Saturday, November 27, 2010

Backtrack 3/4 on Acer Aspire One


Introduction

After getting my netbook, what to do next? Hmmm, maybe take advantage of its great Atheros card to "play" for a while?? Alright!! In this post I will write tips, tricks and howtos to take advantage of the Backtrack security distro http://www.remote-exploit.org/backtrack.html for fun.


Installation on a Hard Drive


You can run Backtrack 3 from a pendrive as a live CD system without problems, but you can also copy it to your hard drive and keep the changes after every reboot.
To do so just follow this howto, which I find great: http://kin.calvin.free.fr/blog/?p=16. In my case I kept the boot loader that comes with the Linpus distro installed originally. As you can see in my post about this netbook, Grub has a weird behaviour when you want to boot more than one system (check AspireOnePost).
Having this in mind, go to the Grub configuration file, which should be at /boot/grub/grub.conf, and add the following lines after the Linpus Linux booting parameters. I will also show the parameters for booting Windows in case you also want to install it. Take care with the partition numbers as they don't have to be the same as mine.
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/cbg2.xpm.gz
hiddenmenu

title Linpus Linux
        rootnoverify (hd0,0)
        kernel /boot/bzImage ro root=LABEL=linpus vga=0x311 splash=quiet loglevel=1 console=tty1 nolapic_timer
        initrd /boot/initrd-splash.img

title Backtrack 3
        rootnoverify (hd0,1)
        kernel /boot/vmlinuz ro root=/dev/sda2 vga=0x0F05

title Windous XP
        root (hd0,2)
        makeactive
        chainloader +1

Keep an eye on the Grub syntax: (hd0,0) refers to the first partition on the first disk, so you can see that Backtrack was installed on the second partition.

Installing Nessus


Provided you fulfil the requirement of being a home user, you can use the Nessus vulnerability scanner by doing the following:
  • Download the Nessus and NessusClient Fedora Core 8 RPMs from the Nessus website; it's important to choose the Fedora 8 binaries.
  • Convert them to TGZ:
rpm2tgz Nessus-3.2.x-fc8.i386.rpm
rpm2tgz NessusClient-3.2.x-fc8.i386.rpm

  • Use pkgtool (in the same directory where you downloaded the client and server) to get an ncurses interface that will install those two packages:
pkgtool

  • Configure things a bit (put the libraries where appropriate, and so on):
cd /opt/
# no trailing colon on PATH: an empty entry would make the shell search the current directory too
export PATH=$PATH:/opt/nessus/sbin:/opt/nessus/bin
cp /usr/lib/libssl.so /lib
cp /usr/lib/libcrypto.so /lib
cp /opt/nessus/lib/libnessus.so.3 /lib
cp /opt/nessus/lib/libnessusrx.so.0 /lib
cp /opt/nessus/lib/libpcap-nessus.so.3 /lib
cd /lib
ln libssl.so libssl.so.6
ln libcrypto.so libcrypto.so.6

echo "/opt/nessus/lib" >> /etc/ld.so.conf

ldconfig

  • Then add the users that can use Nessus (it requires authentication):
/opt/nessus/sbin/nessus-mkcert
/opt/nessus/sbin/nessus-adduser
  • Finally register Nessus and, with the key they will provide you, update the plugins this way (note: it takes some time to update all plugins):
cd /opt/nessus/etc/nessus
nessus-fetch --register XXX-YYY-ZZZ-VVV

  • To run the server just type:
/opt/nessus/sbin/nessusd

The client should be located in your Internet applications menu or at this path:
/opt/nessus/bin/NessusClient


Playing with Wireless


First steps


The Aspire One comes with a nice Atheros wireless card and Backtrack 3 has the drivers needed to put the card in monitor mode (sniff) or to reinject packets. To use all this functionality you should get used to the wlanconfig, airmon-ng, aircrack-ng and aireplay-ng tools.

Starting kismet


First you have to edit its config file and modify the following line:
vi /usr/local/etc/kismet.conf
source=madwifi_ag,wifi0,madwifi-ng
# afterwards just launch kismet:
kismet

Kismet will create a dedicated new interface. If you are capturing packets on a certain channel with another interface, kismet will cause trouble and start channel hopping on the other interfaces in use, so take care when running kismet together with, for example, airodump-ng.

Create a new interface with monitor mode enabled


airmon-ng stop ath0
airmon-ng start wifi0

Capturing packets focusing on one AP


airodump-ng --bssid <victim_router_mac> -c <channel_used_by_victim_router> -w <file> <wireless_iface>


Send disassociation frames to a specific (connected) client


aireplay-ng -0 5 -e <ESSID> -a <router_mac> -c <connected_client_mac> <wifi_iface>


Replaying arp packets


In order for the replay to be effective you have to be associated with the AP; you can achieve this by issuing the following command, where the fake MAC is the MAC of an already connected user. Otherwise, if you are replaying packets of a non-associated client, the AP will discard them.
aireplay-ng -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

Some APs like this format of association better:
aireplay-ng -1 6000 -o 1 -q 10 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

Where:
  • 6000 - Reauthenticate every 6000 seconds
  • -o 1 - Send only one type of packet each time; by default different types of association frames are sent, which could confuse the AP.
  • -q 10 - Send keepalive packets every 10 seconds (a keepalive is not the same as a reauthentication).

Debugging network traces with tcpdump


tcpdump -n -e -s0 -vvv -i <iface>

11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
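The deauthentication line above is exactly what a victim of the aireplay-ng -0 command from the previous section sees on the wire. The following is an added example (not from the original post) that turns that observation into a detector: it parses tcpdump 802.11 lines of the shape shown above and flags any sender/target pair that produces a burst of deauthentication or disassociation frames inside a short window. The sample trace is constructed in that shape; the regular expression, the threshold and the window size are my assumptions, not tcpdump or aircrack-ng defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the shape of the "tcpdump -n -e" 802.11 line shown above:
# timestamp, optional "<n>us" duration, BSSID/DA/SA, then the frame description.
# (Assumed shape for this example; other tcpdump versions may print more fields.)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:\d+us\s+)?"
    r"BSSID:(?P<bssid>[0-9a-f:]{17})\s+DA:(?P<da>[0-9a-f:]{17})\s+"
    r"SA:(?P<sa>[0-9a-f:]{17})\s+(?P<desc>.*)$",
    re.IGNORECASE,
)

# Constructed sample capture: six deauth frames from the AP to one client in
# about one second, one beacon, and a single deauth to a second client later.
SAMPLE_TRACE = """\
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.520100 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.700900 0us BSSID:00:14:6c:7e:40:80 DA:ff:ff:ff:ff:ff:ff SA:00:14:6c:7e:40:80 Beacon (HOME) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 6
11:04:34.880300 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:35.040200 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:35.210600 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:35.380400 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:09:01.100000 314us BSSID:00:14:6c:7e:40:80 DA:00:1b:77:aa:bb:cc SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
"""


def parse_frame(line):
    """Return a dict for one tcpdump 802.11 line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "bssid": m.group("bssid").lower(),
        "da": m.group("da").lower(),
        "sa": m.group("sa").lower(),
        "desc": m.group("desc"),
    }


def is_deauth(frame):
    """Deauthentication and Disassociation are the two management frames that knock a client off."""
    return frame["desc"].startswith(("DeAuthentication", "Disassociation"))


def find_deauth_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(sa, da): n} for sender/target pairs that produced at least
    `threshold` deauth/disassoc frames inside some span of length `window`.
    A real AP sends these sparsely; a burst is the signature of a deauth flood."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        frame = parse_frame(line)
        if frame is not None and is_deauth(frame):
            stamps_by_pair[(frame["sa"], frame["da"])].append(frame["ts"])

    floods = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[pair] = peak
    return floods


if __name__ == "__main__":
    for (sa, da), n in find_deauth_floods(SAMPLE_TRACE.splitlines()).items():
        print(f"deauth burst: {n} frames from {sa} to {da}")
```

Feed it a live capture with `tcpdump -n -e -l -i <iface> | python3 deauth_watch.py` style piping (reading `sys.stdin` instead of `SAMPLE_TRACE`); a burst whose DA is ff:ff:ff:ff:ff:ff deserves a lower threshold, since one broadcast deauth hits every associated client at once.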


Connect to a Wep protected network


iwconfig ath0 key <s:ASCII string of key> essid <essid>
dhclient ath0


Startup a fake access point to share your internet access


Modify it for your needs (networks, ESSID, IPs, gateway, etc.).
  • LAN == ETH0 (ethernet)
  • WAN == ATH0 (wireless)
  • 10.0.0.0/24 == ATH0 LAN
  • 192.168.1.0/24 == ETH0 LAN
  • 192.168.1.1 == ETH0 GATEWAY
  • 10.0.0.1 == ATH0 GATEWAY (the Aspire one)
Note: from the Backtrack 4 release the wlanconfig command to put the wireless card in master or AP mode won't work, as by default it will load the ath5k driver, which does not support the ioctl calls. You can still get a fake AP by using the airbase-ng script. Otherwise install by hand the madwifi ath_pci driver http://forums.remote-exploit.org/backtrack-4-non-working-hardware/24348-atheros-ar5007eg-ath_pci-error.html
#!/bin/sh
# ath0 is the access point side (10.0.0.0/24), eth0 the uplink (192.168.1.0/24)
IPT="/usr/sbin/iptables"
WAN="eth0"
LAN="ath0"

# wifi stuff
echo "destroying atheros ifaces"
wlanconfig ath1 destroy
wlanconfig ath0 destroy
echo "creating ath0 as a master device"
wlanconfig ath0 create wlandev wifi0 wlanmode master
sleep 2
iwconfig ath0 essid HOME
echo "configuring IPs and default route"
ifconfig ath0 10.0.0.1 netmask 255.255.255.0 up
ifconfig eth0 192.168.1.111 netmask 255.255.255.0 up
route add default gw 192.168.1.1
echo "starting dhcp"
/etc/rc.d/rc.dhcpd start
echo "enabling forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "establishing IPtables nat rules"
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

The DHCP server config I used is the following:
bt ~ # cat /etc/dhcpd.conf
option domain-name-servers 4.2.2.2;

default-lease-time 60;
max-lease-time 72;

ddns-update-style none;

authoritative;

log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 4.2.2.2;
}

As you can see, I used the local7 facility, which I dump to a separate file that I monitor to check when I have dear guests:
bt ~ # cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr
...
...
....

#
#DHCP LOGS
#
local7.*                                                -/var/log/dhcp.log
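Watching /var/log/dhcp.log by eye works for a handful of guests; the following added example (mine, not from the original post) does the same job from a script: it reads the dhcpd lines that the local7 rule above writes, keeps the latest DHCPACK per MAC as the current lease table, and reports any client whose MAC is not in an allow-list. The log lines are constructed in the shape ISC dhcpd logs its messages; the log path, the allow-list and the hostnames are assumptions.

```python
import re

# Shape of ISC dhcpd syslog lines as they land in /var/log/dhcp.log via local7:
# "<stamp> <host> dhcpd: DHCPACK on <ip> to <mac> (<hostname>) via <iface>"
# (the hostname in parentheses is absent when the client sent none).
ACK_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+dhcpd:\s+"
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\((?P<host>[^)]*)\))?\s+via\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample of /var/log/dhcp.log: one full DORA exchange for a known
# laptop, a lease for an unknown client, and a renewal of the first lease.
SAMPLE_LOG = """\
Nov 27 11:05:01 bt dhcpd: DHCPDISCOVER from 00:0f:b5:46:11:19 (mylaptop) via ath0
Nov 27 11:05:02 bt dhcpd: DHCPOFFER on 10.0.0.100 to 00:0f:b5:46:11:19 (mylaptop) via ath0
Nov 27 11:05:02 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:0f:b5:46:11:19 (mylaptop) via ath0
Nov 27 11:05:02 bt dhcpd: DHCPACK on 10.0.0.100 to 00:0f:b5:46:11:19 (mylaptop) via ath0
Nov 27 11:12:40 bt dhcpd: DHCPACK on 10.0.0.101 to 00:1b:77:aa:bb:cc via ath0
Nov 27 11:13:05 bt dhcpd: DHCPACK on 10.0.0.100 to 00:0f:b5:46:11:19 (mylaptop) via ath0
"""

# Assumed allow-list of MACs that belong to me; anything else is a "guest".
KNOWN_MACS = ["00:0F:B5:46:11:19"]


def parse_acks(lines):
    """Yield one dict per DHCPACK line; DISCOVER/OFFER/REQUEST lines are skipped
    because only the ACK means the server actually handed out the address."""
    for line in lines:
        m = ACK_RE.match(line.strip())
        if m:
            yield {
                "stamp": m.group("stamp"),
                "ip": m.group("ip"),
                "mac": m.group("mac").lower(),
                "host": m.group("host") or "",
                "iface": m.group("iface"),
            }


def current_leases(lines):
    """Latest ACK per MAC: {mac: ack_dict}. A later ACK (renewal or new
    address) for the same MAC replaces the earlier entry."""
    leases = {}
    for ack in parse_acks(lines):
        leases[ack["mac"]] = ack
    return leases


def unknown_clients(lines, known_macs):
    """Sorted MACs holding a lease that are not in the allow-list."""
    known = {mac.lower() for mac in known_macs}
    return sorted(mac for mac in current_leases(lines) if mac not in known)


if __name__ == "__main__":
    leases = current_leases(SAMPLE_LOG.splitlines())
    for mac in unknown_clients(SAMPLE_LOG.splitlines(), KNOWN_MACS):
        lease = leases[mac]
        print(f"guest {mac} ({lease['host'] or 'no hostname'}) got {lease['ip']} at {lease['stamp']}")
```

To run it against the real file, replace `SAMPLE_LOG.splitlines()` with the lines of /var/log/dhcp.log (or pipe `tail -f` into it and call `parse_acks` per line); with the short 60-second leases from the dhcpd.conf above, a guest that stays renews often, so the renewal handling matters.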


Software AP with airbase-ng


The aim of airbase-ng is to respond to any probe packet from connecting clients; we can use it to start a fake AP that listens for one ESSID at a time. This can be useful when you run Backtrack 4 final on the Aspire One and see that the wlanconfig suite of commands does not work.
# create a monitor mode interface (mon0 will be created)
airmon-ng start wlan0
# start our fake AP listening on channel 5, beaconing every 100 milliseconds, publishing a "test" ESSID
airbase-ng -I 100 -c 5 --essid test mon0
# an at0 interface will be created; as in the previous section we can set up a DHCP server so that it listens on the at0 interface.


Other stuff


To remove an interface (when wlanconfig stop does not work due to ath5k being in use) we can do it like this:

iw dev mon0 interface del

To lock the card to a specific mode, use:

    * iwpriv ath0 mode 11a To lock to 11a only.
    * iwpriv ath0 mode 11b To lock to 11b only.
    * iwpriv ath0 mode 11g To lock to 11g only.
    * iwpriv ath0 mode 0 (default) autoselect mode. 

Changing Authentication Mode.

Use:

    * iwpriv ath0 authmode 1 To use open authentication.
    * iwpriv ath0 authmode 2 To use shared key authentication.
    * iwpriv ath0 authmode 3 To use 802.1x authentication. 

Manipulating the MAC white/black list

Use:

    * iwpriv ath0 maccmd 3 To clear the MAC list.
    * iwpriv ath0 maccmd 1 To make the list a whitelist.
    * iwpriv ath0 maccmd 2 To make the list a blacklist.
    * iwpriv ath0 addmac 00:11:22:33:44:55 To add a mac address to the list.
    * iwpriv ath0 delmac 00:11:22:33:44:55 To delete a mac from the list.
    * iwpriv ath0 kickmac 00:11:22:33:44:55 To send a disassociation frame to an associated station. 

