Thursday, August 12, 2010

Extracting MetaData from photos using exiftool in BT4

This guide is about using exiftool, a tool used to read and strip metadata from photos. It can be used from a forensics standpoint as well as for doing reconnaissance work on a given target, especially if the target is very generous when it comes to giving away too much information in its photos.
As a warning, it's not cool to stalk people, so don't be doing it.
I mean really, if you have to stalk someone you probably will never have a relationship with them anyway, loser!

So the tool is located in the menu structure under Digital Forensics, or in the
/pentest/misc/exiftool/ directory.

This screenshot shows the default output when calling the command with no arguments.
root@bt:/pentest/misc/exiftool# ./exiftool

(screenshot: exiftool default output)

You will need to read the README in order to learn more information.

If you want to just test the tool out, you can use the provided .jpg to do so.
The command would be
root@bt:/pentest/misc/exiftool# ./exiftool t/images/ExifTool.jpg

(screenshot: exiftool output for ExifTool.jpg)

The above photo only shows a portion of the output. To see the rest you will need to run the tool yourself.
There is a lot of information that could be gained from this test, but in reality the tool author has already sanitized anything of value.
The only thing that is really left is camera information. Boring at best. So let's grab a few photos from the web and see what they can give us.

Ok, so to help keep the innocent that way, I won't be linking or giving away too much on the actual photos I downloaded.
But they are easy to find thanks to social media 2.0.
From the next photo we can parse quite a lot of data.

root@bt:/pentest/misc/exiftool# ./exiftool /tmp/1444432405-37422182c96b551a67f534ead5532.4c63f758-scaled.jpg

(screenshot: exiftool output for the downloaded photo)

So photo 3 shows some generic information from the camera; from it we can determine roughly the type of phone, in this case a Motorola Droid X.

(screenshot: exiftool camera information)

But in photo 4, bingo, we now have the information from the GPS. So we now know exactly where our target was located, at least at the time the photo was taken. By looking at the same information from several photos we may be able to determine patterns in our target's behavior.
So here is the pertinent data given up by our photograph: 28 degrees 26' 26.00" N 81 degrees 28' 26.00" West
There are many websites, including Google Maps, to help you turn this info into something more familiar, like addresses. Depending on the phone or camera being used, this information can be turned off, which is kind of a smart thing to do.
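As an added example (not part of the original post and not exiftool's own code), here is the defender's side of the story in Python: a small JPEG segment walker that tells you whether a photo still carries an APP1 Exif block and strips it before the photo is published, plus a converter for the degrees/minutes/seconds string exiftool prints so the coordinate above can be plotted or compared. The JPEG bytes are constructed inline (a stub Exif payload, not a real photo), and the regex assumes the "DD degrees MM' SS.SS" N" wording shown above.

```python
import re
import struct

# Constructed sample: a minimal JPEG byte string (not a real photo) carrying an
# APP1 Exif segment, an APP0 JFIF segment, a dummy SOS and the EOI marker.
EXIF_PAYLOAD = b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00"   # TIFF header stub only
SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_PAYLOAD)) + EXIF_PAYLOAD  # APP1 Exif
    + b"\xff\xe0" + struct.pack(">H", 2 + 5) + b"JFIF\x00"             # APP0 (kept)
    + b"\xff\xda" + b"\x00\x02"                                        # SOS header (dummy)
    + b"\x12\x34"                                                      # entropy data (dummy)
    + b"\xff\xd9"                                                      # EOI
)
# The coordinate string quoted above, in the wording exiftool uses.
SAMPLE_GPS = "28 degrees 26' 26.00\" N 81 degrees 28' 26.00\" West"


def split_jpeg(data):
    """Split a JPEG into (segments, tail): segments is a list of (marker, raw bytes)
    for every marker segment before SOS; tail is everything from SOS onward."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                       # SOS: entropy-coded data follows, stop
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def is_exif_segment(marker, raw):
    # raw = 2 marker bytes + 2 length bytes + payload; Exif payloads start with "Exif\0\0"
    return marker == 0xE1 and raw[4:10] == b"Exif\x00\x00"


def has_exif(data):
    segments, _ = split_jpeg(data)
    return any(is_exif_segment(m, raw) for m, raw in segments)


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 Exif segment removed (image data untouched)."""
    segments, tail = split_jpeg(data)
    kept = b"".join(raw for m, raw in segments if not is_exif_segment(m, raw))
    return b"\xff\xd8" + kept + tail


DMS_RE = re.compile(r"""(\d+)\s*degrees\s*(\d+)'\s*([\d.]+)"\s*([NSEW]|North|South|East|West)""")


def dms_to_decimal(degrees, minutes, seconds, ref):
    """Degrees/minutes/seconds to signed decimal degrees (S and W are negative)."""
    value = degrees + minutes / 60.0 + seconds / 3600.0
    return -value if ref[0] in "SW" else value


def parse_gps_string(text):
    """Parse a latitude/longitude pair written the way exiftool prints it."""
    matches = DMS_RE.findall(text)
    if len(matches) != 2:
        raise ValueError("expected a latitude and a longitude")
    return tuple(dms_to_decimal(int(d), int(m), float(s), ref) for d, m, s, ref in matches)


if __name__ == "__main__":
    print("Exif present:", has_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("Exif present after strip:", has_exif(cleaned), "bytes:", len(cleaned))
    print("decimal lat/lon:", parse_gps_string(SAMPLE_GPS))
```

Stripping the APP1 segment removes the GPS block along with the camera tags; the JFIF segment and the image data pass through unchanged, so the picture itself is not re-encoded.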

So that's about it. There are several ways to gain this information from photos, and this is one of the tools included in BT to do it.

Thursday, August 5, 2010

Setting up Fluxbox in BT4 R1

So this guide is for those who chose to upgrade from BackTrack 4 final to R1.
It does not really apply if you are downloading the R1 .iso. Please keep in mind that this is a new release and there may be bugs (please report them)! This post also assumes you have backtrack-dragon installed; you can use it to set up the rest.
root@bt:~# apt-get install backtrack-dragon
Once this finishes, run dragon, select desktop and finally desktop fluxbox.

(screenshot: Fluxbox setup in BT4 R1, dragon desktop selection)

Once this finishes you need to run flux-for-back:
root@bt:~# flux-for-back
(screenshot: Fluxbox setup in BT4 R1, flux-for-back options)

You will see several options to choose from. We are concerned with the -s option, so:
root@bt:~# flux-for-back -s
(screenshot: Fluxbox setup in BT4 R1, flux-for-back -s)

This will bring up a bunch of new choices. In order to build the menu, choose either 1 or 2 depending on whether you want icons.
Depending on your setup this may take a bit of time. Mine took about 6 or 7 minutes.
Once it is finished the script will exit and return you to the prompt. At this point you can consider yourself done.
So now you should have the pretty new menu set up for BT,
looking like this.
(screenshot: Fluxbox setup in BT4 R1, new menu)

At this point you can exit the script. If you want to change the background, you can use the new menu (right click, by the way, is how to access it). So right click and select "flux menu" at the bottom, then "Backgrounds", then "Set BackTrack default Background".

(screenshot: Fluxbox setup in BT4 R1, Backgrounds menu)

To change the style to a BT one, select "flux menu", then "Styles", then "Fluxbox BackTrack Styles".
(screenshot: Fluxbox setup in BT4 R1, Styles menu)

Then select one of the 3 choices from the following:
"Centurion_BackTrack_blue, Centurion_BackTrack_red, and flux_bactrack_eeepc"

This last image shows the red theme.
(screenshot: Fluxbox setup in BT4 R1, Centurion_BackTrack_red theme)

So that's pretty much it. Now you have a new lightweight window manager.
Remember that there may be bugs in these new tools so please be patient and report them if you do find them.

Have fun.

Saturday, July 24, 2010

Remove duplicate entries in a file W/O sorting.

This is mainly for my own reference, however you may find it useful as well.

Remove duplicate entries in a file without sorting.

$ awk '!x[$0]++' FILE
where FILE is the name of the file to run on.

One can also use sort | uniq or sort -u; however, these sort the lines into order.
With awk we simply remove the duplicates and keep the original line order.

MySQL Security Assesment Script in BT4

So this is a short write-up on using the MySQL Security Assessment Script by Carlos Perez.

Of course you will need a MySQL database to target.
If you want a pre-made setup, get the Metasploitable package.

Grab some shell and navigate to the /pentest/database/mysqlaudit/ directory.
Then just run the command with no options.



MySQL Security Assesment Script Version 1.0

By: Carlos Perez, carlos_perez[at]
python ./ Targer IP User Password Report

Target : The system you whant to do the assement on, port 3306 should be open.
User : User account with DBA privelages on the server to use for the assesment.
Password : password for the user account.
Report : Name of text file to wich to write the report.


Simple enough; the only thing you will need, of course, is the log-on credentials.
This time we will run the scan against our Metasploitable setup and see what happens.


root@bt:/pentest/database/mysqlaudit# ./ root root /tmp/msqlauditreport.txt


To see what our report shows we can either open it with a text editor or cat the output back to the screen.
Since the report is quite long I will only show a little of it here.

root@bt:/pentest/database/mysqlaudit# cat /tmp/msqlauditreport2.txt | less

Severity: High


MySQL authentication is based on usernames and passwords stored in a table

called mysql.user. To create a user, a row is added to this table. MySQL
also supports wildcards and blank values in the USERNAME and HOST fields of
the table. By indicating a blank username and a blank password, you allow
anonymous access to the MySQL database.

To remove the anonymous user, run the following commands:
shell> mysql -u root [password]
mysql> DELETE FROM mysql.user WHERE User = '';

Anonymous user was found

User Connection Location
anonymous ---->localhost
anonymous ---->ubuntu804-base


As you can tell, there is a high-severity flaw in our setup.
So this tool lets the penetration tester target MySQL databases and determine some basics about the security of the system.
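As an added example (my own code, not Carlos Perez's script), here is the anonymous-user check from the report above reimplemented in Python over a constructed set of mysql.user rows, so it runs offline. It also flags two related weaknesses the report excerpt does not show, empty passwords and '%' wildcard hosts, and emits the same DELETE statement the report suggests. It assumes the rows were exported as (User, Host, Password) triples; the hash strings are placeholders, not real hashes.

```python
# Constructed sample rows in the shape of mysql.user (User, Host, Password).
# Made up for this example; not taken from the report above.
SAMPLE_USERS = [
    ("root", "localhost", "*CONSTRUCTED_HASH_1"),
    ("", "localhost", ""),                 # anonymous account
    ("", "ubuntu804-base", ""),            # anonymous account bound to the hostname
    ("app", "%", "*CONSTRUCTED_HASH_2"),   # wildcard host: reachable from anywhere
    ("backup", "10.0.0.%", ""),            # named account with an empty password
]


def audit_users(rows):
    """Return (severity, issue, account) findings for (User, Host, Password) rows."""
    findings = []
    for user, host, password in rows:
        account = "anonymous" if user == "" else user
        if user == "":
            # blank username: anyone connecting from that host is accepted
            findings.append(("High", "anonymous user", f"{account}@{host}"))
        elif password == "":
            findings.append(("High", "empty password", f"{account}@{host}"))
        if host == "%":
            findings.append(("Medium", "wildcard host", f"{account}@{host}"))
    return findings


def remediation_sql(findings):
    """SQL to fix the findings; the anonymous-user DELETE is the report's own fix."""
    issues = {issue for _, issue, _ in findings}
    stmts = []
    if "anonymous user" in issues:
        stmts.append("DELETE FROM mysql.user WHERE User = '';")
    for _, issue, account in findings:
        if issue == "empty password":
            user, host = account.split("@", 1)
            stmts.append(f"-- set a password for '{user}'@'{host}' or drop the account")
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


def format_report(findings):
    """Render findings in the 'User ---->Location' style the report uses."""
    lines = ["Severity  Issue            User ---->Location"]
    for sev, issue, account in findings:
        user, host = account.split("@", 1)
        lines.append(f"{sev:<9} {issue:<16} {user} ---->{host}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_users(SAMPLE_USERS)
    print(format_report(found))
    print("\n".join(remediation_sql(found)))
```

Run it against real rows by replacing SAMPLE_USERS with the result of a query over mysql.user; the checks are pure functions of the rows, so they are easy to extend with whatever policy your audit requires.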

Have fun.

Friday, July 23, 2010

Converting Metasploitable for Virtualbox

So this is not a typical BackTrack post, but one on converting the Metasploitable VMware image to one that will work with VirtualBox. There are other ways of converting .vmdk files to .vdi ones, but none of them worked for me. This was all done on an Ubuntu machine; you could do the same on others. If you don't have or know about Metasploitable, check the above link. So grab a copy here and then extract the zip archive.

Go to a shell and grab qemu. This is another virtualization product, but we don't care about it; once we are done you can remove it.

amael@ubuntudork:~$ sudo aptitude install qemu

Once this is done run the following commands.
NOTE: This may take some time to complete.

amael@ubuntudork:/tmp/Metasploitable$ qemu-img convert /tmp/Metasploitable/metasploitable.vmdk metasploitable.bin

This converts the .vmdk to a raw binary image; then we convert the .bin to a VirtualBox .vdi file.

amael@ubuntudork:/tmp/Metasploitable$ VBoxManage convertdd metasploitable.bin metasploitable.vdi

Sun VirtualBox Command Line Management Interface Version 3.0.14
(C) 2005-2010 Sun Microsystems, Inc.
All rights reserved.
Converting from raw image file="Metasploitable.bin" to file="Metasploitable.vdi"...
Creating dynamic image with size 8589934592 bytes (8192MB)...

Once this is finished you are ready to use Metasploitable in VirtualBox.

So go ahead and set up a new machine. You can find many guides on doing this on the net.
Basically you just need to point VirtualBox to the newly created Metasploitable.vdi file.
(screenshot: VirtualBox, Metasploitable virtual disk selection)

You may want to edit some of the settings. For my setup I had to ensure that the "Enable PAE/NX" box under Extended Features was checked. This is located under Settings > System > Processor. The first time I booted without this it did not work.
(screenshot: VirtualBox, Settings > System > Processor with PAE/NX enabled)

It might also be a good idea to ensure that this machine is configured for "Host Only" networking so that it is not facing the internet.

So there you have it.
(screenshot: VirtualBox, Metasploitable booted)

That's pretty much it. Have fun.

Wednesday, July 21, 2010

Update script

So after someone noticed on the forums that the script needs to be edited in order to work with the new .iso, I decided to make this post with what needs to be changed.

First grab the script and open it with your favorite editor.
# nano
Then at the top around line 3 change
To the new .iso name.
So for the BT4 final you will need bt4-final.iso
So btisoname-bt4-final.iso

Save, exit and that's it.

Have fun.

Monday, July 19, 2010

how-to, in BT4

Fast and simple guide to using in BT 4

Standard disclaimer applies: don't be stupid and do things that will get you put in jail, etc.

Ok, as the name implies, this is a python-based brute force tool for SSH.
What it does is take target data on the command line and use a dictionary to try and brute-force SSH. Pretty simple.

Grab a shell


Check out the readme for more info.

root@bt:/pentest/passwords/brutessh# cat README

An easy and safe way to run the tool is to simply make a small dictionary in the same directory: put a few words and your own SSH password into the list.

Now run it.
root@bt:/pentest/passwords/brutessh# python -h localhost -u root -d dict

*SSH Bruteforcer Ver. 0.2 *
*Coded by Christian Martorella *
*Edge-Security Research *
* *

HOST: localhost Username: root Password file: dict
Trying password...
Times -- > Init: 0.15 End: 3.35
Auth OK ---> Password Found: 123abc$$
Of course that's not the real password!

It obviously didn't take that long, 3.35 seconds.

So there you have it. Quick, fast, and easy. Actually I don't believe it gets easier than that.
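A run like the one above leaves a very recognisable trail in the server's auth log, so as an added example (not part of the original post, and not related to the tool's code) here is the detection side in Python: a parser for sshd "Failed password" / "Accepted password" lines and a sliding-window counter that alerts when one source address exceeds a failure threshold, and marks the alert as urgent when a successful login follows the guesses. The log lines are constructed for the example; the default syslog timestamp format carries no year, so one is supplied.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not captured from a real host).
SAMPLE_LOG = """\
Jul 19 10:00:01 bt sshd[2201]: Failed password for root from 10.0.0.5 port 40120 ssh2
Jul 19 10:00:01 bt sshd[2202]: Failed password for root from 10.0.0.5 port 40121 ssh2
Jul 19 10:00:02 bt sshd[2203]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jul 19 10:00:02 bt sshd[2204]: Failed password for invalid user admin from 10.0.0.5 port 40123 ssh2
Jul 19 10:00:03 bt sshd[2205]: Failed password for root from 10.0.0.5 port 40124 ssh2
Jul 19 10:00:03 bt sshd[2206]: Accepted password for root from 10.0.0.5 port 40125 ssh2
Jul 19 10:00:10 bt sshd[2207]: Failed password for root from 192.168.1.20 port 51000 ssh2
Jul 19 10:05:00 bt sshd[2208]: Failed password for root from 192.168.1.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2010):
    """Return (timestamp, result, user, ip) tuples for every sshd password event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on any source IP with >= threshold failures inside a sliding window.
    Returns {ip: {"failures": peak count in window, "success_after": bool}}."""
    recent = defaultdict(list)       # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            recent[ip].append(ts)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(recent[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif result == "Accepted" and ip in alerts:
            # a login right after a burst of guesses is the case to escalate first
            alerts[ip]["success_after"] = True
    return alerts


def bruteforce_alerts(text, **kwargs):
    return detect_bruteforce(parse_events(text), **kwargs)


if __name__ == "__main__":
    for ip, info in bruteforce_alerts(SAMPLE_LOG).items():
        flag = "LOGIN SUCCEEDED AFTER GUESSES" if info["success_after"] else "guessing only"
        print(f"{ip}: {info['failures']} failures in window, {flag}")
```

With the defaults, the 10.0.0.5 burst trips the alert and is escalated because of the Accepted line that follows it, while the two slow failures from 192.168.1.20 stay below threshold; tune threshold and window_seconds to the noise level of the host.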

Monday, June 28, 2010

Bug and Fix in in BT4

While trying to learn more about BT and its many tools, I discovered a small bug in one of them.
This led to trying to find a fix for it. I suppose that I was successful.

The tool in question is located in /pentest/misc/isp/.
Upon trying to run the default command one gets the following:
root@bt:/pentest/misc/isp# python
Traceback (most recent call last):
File "", line 10, in
conf.verb = 0
NameError: name 'conf' is not defined

So to fix it, open the script in a text editor, locate the line "from scapy import *" near the top, change it to "from scapy.all import *", then save and exit.

Now try running again.

root@bt:/pentest/misc/isp# python
WARNING: No route found for IPv6 destination :: (no default route?) "I Spoof Packets with my ISP", by Sebastien Raveau
Usage: [alternate DNS server on the Internet]

WARNING: this gives false-positives when run behind some NAT
routers! If anybody has an idea of how to prevent that, please
leave a comment under the blog post explaing how this tool works:

Failed to reach DNS server at
Try again or try

There you have it.

Tuesday, May 25, 2010

Adding and using hostmap.rb to BT4

The next tool is hostmap.rb, a Ruby script for DNS discovery.
This tool is available at

So to get started visit the above link, download and save the tarball.

root@dorkness:/tmp/# tar xvf hostmap-0.2.2.tar

Remove the tarball, move the directory to /pentest/enumeration/hostmap-0.2.2/

root@dorkness:/tmp/# rm -rf hostmap-0.2.2.tar*

root@dorkness:pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb -h

Usage: hostmap.rb [options] -t [target]
Target options:
-t, --target [STRING] set target domain
Discovery options:
enable DNS zone transfer check
disable DNS bruteforcing
disable DNS TLD expansion
--bruteforce-level [STRING]
set bruteforce aggressivity, values are lite, custom or full (default is lite)
don't check the results consistency
--http-ports [STRING]
set a comma separated list of custom HTTP ports to check
passive discovery, don't make network activity to the target network
--timeout [STRING]
set plugin timeout
--threads [STRING]
set concurrent threads number
Networking options:
-d, --dns [STRING] set a comma separated list of DNS servers IP addresses to use instead of system defaults
Output options:
set output formatted for Maltego
-v, --verbose set verbose mode
Misc options:
skip update check
-h, --help show this help message


Note: You will need to give an IP address; you cannot use domain names.

An example of usage is as follows:

root@dorkness:/pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb --only-passive --without-update -t
hostmap 0.2.2 codename truppola
Coded by Alessandro `jekil` Tanasi

[2010-05-25 22:41] Skipping SSL because only passive checks are enabled
[2010-05-25 22:41] Found new hostname
[2010-05-25 22:41] Found new domain
[2010-05-25 22:41] Found new hostname
[2010-05-25 22:41] Found new domain
[2010-05-25 22:41] Found new nameserver
[2010-05-25 22:41] Found new hostname
[2010-05-25 22:41] Found new hostname
[2010-05-25 22:41] Found new nameserver
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks
[2010-05-25 22:41] Found new mail server
[2010-05-25 22:41] Found new mail server
[2010-05-25 22:41] Found new mail server
[2010-05-25 22:41] Found new nameserver
[2010-05-25 22:41] Found new nameserver
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks

Results for
Served by name server (probably)
Served by mail exchange (probably)

Note: I used the --only-passive and --without-update flags; these should be self-explanatory. -t is for the target.

As you can see there are several other options to work with. Those I will leave up to you to explore.


Adding more DNS tools to BT4 part 3

The next tool is

To get it, download the .tar here.
Again you can save it wherever; I chose /pentest/enumeration/.
Untar the package, cd into the directory, chmod +x subdomainer.py, and then you are set to go.
To untar the package: tar xvf subd*
Delete the tarball: rm -rf subdomainer.tar

Generic usage is:

root@dorkness:/pentest/enumeration/subdomainer# python

*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
* *

usage: options

-d: domain to search
-l: limit of results to work with. (msn and yahoo goes in 10 to 10
google in 100's, and pgp does not need this option)
-m: data source (msn, yahoo, google, pgp-veridis, all)

-o: output to html file. (optional, good for long lists.)

Example: -d -l 200 -m google -d -l 100 -m all -o microsoft.html


Due to the length of the results I will leave it to you to run them.

Adding more DNS tools to BT4 part 2
Ok again this is a simple copy and paste.
Get the source here:

EDIT: Since the above google doc seems to no longer be valid, I will leave it to the user to find it by searching google. Frankly as I stated in the comments below if you can't find this or any other tool I write about then you probably shouldn't be using them since it's obvious you don't know what you are doing.

Copy and paste it to wherever you want. I used the same directory as before.
The name is The purpose of the tool is to use DNS to find hostnames in a subnet.
Save it and give it execute permissions.

Generic usage with no flags set.

root@dorkness:/pentest/enumeration/dnsenum# ./

* program created by t0ka7a *
* *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *

begin search...

wrong number of arguments

exemple: ./


This time we have some targets to scan.
root@dorkness:/pentest/enumeration/dnsenum# ./

* program created by t0ka7a *
* *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *

begin search...

end of search
511 ip tested, 33 names found, in 11 s


So there you go, another cool tool to add to BT for your reconnaissance efforts.

Adding more DNS tools to BT4 part 1

So here is a write up on adding some tools to the BT4 DNS collection.
I will first show how to install and give a brief usage of each tool.
They are not hard to install and are simple to use. The power lies in what they can do.
These tools are ones that I found, and credit goes to their authors. Also note that since the tools are not included in BT by default you are on your own if something goes wrong. However since they are simple python and or ruby scripts with no real dependencies things should work just fine.
NOTE: Most output info has been slightly modified.

So without further delay the first up is
Code is here:

So copy and paste the code from the link to a file named and make the file executable. I added these tools to the following directory to keep things somewhat organised.
The script will need a dictionary when running. A good one and the one the author recommends is located in the dnsenum directory.


Again, to make it executable:
root@dorkness:/pentest/enumeration/# chmod +x

Generic run with no options:


* program created by t0ka7a *
* *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *

begin search...

wrong number of arguments

exemple: -f ./dico.txt

Ok now a run with some actual usage and results.

root@dorkness:/pentest/enumeration/# python -f ./dns.txt

* program created by t0ka7a *
* *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *

begin search... [''] [''] [] [''] [] [''] [''] ['']

end of search
95 names tested, 4 hostnames found, in 16.110284 s


Sunday, May 23, 2010

SSLScan in BT

SSLScan in BT4

No need to write a description since the intro below already has one as well as usage details.
In order to use grab some shell or find it in the menu structure under:
BT> NetworkMapping> ALL> sslscan

Running the command without any options returns the following.
root@dorkness~:# sslscan

___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.6
Copyright (C) 2007-2008 Ian Ventura-Whiting

SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what ciphers are supported, which are
the servers prefered ciphers, which SSL protocols are
supported and returns the SSL certificate. Client
certificates / private key can be configured and output is
to text / XML.

sslscan [Options] [host:port | host]

--targets= A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port).
--no-failed List only accepted ciphers (default
is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk= A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape).
--pkpass= The password for the private key or
PKCS#12 file.
--certs= A file containing PEM/ASN1 formatted
client certificates.
--xml= Output results to an XML file.
--version Display the program version.
--help Display the help text you are now

Ok here is a generic run without any flags, against our target website.
Of course the output has been truncated and a little bit munged.

root@bt:~# sslscan

Testing SSL server on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5

Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA

SSL Certificate:
Version: 2
Serial Number: -4294967123
Signature Algorithm: sha1WithRSAEncryption
Issuer: /OU=Extended Validation CA/O=GlobalSign/CN=GlobalSign Extended Validation CA
Not valid before: Sep 16 16:14:35 2009 GMT
Not valid after: Sep 17 16:14:32 2010 GMT
Subject: /, Clause 5.(b)/serialNumber=32123374/ Djurs/L=Oerum Djurs/streetAddress= Main 6/OU=FairSSL/O=Not Yours v/Some Name /
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit): truncated
Exponent: 65421 (0x10001)
X509v3 Extensions:
X509v3 Authority Key Identifier:
keyid:34:B1:E0 truncated

Authority Information Access:
CA Issuers - URI:

X509v3 CRL Distribution Points:

X509v3 Subject Key Identifier:
87:D2:7C:2B:D1:B0 truncated
X509v3 Basic Constraints:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
X509v3 Certificate Policies:

Netscape Cert Type:
SSL Client, SSL Server
X509v3 Subject Alternative Name:,
Verify Certificate:
unable to get local issuer certificate


So a generic run returns a lot of information. We learn properties such as validity, CN, CDP and OCSP; even the EV attributes are returned.

Note: This information is all publicly available. This tool just presents said info in a nice format such as .xml files, using the --xml=file flag, where file is the name to save as.

The other flags above can be used to further refine the output. One of the more important ones is the --no-failed flag, which only lists accepted ciphers (see the output above); the default, of course, is to list them all. The --ssl2, --ssl3 and --tls1 flags check for and list only the ciphers of that protocol. If you have several servers to check, you can also pass a list to sslscan using the --targets=file flag. The other flags are pretty self-explanatory.

So the question becomes "Why is any or all of this important?" Well, easy. When auditing servers you may find ones that use weak ciphers or protocols: think NULL cipher, or SSLv1.
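As an added example (my own code, not part of sslscan or of the original post), here is a Python parser for the cipher lines in sslscan's output that answers that question automatically: it keeps only the "Accepted" lines and reports which of them are weak and why. The sample output is constructed in sslscan 1.6's format (some lines from the run above, with a few changed to Accepted so the checks have something to find). The policy reflects current practice rather than 2010 advice: SSLv2 and SSLv3 (deprecated by RFC 7568), NULL, export-grade and anonymous-DH suites, RC4, 3DES and MD5-based MACs are all flagged.

```python
import re

# Constructed sample in sslscan 1.6's output format (partly altered from the run above
# so that weak suites appear as Accepted).
SAMPLE_OUTPUT = """\
Testing SSL server on port 443
Supported Server Cipher(s):
Rejected SSLv2 128 bits RC4-MD5
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 40 bits EXP-RC4-MD5
Accepted TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA
"""

CIPHER_RE = re.compile(
    r"^(Accepted|Rejected)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+) bits\s+(\S+)$", re.M
)


def parse_ciphers(text):
    """Return (status, protocol, bits, name) for each cipher line in sslscan output."""
    return [(s, p, int(b), n) for s, p, b, n in CIPHER_RE.findall(text)]


def weak_reasons(proto, bits, name):
    """List the reasons a cipher suite is considered weak (empty list = acceptable)."""
    reasons = []
    if proto in ("SSLv2", "SSLv3"):
        reasons.append(f"legacy protocol {proto}")
    if name.startswith("NULL-") or bits == 0:
        reasons.append("no encryption (NULL cipher)")
    if name.startswith("EXP-") or 0 < bits < 128:
        reasons.append(f"export/short key ({bits} bits)")
    if name.startswith(("ADH-", "AECDH-")):
        reasons.append("anonymous DH (no server authentication)")
    if "RC4" in name:
        reasons.append("RC4")
    if "DES-CBC3" in name or "3DES" in name:
        reasons.append("3DES (64-bit block)")
    if name.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons


def audit(text):
    """Accepted suites that are weak, as (protocol, bits, name, reasons)."""
    weak = []
    for status, proto, bits, name in parse_ciphers(text):
        if status != "Accepted":
            continue
        reasons = weak_reasons(proto, bits, name)
        if reasons:
            weak.append((proto, bits, name, reasons))
    return weak


def offered_protocols(text):
    """Protocol versions for which the server accepted at least one suite."""
    return sorted({p for s, p, _, _ in parse_ciphers(text) if s == "Accepted"})


if __name__ == "__main__":
    print("protocols offered:", ", ".join(offered_protocols(SAMPLE_OUTPUT)))
    for proto, bits, name, reasons in audit(SAMPLE_OUTPUT):
        print(f"WEAK  {proto:<6} {bits:>3} bits {name:<24} {'; '.join(reasons)}")
```

Feed it the saved output of a real run (sslscan host > out.txt) and the loop prints one line per accepted weak suite, which is the list you hand to whoever owns the server.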

Well that's about all there is to it, have fun and enjoy.

Wednesday, May 19, 2010

Remove and Renew Gnome Panels

So you're messing around with your panels in Gnome and maybe you did like me and biffed them.
Well, here is a quick way to remove and renew them.
Get a shell open and type the following commands in succession. This will kill the panels, delete their configuration and recreate the default panels you had when you first installed Gnome.


aa@dork:~# gconftool --recursive-unset /apps/panel

aa@dork:~# rm -rf ~/.gconf/apps/panel

aa@dork:~# pkill gnome-panel


So that's pretty much it. Again this will kill your panels and then recreate the defaults for you.

Friday, April 30, 2010

Install WhatWeb 0.4.2 in BT4

Quick guide to get Whatweb going in BT4
WhatWeb is a "Next generation web scanner. Identify what websites are running."

First and foremost grab some shell in BT, and get the tar.gz:

root@dorkbox:/pentest/enumeration# wget

Next unpack the archive:

root@dorkbox:/pentest/enumeration# tar xvf whatweb*

Remove the archive, and change into the new directory:

root@dorkbox:/pentest/enumeration# rm -f whatweb-0.4.2.tar.gz
root@dorkbox:/pentest/enumeration# cd whatweb*

Next read the Install file.

root@dorkbox:/pentest/enumeration/whatweb-0.4.2# cat INSTALL | less

As you can see, the install file mentions using Ruby 1.9.
Well, BT4 comes with Ruby 1.8.7. I am not sure if this will make a difference, since neither the documentation nor the website mentions any type of dependencies. So far during my experiments with WhatWeb I have not seen any problems. YMMV. There is also mention of a couple of other packages, but these are already included in BT4, so no problems there.

As for using the program, see also the README, which contains a good bit of info on using WhatWeb.

root@dorkbox:/pentest/enumeration/whatweb-0.4.2# cat README | less

But as an example of some generic output:

root@bt:/pentest/enumeration/whatweb# ./whatweb [301] title[301 Moved Permanently], server-header[Apache], redirect-location[], md5[0670664f17b872398a96c6a58e812c2d], header-hash[0671564f07b972398a96c6a58e812c2d] [200] Google-Analytics-GA[791888], Joomla[1.4], server-header[Apache], meta-generator[Joomla! 1.4 - Open Source Content Management], title[Example Websites Design], md5[fcb3ec0df12e54dfdef2e991a24f1c1], footer-hash[a19d726fa5771113aceaec0c61b1bf8ea7], div-span-structure[e56dd07d6f482ee11342e4ea99a9e6a8], header-hash[4379923363b07114470bde23484214e3f]

As a side note the above is not a real website.

Thanks to and Andrew Horton aka urbanadventurer
Have fun and remember don't mess with networks that you don't have permission for.

TCPDump Flags

I was trying to capture some data the other day using tcpdump. This is really for my own needs, but I like to share when I can.
Here are a few filters to use when trying to capture packets with certain TCP flags set.
There are more; you can read online to find them if needed.

Sniff all SYN flagged packets:

root@bt:~# tcpdump 'tcp[13] & 2 != 0'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
ctrl+c: Indicates that I stopped the capture.
0 packets captured
0 packets received by filter
0 packets dropped by kernel

With the above resulting output.

Sniff all PSH flagged packets:
root@bt:~# tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets:
root@bt:~# tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets:
root@bt:~# tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets:
root@bt:~# tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] = 18'
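As an added example (my own code, not from the original post or from tcpdump), the filters above evaluated in Python against constructed 20-byte TCP headers, so you can see exactly which byte tcp[13] reads and which bits each mask tests. It also builds the filter expression for a flag set and shows one caveat: the exact form 'tcp[13] = 18' misses a SYN-ACK on an ECN-capable handshake, where ECE (bit 64) is also set, whereas 'tcp[13] & 18 = 18' (or tcpdump's 'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)') still matches.

```python
import struct

# Bit values of the TCP flags byte, i.e. tcp[13] in tcpdump's filter language.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR")]


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (no options); only the flags byte matters here."""
    data_offset = 5 << 4            # header length of 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags_byte(tcp_header):
    """Byte 13 of the TCP header: the byte tcpdump reads as tcp[13]."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    return tcp_header[13]


def matches(flags_byte, mask, value=None):
    """Evaluate a filter: 'tcp[13] & mask != 0' when value is None,
    otherwise 'tcp[13] & mask = value' (mask 0xFF gives the exact 'tcp[13] = value')."""
    if value is None:
        return (flags_byte & mask) != 0
    return (flags_byte & mask) == value


def describe(flags_byte):
    """Name the set bits, e.g. 18 -> 'SYN-ACK'."""
    names = [name for bit, name in FLAG_NAMES if flags_byte & bit]
    return "-".join(names) if names else "none"


def bpf_filter(flags, exact=False):
    """tcpdump expression for a flag set. One flag uses the '!= 0' form from the
    list above; several flags use '& N = N' so that extra bits such as ECE/CWR
    on an ECN handshake do not hide the match. exact=True gives 'tcp[13] = N'."""
    if exact:
        return f"tcp[13] = {flags}"
    if flags & (flags - 1) == 0:    # exactly one bit set
        return f"tcp[13] & {flags} != 0"
    return f"tcp[13] & {flags} = {flags}"


if __name__ == "__main__":
    for hdr in (build_tcp_header(40000, 22, SYN),
                build_tcp_header(22, 40000, SYN | ACK),
                build_tcp_header(22, 40000, SYN | ACK | ECE)):
        b = tcp_flags_byte(hdr)
        print(f"{describe(b):<12} tcp[13]={b:3d}  'tcp[13] = 18': {matches(b, 0xFF, 18)}  "
              f"'tcp[13] & 18 = 18': {matches(b, SYN | ACK, SYN | ACK)}")
```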

Wednesday, March 3, 2010

VGA Resolutions Codes

I was looking for a VGA resolution code and needed to look in several places to find a complete list, or at least the ones that I wanted.
So here is a list of all the ones I collected.
Width-Height-Depth   VGA Code   HEX Code
80x25 (TEXT)         3840       0xF00
80x50 (TEXT)         3841       0xF01
80x43 (TEXT)         3842       0xF02
80x28 (TEXT)         3843       0xF03
80x30 (TEXT)         3845       0xF05
80x34 (TEXT)         3846       0xF06
80x60 (TEXT)         3847       0xF07

320x200x8            816        0x330
320x200x16           782        0x30E
320x200x24           783        0x30F

320x240x8            820        0x334
320x240x16           821        0x335
320x240x24           822        0x336

320x400x8            817        0x331
320x400x16           818        0x332
320x400x24           819        0x333

640x400x8            768        0x300
640x400x16           829        0x33d
640x400x24           830        0x33e

640x480x8            769        0x301
640x480x16           785        0x311
640x480x24           786        0x312

768x480x8            866        0x362
768x480x16           ???        ????
768x480x24           ???        ????

800x600x8            771        0x303
800x600x16           788        0x314
800x600x24           789        0x315

1024x768x8           773        0x305
1024x768x16          791        0x317
1024x768x24          792        0x318

1280x800x8           864        0x360
1280x800x16          ???        ????
1280x800x24          865        0x361

1280x1024x8          775        0x307
1280x1024x16         794        0x31a
1280x1024x24         795        0x31b

1440x900x8           868        0x364
1440x900x16          ???        ????
1440x900x24          869        0x365

1600x1200x8          796        0x372
1600x1200x16         798        0x374
1600x1200x24         799        0x375

Note to self : The vga code for the eeepc 701 series = 311

Saturday, February 27, 2010

Adding SwiftFox to BT4

Ok, so a quick guide on adding another browser to BT4.
Swiftfox is based on Firefox and is designed to be faster.
There are different builds to take advantage of different processors.
Use at your own discretion.
First add the repo to your sources.list.
root@dorktest:~# nano /etc/apt/sources.list
add the following :
deb unstable non-free
Then install it:
root@dorktest:~# apt-get update && apt-get install swiftfox-yourprochere
where yourprochere is your processor.
The different versions available are:
swiftfox-i686 (Older AMD & Intel)
swiftfox-athlon64 (AMD64 users on a 64bit OS)
swiftfox-athlon64-32bit (AMD64 users on a 32bit OS)
swiftfox-prescott (Intel Prescott and newer)
If you are not sure use this chart for more info.

Friday, February 26, 2010

Install Airdrop-ng

So TheX1le released (to the general populace) airdrop-ng today.
You can visit the aircrack-ng site for more info. There is a video of the talk here.

So this one is so easy an itard can do it.
Grab a shell in BT4
root@dorktest:~# cd /pentest/wireless/
root@dorktest:/pentest/wireless# svn co
Second line above should be all on one line.
Once it completes then:
root@dorktest:~# cd /pentest/wireless/airdrop-ng/
root@dorktest:/pentest/wireless/airdrop-ng/ cat README
And Read it.
to run the installer.
See how easy that was.

Friday, February 5, 2010

Installing ecryptfs in BT4.

Installing ecryptfs in BT4.
This guide is a simple one to get encryption set up. This is not the best way of doing things;
however, it is probably the quickest and easiest.
First things:
root@bt:~# apt-get install ecryptfs-utils
Reading package lists... Done
The following NEW packages will be installed:
ecryptfs-utils libecryptfs0 libtspi1
0 upgraded, 3 newly installed, 0 to remove and 19 not upgraded.
Need to get 331kB of archives.
After this operation, 1212kB of additional disk space will be used.
Do you want to continue [Y/n]? y
After the install is complete, before you go on, READ THE MAN PAGE and the FAQ:
root@bt:~# man ecryptfs
root@bt:~# /usr/share/doc/ecryptfs-utils/ecryptfs-faq.html
See also the web page at
This is important for your security.
Next run the setup
root@bt:~# ecryptfs-setup-private
Enter your log in passphrase: enter your actual log in info here
Enter your mount passphrase [leave blank to generate one]:
Done configuring.
Testing mount/write/umount/read...
Testing succeeded.
Once this is done there will be a new directory created called Private
Since I did this with the root user account it is stored in /
Inside this directory is a readme read it before proceeding.
So in order to use your new encrypted directory you will need to log out and back in.
Now your log in passphrase along with the aforementioned mount passphrase will be used to mount the directory Private. There are caveats to using this type of system. Only data you store in Private is encrypted. Any data saved or collected while browsing the internet that is stored elsewhere on the system will not be encrypted. If you have a swap partition it will not be encrypted either. As with most encryption systems, if you leave physical access or access to the encrypted container open (suppose you leave the computer and go out for a coffee without logging out) then again the data would be accessible. Also, when you log out the folder will show that there is encrypted data in the directory.
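As an added check (not part of the original post), the POSIX shell functions below test the two caveats just described: whether the Private directory is really an ecryptfs mount, and whether any active swap sits on a plain (non-dm-crypt) device. The mount point /root/Private assumes the root-user setup above; the /proc/mounts and /proc/swaps lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): verify the two ecryptfs caveats
# from the text. The functions take the file contents as arguments so they run
# on the constructed samples below; on a live box pass "$(cat /proc/mounts)"
# and "$(cat /proc/swaps)" instead.

# private_mounted MOUNTS_TEXT MOUNTPOINT
# Returns 0 when MOUNTPOINT appears in MOUNTS_TEXT with filesystem type
# "ecryptfs" (field 2 is the mount point, field 3 the type).
private_mounted() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# plain_swap_count SWAPS_TEXT
# Prints the number of active swap areas that are not device-mapper nodes.
# Heuristic: a dm-crypt swap shows up as /dev/mapper/... or /dev/dm-N; a raw
# partition or swap file holds paged-out memory in cleartext (the caveat above).
plain_swap_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { n++ }
                              END { print n + 0 }'
}

# Constructed samples standing in for /proc/mounts and /proc/swaps after
# ecryptfs-setup-private was run as root (mount point /root/Private).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,relatime 0 0
/root/.Private /root/Private ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0'
SAMPLE_SWAPS='Filename                Type        Size    Used    Priority
/dev/sda5                               partition   1048572 0       -1'

# report MOUNTS_TEXT SWAPS_TEXT MOUNTPOINT: human-readable summary of both checks.
report() {
    if private_mounted "$1" "$3"; then
        echo "ok: $3 is an ecryptfs mount"
    else
        echo "WARNING: $3 is not mounted; files written there are NOT encrypted"
    fi
    n=$(plain_swap_count "$2")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n unencrypted swap area(s) active; memory may be paged out in clear"
    else
        echo "ok: no unencrypted swap active"
    fi
}

report "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS" /root/Private
```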

Monday, January 18, 2010

Google Chromium in BT4

This is a small guide to adding the Google browser Chromium to Back Track 4.

Note: Following this guide may break your system and no one will take responsibility for it but you.
OK the first thing you need to do is add the PPA's to your apt sources list.
root@dorkbox:~# nano /etc/apt/sources.list
Add the following to the list
# Chromium browser PPA
deb intrepid main
deb-src intrepid main
Save and exit.
Next get the key
root@dorkbox:~# apt-key adv --keyserver --recv-keys FBEF0D696DE1C72BA5A835FE5A9BF3BB4E5E17B5
Note the above should be one line.
Next update apt
root@dorkbox:~# apt-get update
Last apt-get the browser.
root@dorkbox:~# apt-get install chromium-browser
Three other packages should get pulled as well.
chromium-browser chromium-browser-inspector chromium-codecs-ffmpeg

Important links for basic linux

I have added this post from the Back | Track Linux Forum to my Blog for some reason.

Many people who are new to Back Track may also be new to Linux. Learning BT can be a daunting task, while also trying to learn Linux. As such if you are new to Linux we highly encourage you to learn the basics first. There are literally millions of pages of resources available on the internet to do this.

Since we can't really assess a given user's knowledge, skills, and attribute levels we suggest to everyone starting out to learn to use something like Ubuntu since BT is based on it. One of the reasons is the amount of information available to support the new user. In addition Ubuntu is designed to be as easy as possible for a user with zero Linux knowledge to get up and running. Now while most of us will not really care if you persist on using BT as your starting platform, please note that we can't possibly be expected to teach you those basics. Furthermore using BT may cause you to get side-tracked in learning. Many people have trouble with those basics and then make a post immediately on using one of the many Penetration Testing tools without having resolved the previous problem. This shows that those tools can be a distraction to the beginner.

The following is a collection of resources to help aid others to learn those basics. There is no real order of importance in the list and it is not all inclusive. Feel free to make a post in this thread and add links to resources that you find or found helpful. Please do not use this thread to add "warez" etc., say "hello" or ask a question, as those will just be deleted/moved.

How To Forge
How To Geek
Linux Home Networking
Linux Journal
Linux Basics
Open of Course
ss64 Bash commands
ComputerHope Unix
Ubuntu Guide
UNIX and Internet Fundamentals
Quick Reference Cards
IPTables HowTO
TCP/IP Concepts Video

Monday, January 11, 2010

Back Track 4 Final is out.

That's right Back | track 4 Final is now out.
With a new release comes a new website with a new forum and a new irc channel as well, channel #backtrack-linux


Saturday, January 2, 2010

Using apt-Cacher

I was doing a bit of research and came across this today.

"Apt-Cacher is a method by which you can centrally cache and share packages already stored within your network. It also allows the option of caching any downloaded packages in the future. This allows me to download a package once and transparently share it with an unlimited number of machines within my network. This way I only use my Lanwidth (LAN-bandwidth), and not my limited WAN connection."
Setup would be:
# aptitude install apt-cacher
To have auto startup
# sed -i.orig 's/AUTOSTART=0/AUTOSTART=1/' /etc/default/apt-cacher
# /etc/init.d/apt-cacher restart
Configure the acl for access (default is allow access to any IP)
it is located in /etc/apt-cacher/apt-cacher.conf.
To import the packages in your box to the cache
# /usr/share/apt-cacher/ -s /var/cache/apt/archives/
To give other machines on the network access to the cache, edit the apt-conf file in /etc/apt to reflect the machine's IP address:

Friday, January 1, 2010

Installing gnome-do in BT4

If you have not heard of gnome-do, it is basically a launcher. But it can do a lot more.
Warning: Adding Repos or PPA's that are outside of the control of Remote-Exploit may cause problems, as such me (and the remote-exploit team) are not responsible. I may be able to help but then again I may not. Gnome-do is very new and as such all of the issues (bugs) have not been worked out.

Ok to install Gnome-do you will need to add the PPA's to your repos list using your favorite text editor.
root@dorkbox:# nano /etc/apt/sources.list
Add the following two lines.
deb intrepid main
deb-src intrepid main
The key should be added to your keyring as well.
root@dorkbox:# gpg --no-default-keyring --keyring /tmp/gnome-do.keyring --keyserver --recv
root@dorkbox:# gpg --no-default-keyring --keyring /tmp/gnome-do.keyring --export --armor A5D19FDCAA6ABB440CD3464628A8205077558DD0 | apt-key add -

root@dorkbox:# rm /tmp/gnome-do.keyring
root@dorkbox:# apt-get install gnome-do
Gnome-do will add some packages that it needs in order to run. We will also need a compositing manager; we will come back to this later. Next add gnome-terminal, which is used to take advantage of any application that will run from a terminal (i.e. Back Track tools).
So to get it:
root@dorkbox:# apt-get install gnome-terminal
Once apt finishes we need to set gnome-terminal as the default terminal emulator (Do not worry you can change this later if you need to.) In order to change it
root@dorkbox:# update-alternatives --config x-terminal-emulator
You will then see the following.
Selection Alternative
1 /usr/bin/xterm
2 /usr/bin/uxterm
3 /usr/bin/koi8rxterm
4 /usr/bin/lxterm
*+ 5 /usr/bin/gnome-terminal.wrapper
6 /usr/bin/konsole
7 /usr/bin/xfce4-terminal.wrapper

Press enter to keep the default[*], or type selection number:
Before you type a number make note of your default in case you need to change back later on. Ok you can find gnome-do in the menu under Utilities. An easy way to work with it is to pull it to the desktop or panel to make a short-cut.
From Gnome-Do
Now click on it and it should open a window on the desktop in the upper right hand corner should be a little drop down arrow. Click it to bring up the preferences dialog. Under plugins look for gnome-terminal and check it and then refresh and close it.
From Gnome-Do
You can mess with the other preferences on your own. Ok now that you have everything set up, click on the purple gnome-do icon or use the "super key" plus the space bar. The super key may also be a Windows key. This should bring up the basic gnome-do screen. From there you can start typing commands or the names of applications. Try typing msfconsole. It should then give you options after a few letters. If you find run, then tab over to the other side of the screen and hit enter. It should start the msfconsole running.
From Gnome-Do
You can tab to the second half of the screen and use the up/down arrow keys to cycle through the other options. There should be a copy to clipboard as well as a few others. If a command does not work then re-type it and look for the "run in terminal" command. Another feature of Gnome-do is Docky. Docky is basically a front-end of Gnome-do and it allows you to create a launcher panel on your desktop. Using Docky you can drag and drop items onto the panel or drag off of the panel to delete.
From Gnome-Do
There is a lot you can do with both Gnome-do and Docky; I will leave it up to you to explore it. If you don't have a Compositing Manager then you will need one to take advantage of all the cool features. Now if you run the "classic" mode of Gnome-do then you won't need one. The easiest way to do this would be to add xcompmgr. There are other managers but xcompmgr is light on resources in the background. In order to set it up use aptitude to grab it.
root@dorkbox:# aptitude install xcompmgr
Of course this will also pull other dependencies along. You can then start compositing manually via the 'xcompmgr' command. With basic compositing enabled you should now be able to use the enhanced features of Gnome-Do, including the Mini Interface, Docky, Glass Interface and Nouveau. So now that you have everything needed, start xcompmgr using the command above, then open the preferences for gnome-do again and this time go to the appearance tab and select docky. Now you should see the launcher panel at the bottom. If it does not show up then you may need to change the appearance themes a couple of times. Now go into your menu and find yourself a few tools that you would want to add to docky and drag them over. Some of the icons may show up as an "X"; I have not found a fix for this yet.

That's it. Again remember that gnome-do is new software and as such things may not work right. But with a little fun you can now launch your applications in a new way.
I encourage everyone who tries this to add their tips and tricks to this thread.

Change the Default Terminal Emulator

Changing the default Terminal Emulator or tty is something that is easy to do, but most people never need to. One of the reasons that you may need to change the terminal is because some programs may not work with your systems default.
So in order to do this on Debian based systems open a shell and use the update-alternatives command.
root@dorkbox:# update-alternatives --config x-terminal-emulator
This will return the following:
There are 7 alternatives which provide `x-terminal-emulator'.

Selection Alternative
1 /usr/bin/xterm
2 /usr/bin/uxterm
3 /usr/bin/koi8rxterm
4 /usr/bin/lxterm
*+ 5 /usr/bin/gnome-terminal.wrapper
6 /usr/bin/konsole
7 /usr/bin/xfce4-terminal.wrapper

Press enter to keep the default[*], or type selection number:
So as you can see the * represents the current default terminal and entering a number from the list above will change to the one you want.
Make a note of your current one so that you can change back if you later need to.

Well that's it. Not hard to do.