Backtrack Manual Part5


Project Report
Project by - Nutan Kumar Panda
Technology Evangelist ISEH
R&D - ATL Guwahati

BeEF
BeEF is the Browser Exploitation Framework, a professional tool to demonstrate the real-time impact of browser vulnerabilities. Development has focused on creating a modular structure that makes new module development a trivial process, with the intelligence residing within BeEF. Current modules include the first public inter-protocol exploit, a traditional browser overflow exploit, port scanning, keylogging, clipboard theft and more. The modules are aimed to be a representative set of current browser attacks, with the notable exception of launching cross-site scripting viruses. You can download BeEF from

Goorecon
In the Information Gathering stage of a pentest, we are interested in finding out the various sub-domains of our target domain. As we have seen in previous videos, querying DNS servers using zone transfer requests or trying to retrieve entries using a dictionary / brute-forcing attack is a good start, but fails in most cases. Another technique for finding sub-domains is to query Google and check whether it has found any sub-domains during its web mining of the target. Goorecon is just the tool we need in order to do this.
The syntax of Goorecon is very simple. Let's have a look at the options:
root@666:/pentest/enumeration/goorecon# ./goorecon.rb
Goorecon .01
By Carlos Perez
Email:
This is a simple tool writen for subdomain enumeration and email gathering
during authorized penetration test engaments using Google.
USAGE:
ruby goorecon.rb <type> <target>
TYPES:
-s Subdomoin Enumeration
-e Email gathering
As you can see there are really only two options: one is to look for sub-domains and the other is to look for email addresses.
Here is an example of using the tool to gather sub-domains:
root@666:/pentest/enumeration/goorecon# ./goorecon.rb -s
And here is an example of using Goorecon to grab email addresses:
root@666:/pentest/enumeration/goorecon# ./goorecon.rb -e

Dmitry
Dmitry, or Deepmagic Information Gathering Tool, is an all-in-one host information tool included in BackTrack 4's Information Gathering section. Personally I prefer doing most info gathering using tools built into Linux; however, it is nice to run a tool like this in the background and come back later if you are multi-tasking.
Dmitry - Deepmagic Information Gathering Tool Details:
Dmitry can perform numerous tasks based on the switches provided, including a couple of whois lookups, Netcraft data (OS info, uptime info, web server info), subdomain search, email address search, and various TCP port scan options. As you can see, letting this fly against a target host returns a lot of information in one swoop. Below is an example using Dmitry against the domain/host.
Dmitry Example Against Domain/Host:
root@bt:/usr/local/bin# dmitry -winsepffb -o hosts.txt
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Writing output to 'hosts.txt'
HostIP:

Gathered Inet-whois information for
---------------------------------
OrgName: SoftLayer Technologies Inc.
OrgID: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
ReferralServer: rwhois://
NetRange: -
CIDR:
OriginAS: AS36351
NetName: SOFTLAYER-4-3
NetHandle: NET-75-126-0-0-1
Parent: NET-75-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ARPA.GLOBAL-DATACENTER.COM
NameServer: NS2.ARPA.GLOBAL-DATACENTER.COM
Comment:
RegDate: 2006-05-12
Updated: 2009-08-26
RAbuseHandle: ABUSE1025-ARIN
RAbuseName: Abuse
RAbusePhone: +1-214-442-0605
RAbuseEmail:
RNOCHandle: IPADM258-ARIN
RNOCName: IP Admin
RNOCPhone: +1-214-442-0600
RNOCEmail:
RTechHandle: IPADM258-ARIN
RTechName: IP Admin
RTechPhone: +1-214-442-0600
RTechEmail:
OrgAbuseHandle: ABUSE1025-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-442-0605
OrgAbuseEmail:
OrgTechHandle: IPADM258-ARIN
OrgTechName: IP Admin
OrgTechPhone: +1-214-442-0600
OrgTechEmail:
# ARIN WHOIS database, last updated 2010-06-10 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See for details on the improvements.
Gathered Inic-whois information for
---------------------------------
 Domain Name: APPINONLINE.COM
 Registrar: NET 4 INDIA LIMITED
 Whois Server:
 Referral URL:
 Name Server: NS3.IP01-DNS.NET
 Name Server: NS4.IP01-DNS.NET
 Status: ok
 Updated Date: 18-feb-2010
 Creation Date: 30-may-2004
 Expiration Date: 30-may-2018
>>> Last update of whois database: Fri, 11 Jun 2010 08:31:21 UTC <<<
The Registry database contains ONLY .COM, .NET, .EDU domains and
Gathered Netcraft information for
---------------------------------
Retrieving information for
No uptime reports available for host:
 Information gathered
Gathered Subdomain information for
---------------------------------
Searching

HostIP:

HostIP:

HostIP:

HostIP:
Searching
Found 4 possible subdomain(s) for host, Searched 0 pages containing 0 results
Gathered E-Mail information for
---------------------------------
Searching
Searching
Found 0 E-Mail(s) for host, Searched 0 pages containing 0 results
Gathered TCP Port information for
---------------------------------
 Port State
21/tcp open
>> 220 FTP Server ready.
25/tcp open
>> 220 ESMTP
53/tcp open
80/tcp open
110/tcp open
>> +OK <18937.1276245286@pop3>
143/tcp open
>> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STA
Portscan Finished: Scanned 150 ports, 128 ports were in state closed

0trace
0trace is a security reconnaissance / firewall bypassing tool. It enables the user to perform hop enumeration ("traceroute") within an established TCP connection, such as an HTTP or SMTP session, as opposed to sending stray packets, as traceroute-type tools usually do. The important benefit of using an established connection and matching TCP packets to carry a TTL-based probe is that such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table).
A good example of the difference is ( ): a regular UDP/ICMP traceroute and tcptraceroute both end like this:
14 ( ...
15 ( ...
16 * * *
17 * * *
18 * * *
Let's do the same using 0trace: we first manually telnet to the target on port 80, then execute './ eth0', and finally enter 'GET / HTTP/1.0' (followed by a single newline, not two) to solicit some client-server traffic but keep the session alive for the couple of seconds 0trace needs to complete the probe.
The output is as follows:
10
11
12
13
14
15
16
17 <---
18 <--- new data
19 <---
Target reached.
The last three lines reveal firewalled infrastructure, including private addresses used on the inside of the company. This is obviously an important piece of information as far as penetration testing is concerned.
Of course, 0trace won't work everywhere and all the time. The tool will not produce interesting results in the following situations:
- the target's firewall drops all outgoing ICMP messages,
- the target's firewall does TTL or full-packet rewriting,
- there's an application-layer proxy / load balancer in the way (Akamai, in-house LBs, etc.),
- there's no notable layer 3 infrastructure behind the firewall.
The tool also has a fairly distinctive TCP signature, and as such, it can be detected by IDS/IPS systems.
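The distinctive signature just mentioned can be turned into a simple detector: a 0trace run re-sends what looks like the same segment of a live session over and over, with the IP TTL climbing by one each time, which ordinary retransmissions and duplicate ACKs never do. The Python below is an added example (not part of the original manual or of 0trace) that runs over a constructed list of packet summaries; the Pkt fields, addresses and thresholds are assumptions, not tool output.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal summary of one TCP segment as a sensor would record it (constructed fields)."""
    ts: float     # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int      # IP TTL as seen at the sensor
    seq: int      # TCP sequence number
    ack: int      # TCP acknowledgement number


def _is_ttl_sweep(run, min_probes):
    """A run of segments with identical seq/ack whose TTL climbs by exactly one each time.
    Retransmissions and duplicate ACKs repeat the seq/ack too, but keep the sender's
    fixed default TTL, so they never satisfy the +1 step test."""
    if len(run) < min_probes:
        return False
    ttls = [p.ttl for p in run]
    return all(b - a == 1 for a, b in zip(ttls, ttls[1:]))


def find_ttl_sweeps(packets, min_probes=5, window=5.0):
    """Return [(flow, [ttl, ...]), ...] for flows carrying a 0trace-style probe burst.

    flow is (src, sport, dst, dport). Segments are grouped per flow in time order and
    split into runs of consecutive segments that repeat the same seq/ack within
    `window` seconds; a run qualifies if its TTLs rise monotonically by one.
    The sensor sees each probe's TTL already decremented by the hops before it, so
    the test uses the relative +1 steps rather than an absolute starting value of 1."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[(p.src, p.sport, p.dst, p.dport)].append(p)

    hits = []
    for flow, pkts in by_flow.items():
        pkts.sort(key=lambda p: p.ts)
        run = []
        for p in pkts:
            same_segment = run and (p.seq, p.ack) == (run[-1].seq, run[-1].ack)
            if same_segment and p.ts - run[0].ts <= window:
                run.append(p)
                continue
            if _is_ttl_sweep(run, min_probes):
                hits.append((flow, [q.ttl for q in run]))
            run = [p]
        if _is_ttl_sweep(run, min_probes):
            hits.append((flow, [q.ttl for q in run]))
    return hits


def constructed_capture():
    """Constructed sample: one normal HTTP exchange (with a duplicate ACK) followed by
    eight probes that reuse the live session's seq/ack with TTL 1..8."""
    t = 1700000000.0
    client = ("10.0.0.5", 40000, "192.0.2.10", 80)
    server = ("192.0.2.10", 80, "10.0.0.5", 40000)
    pkts = [
        Pkt(t, *client, ttl=64, seq=1000, ack=5000),          # GET / HTTP/1.0 (80 bytes)
        Pkt(t + 0.01, *server, ttl=128, seq=5000, ack=1080),  # server ACK
        Pkt(t + 0.02, *server, ttl=128, seq=5000, ack=1080),  # duplicate ACK, same TTL
    ]
    for i in range(8):
        pkts.append(Pkt(t + 0.5 + 0.1 * i, *client, ttl=1 + i, seq=1080, ack=5000))
    return pkts


if __name__ == "__main__":
    for flow, ttls in find_ttl_sweeps(constructed_capture()):
        print("TTL sweep inside established flow", flow, "TTLs:", ttls)
```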
Usage: /usr/local/sbin/ iface target_ip [ target_port ]
root@bt:~# ./ eth0 80
bash: ./ No such file or directory
root@bt:~# / eth0 80
bash: / No such file or directory
root@bt:~# /usr/local/sbin/ eth0 80
0trace v0.01 PoC by <>
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: -> (2989104564/3240623664).
[+] Setting up a sniffer...
[+] Sending probes...
TRACE RESULTS
-------------
1
2
Probe rejected by target.

Autoscan Networks
AutoScan-Network is a network scanner (a discovery and management application). No configuration is required to scan your network; the main goal is to print the list of equipment connected to your network. Entire subnets can be scanned simultaneously without human intervention, and a preset list of ports is scanned for each piece of equipment. Its features include:
1. Fast multithreaded scanning
2. Automatic network discovery
3. Extremely low bandwidth
4. Entire subnets can be scanned simultaneously without human intervention
5. Real-time addition of new machines put on the network
6. Monitoring of equipment (router, server, firewall, ...)
7. Monitoring of network services (smtp, http, pop, ...)
8. Detection of the OS, brand and model where known (with the possibility to add an unknown piece of equipment to the database)

Sslscan
SSLScan is a fast SSL service scanner. It determines which ciphers are supported, the preferred ciphers, and the service certificate. It is also possible to supply a certificate and private key to use with a connection.
Build: sslscan can be built manually using the following command:
gcc -lssl -o sslscan sslscan.c
The command line arguments for SSLScan are:
sslscan [Options] [host:port | host]
Options:
--targets=<file> A file containing a list of hosts to check. Hosts can be supplied with ports (
 List only accepted ciphers (default is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk=<file> A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape).
--pkpass=<password> The password for the private key or PKCS#12 file.
--certs=<file> A file containing PEM/ASN1 formatted client certificates.
--xml=<file> Output results to an XML file.
--version Display the program version.
--help Display the help text you are now reading.
Example
root@bt:~# sslscan -xml=/etc/lloo.txt
 Version 1.6
 Copyright (C) 2007-2008 Ian Ventura-Whiting
Testing SSL server on port 443
 Supported Server Cipher(s):
 Accepted SSLv2 168 bits DES-CBC3-MD5
 Accepted SSLv2 56 bits DES-CBC-MD5
 Accepted SSLv2 40 bits EXP-RC2-CBC-MD5
 Accepted SSLv2 128 bits RC2-CBC-MD5
 Accepted SSLv2 40 bits EXP-RC4-MD5
 Accepted SSLv2 128 bits RC4-MD5
 Rejected SSLv3 256 bits ADH-AES256-SHA
 Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
 Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
 Accepted SSLv3 256 bits AES256-SHA
 Rejected SSLv3 128 bits ADH-AES128-SHA
 Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
 Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
 Accepted SSLv3 128 bits AES128-SHA
 Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
 Rejected SSLv3 56 bits ADH-DES-CBC-SHA
 Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
 Rejected SSLv3 128 bits ADH-RC4-MD5
 Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
 Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
 Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
 Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
 Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
 Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
 Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
 Accepted SSLv3 168 bits DES-CBC3-SHA
 Accepted SSLv3 56 bits DES-CBC-SHA
 Accepted SSLv3 40 bits EXP-DES-CBC-SHA
 Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
 Accepted SSLv3 128 bits RC4-SHA
 Accepted SSLv3 128 bits RC4-MD5
 Accepted SSLv3 40 bits EXP-RC4-MD5
 Rejected SSLv3 0 bits NULL-SHA
 Rejected SSLv3 0 bits NULL-MD5
 Rejected TLSv1 256 bits ADH-AES256-SHA
 Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
 Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
 Accepted TLSv1 256 bits AES256-SHA
 Rejected TLSv1 128 bits ADH-AES128-SHA
 Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
 Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
 Accepted TLSv1 128 bits AES128-SHA
 Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
 Rejected TLSv1 56 bits ADH-DES-CBC-SHA
 Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
 Rejected TLSv1 128 bits ADH-RC4-MD5
 Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
 Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
 Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
 Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
 Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
 Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
 Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
 Accepted TLSv1 168 bits DES-CBC3-SHA
 Accepted TLSv1 56 bits DES-CBC-SHA
 Accepted TLSv1 40 bits EXP-DES-CBC-SHA
 Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
 Accepted TLSv1 128 bits RC4-SHA
 Accepted TLSv1 128 bits RC4-MD5
 Accepted TLSv1 40 bits EXP-RC4-MD5
 Rejected TLSv1 0 bits NULL-SHA
 Rejected TLSv1 0 bits NULL-MD5
 Prefered Server Cipher(s):
 SSLv2 168 bits DES-CBC3-MD5
 SSLv3 256 bits DHE-RSA-AES256-SHA
 TLSv1 256 bits DHE-RSA-AES256-SHA

SSL Certificate:
 Version: 2
 Serial Number: 966173
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 Not valid before: Jan 10 18:50:39 2010 GMT
 Not valid after: Feb 11 14:22:03 2011 GMT
 Subject: /serialNumber=mVSeVz4nkJ-qQhthu31BiNHsyKIrLvpX/C=US/ (c)10/OU=Domain Control Validated - RapidSSL(R)/
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 Exponent: 65537 (0x10001)
 X509v3 Extensions:
 X509v3 Key Usage: critical
 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
 X509v3 Subject Key Identifier:
 FF:6C:2E:6C:1F:22:B7:15:9C:1A:8F:8B:7A:69:FF:3C:A8:70:10:C0
 X509v3 CRL Distribution Points:
 URI:
 X509v3 Authority Key Identifier:
 keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
 X509v3 Extended Key Usage:
 TLS Web Server Authentication, TLS Web Client Authentication
 Verify Certificate:
 unable to get local issuer certificate

NBTScan
NBTscan is a program for scanning IP networks for NetBIOS name information.
It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
NBTscan compiles and runs on Unix and Windows. I have tested it on Windows NT 4.0, Windows 2000, FreeBSD 4.3, OpenBSD 2.8 and RedHat Linux 7.1 and 7.3. It should also compile and run on Solaris and other Linuxes as well. This program is a successor of a perl script with the same name and does essentially the same thing, being much faster though.
NBTscan produces a report like this:
IP address      NetBIOS Name   Server   User            MAC address
--------------------------------------------------------------
                MYCOMPUTER              JDOE            00-a0-c9-12-34-56
192.168.1.5     WIN98COMP               RROE            00-a0-c9-78-90-00
192.168.1.123   DPTSERVER               ADMINISTRATOR   08-00-09-12-34-56
The first column lists the IP address of the host that responded. The second column is the computer name. The third column indicates whether this computer shares, or is able to share, files or printers; for an NT machine it means that the Server service is running on that computer, and most often it means that the computer shares files. The fourth column shows the user name; if no one is logged on from this computer it is the same as the computer name. The last column shows the adapter MAC address.
If run with the -v switch, NBTscan lists the whole NetBIOS name table for each address that responded. The output looks like this:
NetBIOS Name Table for Host :
Name              Service   Type
----------------------------------------
DPTSERVER         <00>      UNIQUE
DPTSERVER         <20>      UNIQUE
DEPARTMENT        <00>      GROUP
DEPARTMENT        <1c>      GROUP
DEPARTMENT        <1b>      UNIQUE
DEPARTMENT        <1e>      GROUP
DPTSERVER         <03>      UNIQUE
DEPARTMENT        <1d>      UNIQUE
??__MSBROWSE__?   <01>      GROUP
INet~Services     <1c>      GROUP
IS~DPTSERVER      <00>      UNIQUE
DPTSERVER         <01>      UNIQUE
Adapter address: 00-a0-c9-12-34-56

Unicornscan
Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is scalable, accurate, flexible, and efficient. It is released for the community to use under the terms of the GPL license.
Benefits:
Unicornscan is an attempt at a user-land distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into, and measuring a response from, a TCP/IP enabled device or network. Although it currently has hundreds of individual features, its main set of abilities includes:
- Asynchronous stateless TCP scanning with all variations of TCP flags.
- Asynchronous stateless TCP banner grabbing.
- Asynchronous protocol-specific UDP scanning (sending enough of a signature to elicit a response).
- Active and passive remote OS, application, and component identification by analyzing responses.
- PCAP file logging and filtering.
- Relational database output.
- Custom module support.
- Customized data-set views.

chntpw
chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the encrypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shut down your computer and boot off a Linux floppy disk). The bootdisk includes the pieces needed to access NTFS partitions and scripts to glue the whole thing together. This utility works with SYSKEY and includes the option to turn it off. After that's all done you need to get into the...
Code:
cd /mnt/Your hard folder/Windows/System32/config
While you're still in your Windows/system32/config directory, type this command; this is how mine looked:
Code:
root@Expl0it3:/mnt/sda1/Windows/System32/config# chntpw -i sam

Ettercap
Another great tool is Ettercap, the Swiss army knife of ARP poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has an ncurses interface that some may find easier to use. If you would like to use Ettercap for ARP poisoning instead, the following commands should serve as good examples. If we wanted to target all hosts on the network and sniff traffic between every node, we would use the following command:
ettercap -T -q -M ARP // //
Or
ettercap -T -q -p -M ARP // //
Be careful with the above command: having all of the traffic on a large network going through one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP, we would use this command:
ettercap -T -q -M ARP / //
or
ettercap -T -q -p -M ARP // //
If that host is the gateway, we should be able to see all outgoing traffic. Here is what the command line option flags do:
-T tells Ettercap to use the text interface; I like this option the best as the more GUI-like modes are rather confusing.
-q tells Ettercap to be more quiet, in other words less verbose.
-p tells Ettercap not to put the interface into promiscuous mode.
-M tells Ettercap the MITM (Man in the Middle) method we want to use, in this case ARP poisoning.

DNS Spoofing with Ettercap & BackTrack
Fire up a terminal (the little black box in the bottom left) and enter:
/etc/init.d/networking start
Prepare Apache
BackTrack is now online and ready to go, but we need to get the webserver ready to accept whatever domain we throw at it using our DNS spoofing.
You'll need to run pico /etc/apache2/sites-available/default in the terminal and add a line below 'ServerAdmin webmaster@localhost':
ServerAdmin webmaster@localhost
ServerAlias *
DocumentRoot /var/www/
This specifies that whatever domain is pointed at the webserver is to be shown the default web content at /var/www.
We just need to restart Apache for it to take effect:
/etc/init.d/apache2 restart
Apache is ready.
Mounting the Attack
Open the little BackTrack icon in the bottom left (start-menu type situation) and pick BackTrack -> Privilege Escalation -> Sniffers -> Ettercap GTK:
Select Sniff -> Unified Sniffing:
Then click 'OK' on the interface it selects.
Next select Hosts -> Scan for hosts. It will scan your local network for active machines. Then select Hosts -> Hosts List.
Now we need to know the IP of the network's gateway and your victim's IP address. These are reasonably simple to find.
To figure out the network gateway, head back to the terminal and enter route -n:
You'll notice the gateway address in the output; now to find our target.
To track them down you'll need to know some defining feature, a particular OS or service (maybe with a banner you could check?).
In my case the target is a Windows XP machine. I used Zenmap (the nmap GUI) on each of the IPs to OS fingerprint them and find my target:
Target established, we need to set up the DNS Spoof plugin in Ettercap to behave how we'd like; back in the terminal enter pico /usr/share/ettercap/etter.dns.
Head down to where it starts mentioning Microsoft's domains and enter something like the below, where the domain is the one you want to spoof and the IP is the BackTrack machine's (ifconfig in the terminal to find out):
Now then, back to Ettercap.
Make the gateway 'Target 1' and the target machine 'Target 2', then click Plugins -> Manage Plugins and double-click on the Spoof DNS plugin:
Next go to Mitm -> Arp Poisoning, tick 'Sniff Remote Connections' and click OK. Then click Start -> Start Sniffing.
Head to the victim machine and try going to your DNS spoofed domain, in my case
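Returning to the sslscan output shown in the Sslscan section: a scan like that is only useful if someone turns the cipher list into findings. The Python below is an added example (not part of the manual or of sslscan) that parses lines in sslscan 1.x's "Accepted/Rejected <proto> <n> bits <suite>" format and judges each accepted suite against current practice (SSLv2 and SSLv3, export grades, keys under 128 bits, anonymous DH, NULL, RC4 and MD5 MACs); the excerpt it runs on is a constructed subset of the scan above.

```python
import re
from collections import Counter

# One cipher line of sslscan 1.x output, e.g. " Accepted SSLv2 40 bits EXP-RC2-CBC-MD5"
CIPHER_LINE = re.compile(
    r"^\s*(Accepted|Rejected)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)\s*$"
)

# Constructed excerpt in the format of the scan shown above (a real run lists far more).
SAMPLE_OUTPUT = """\
Testing SSL server on port 443
  Supported Server Cipher(s):
    Accepted  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3  0 bits    NULL-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
"""


def parse_ciphers(text):
    """Yield (status, protocol, bits, name) for every cipher line in the output."""
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)


def weaknesses(protocol, bits, name):
    """Reasons an accepted suite is unacceptable today; an empty list means it is fine."""
    reasons = []
    if protocol in ("SSLv2", "SSLv3"):
        reasons.append(f"{protocol} enabled")          # both protocol versions are obsolete
    if name.startswith("EXP-"):
        reasons.append("export-grade cipher")
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    if name.startswith("ADH-") or name.startswith("EXP-ADH-"):
        reasons.append("anonymous DH, server not authenticated")
    if name.startswith("NULL-"):
        reasons.append("no encryption")
    if "RC4" in name:
        reasons.append("RC4")
    if name.endswith("-MD5"):
        reasons.append("MD5-based MAC")
    return reasons


def triage(text):
    """Return [(protocol, name, [reason, ...]), ...] for accepted suites with weaknesses."""
    findings = []
    for status, protocol, bits, name in parse_ciphers(text):
        if status != "Accepted":
            continue                                   # rejected suites are not exposure
        reasons = weaknesses(protocol, bits, name)
        if reasons:
            findings.append((protocol, name, reasons))
    return findings


def reason_counts(text):
    """How often each weakness class occurs, to prioritise the remediation list."""
    return Counter(r for _, _, reasons in triage(text) for r in reasons)


if __name__ == "__main__":
    for protocol, name, reasons in triage(SAMPLE_OUTPUT):
        print(f"{protocol:6} {name:24} {', '.join(reasons)}")
```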
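The ARP poisoning that the Ettercap sections rely on has a plain signature on the wire: two different MACs answer for the same IP, and one MAC answers for both the gateway and the victim. The Python below is an added example (not from the manual or from Ettercap) that finds both patterns in a constructed ARP log; the record layout, addresses and the assumption that the poisoner uses ARP replies are mine, not the page's.

```python
from collections import defaultdict

REQUEST, REPLY = 1, 2

# Constructed ARP log: (timestamp, opcode, sender MAC, sender IP, target IP).
# A gateway and a host answer normally; then a third MAC starts answering for both of
# them, which is what an "ettercap -M ARP" session between the two looks like.
SAMPLE_ARP = [
    (0.0, REQUEST, "bb:bb:bb:bb:bb:05", "192.168.1.5", "192.168.1.1"),
    (0.1, REPLY,   "aa:aa:aa:aa:aa:01", "192.168.1.1", "192.168.1.5"),
    (0.2, REQUEST, "aa:aa:aa:aa:aa:01", "192.168.1.1", "192.168.1.5"),
    (0.3, REPLY,   "bb:bb:bb:bb:bb:05", "192.168.1.5", "192.168.1.1"),
    (5.0, REPLY,   "cc:cc:cc:cc:cc:99", "192.168.1.1", "192.168.1.5"),  # poisons the host
    (5.0, REPLY,   "cc:cc:cc:cc:cc:99", "192.168.1.5", "192.168.1.1"),  # poisons the gateway
    (6.0, REPLY,   "cc:cc:cc:cc:cc:99", "192.168.1.1", "192.168.1.5"),  # periodic re-poison
]


def ip_to_macs(records):
    """Every MAC that answered (in an ARP reply) for each IP."""
    claims = defaultdict(set)
    for _, op, mac, sender_ip, _ in records:
        if op == REPLY:
            claims[sender_ip].add(mac)
    return claims


def conflicting_ips(records):
    """IPs that more than one MAC answered for: the basic signature of ARP poisoning."""
    return {ip: macs for ip, macs in ip_to_macs(records).items() if len(macs) > 1}


def mitm_candidates(records):
    """MACs answering for more than one IP: a poisoner sitting between both parties."""
    by_mac = defaultdict(set)
    for _, op, mac, sender_ip, _ in records:
        if op == REPLY:
            by_mac[mac].add(sender_ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_impersonations(records, gateway_ip, gateway_mac):
    """Replies for the gateway IP from any MAC other than the inventoried one."""
    return [(ts, mac) for ts, op, mac, sender_ip, _ in records
            if op == REPLY and sender_ip == gateway_ip and mac != gateway_mac]


if __name__ == "__main__":
    print("IPs claimed by several MACs:", conflicting_ips(SAMPLE_ARP))
    print("MACs claiming several IPs:  ", mitm_candidates(SAMPLE_ARP))
    print("gateway impersonated by:    ",
          gateway_impersonations(SAMPLE_ARP, "192.168.1.1", "aa:aa:aa:aa:aa:01"))
```

A static ARP entry for the gateway on critical hosts, or DHCP snooping with dynamic ARP inspection on the switch, prevents the poisoning this detects rather than merely reporting it.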