. #20
    DF VIP Member casio's Avatar

    Re: System Security - Tutorials

    the ng's if you have an account just password protect the files and share the password in the vip area?
