Skip to content

Posts tagged ‘backtrack’

8
Sep

Reverse SSH over Tor on the Pwnie Express

The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.

While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.

Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.

These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.

Read moreRead more

8
Sep

PwnieScripts for Pwnie Express

The Pwnie Express (PwnPlug) is a purpose-built penetration testing device in a plug form factor. A key feature is its ability to exfiltrate from a network and connect back to your SSH server using HTTP, SSL, ICMP or DNS tunnels. Check out my tutorial on how to hack your Pwnie to make untraceable reverse SSH connections over Tor.

There are a number of steps required to set up the computer on which the Pwnie’s reverse SSH connections will be received (setting up the listeners). To simplify and automate this process, I’ve put them together into a set of very simple bash scripts. I’m hoping to turn two of these into a proper init.d script, but haven’t yet had the time. The PwnieScripts set contains the following five bash scripts, and are designed to be used on BackTrack 5 (although they can easily be adapted to work on any other distro):

  • pwnsetup.sh: Automates the Pwnie Express setup process by enabling SSHD, generating SSH keys, creating a ‘pwnplug’ user, installing HTTPTunnel, generating an SSL certificate, configuring stunnel, and configuring DNS2TCP.
  • pwnstart.sh: Kills any existing listeners, and then starts SSHD as well as new HTTPTunnel, stunnel (SSL tunnel), DNS2TCP (DNS tunnel) and ptunnel (ICMP tunnel) listeners.
  • pwnwatch.sh: One-line script to monitor netstat for incoming connections from Pwnie Express.
  • pwnconnect.sh: aka. the Lazy Script – initiates an SSH connection to the first available established connection from Pwnie Express, so you don’t have to check which ones are active. It’ll use the more secure/relible ones first (SSL, HTTP) where available. Use the -t flag to only connect over Tor.
  • pwnstop.sh: Kills all existing HTTPTunnel, stunnel, DNS2TCP and ptunnel listener processses.

Download PwnieScripts (tgz 4kb)

Any feedback or tweaks are welcome. Leave a comment below, send me an email, or message me on Twitter.

[Changelog]

v0.1: Initial release.

14
May

Fwknop in BackTrack 5 Repository

Just a quick update to say that fwknop (Single Packet Authorization tool) has made it into the BackTrack 5 repository. Although it’s not installed by default, it’s a few keystrokes away, and can be installed by typing the following into the terminal:

apt-get install fwknop-client

apt-get install fwknop-server (if you want to use the server on your BackTrack install)

Note that it’s still version 1.9.12 of the Perl implementation, as the the C++ port (v 2.0) is still in the Release Candidate stage. Those of you who have been meaning to experiment with Single Packet Authorization and have already downloaded BT5, now’s a good time to install fwknop and give it a try! When installing fwknop-server it brings up an ultra-simple config screen that allows you to set up your initial passphrase.
Read moreRead more

11
May

BackTrack 5 “Revolution” Released

The most popular security and penetration testing Linux distribution has been updated once again, this time built from scratch! BackTrack 5, codenamed “Revolution”, is based on Ubuntu Lucid LTS with kernel 2.6.38, and brings with it full 32 and 64-bit support, an ARM-compatible image, forensics and stealth modes, KDE (4.6) and Gnome (2.6) desktop environments, and (allegedly) over 350 updated security tools including Metasploit 3.7.0. Best of all it’s “aligned with industry methodologies”! Whatever that means ;)

It appears BackTrack 5 will only be available torrents for the time being. The torrents are available in the following flavours: Gnome ISO (32bit, 64bit, ARM img), Gnome 32-bit VMware Image, KDE ISO (32bit, 64bit). Here’s the BackTrack downloads page. Those of you wondering which flavour to get between Gnome and KDE, it’s largely dependent on one’s taste, but the BackTrack guys appear to be favouring Gnome (which was the default Ubuntu graphics environment). If you have no idea what to get, then grab the Gnome 32-bit ISO (or VMware image) using the links above. I recommend Transmission (Mac) or uTorrent (Mac/PC) for BitTorrent clients. For anyone who hasn’t used BT before, the default username and password is root/toor.

BackTrack is a great tool for network security specialists and penetration testers, but it’s an even more valuable resource for people looking at learning more about application and network security (and Linux). Although I do have an Ubuntu install, I tend to use BackTrack more often due to the convenience (when I’m not using OSX that is ;).

It’s not possible to upgrade from BT4r2 to BT5, so those of you with installations of BackTrack 4 will need to reinstall (or download the new VM).

Check out their shiny promotional video below!

[Updated] BackTrack 5 R2 is now available, and brings a new kernel and 42 new tools. You can update your existing BT5 (R1) installation by running:

echo “deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing” >> /etc/apt/sources.list

apt-get update

apt-get dist-upgrade

22
Feb

BackTrack 5 “Revolution” in Development (Screenshots)

Click to enlarge

BackTrack 5 – codenamed “Revolution” – is currently under development, and the team is working on updating both system and tools. At the moment it’s running a 2.6.38-rc5 kernel, improved wireless drivers, and a new KDE 4 theme is being put together.

An initial release won’t be available for at least a couple months. If you have any requests or recommendations, now’s the time to make them on the BackTrack forums.

Here are a few teaser screenshots of BT5.

[Updated 10/5/2011] BackTrack 5 is out!

29
Nov

Armitage: Metasploit Attack Management GUI

Armitage, by Raphael Mudge, is a great little user interface for Metasploit which allows you to easily discover targets, deliver exploits, and manage your attacks to do things like pivots without any hassles.

Getting started with Armitage in Backtrack 4 R2 is easy. First, start the MySQL DB with /etc/init.d/mysql start (root/toor), and then start the Metasploit RPC daemon:

cd /pentest/exploits/framework3
./msfrpcd -f -U msf -P test -t Basic

Once msfrpcd is running, simply launch Armitage using the script provided and click Connect (you may need to check the Use SSL checkbox).

Armitage is written in Java, and works in Linux, Windows and Mac OS X. Download it here.

[Update] Armitage has been added to the Backtrack repos. Here’s a short tutorial, and check out the video tutorial below.

[Updated 21/01/2011] Hak5 episode 882 features a tutorial with mubix and Mudge (Hak5).

23
Nov

BackTrack 4 r2 “Nemesis” Released

[Update 10/5/2011] BT4r2 is now superceded by the new and improved BackTrack 5!

BackTrack 4 r2 (codename “Nemesis”) has been released and brings a number of updates aimed at improving “desktop responsiveness, better hardware support, broader wireless card support, streamlined work environment”.

Updates include an updated kernel (2.6.35.8) with improved wireless support, USB 3.0, faster responsiveness, pruned and new packages, and a new BackTrack wiki for more documentation and support.

Users with existing BT4 installs/VMs can simply perform an update using:

apt-get update && apt-get dist-upgrade

BackTrack 4 r2 is available as a 2GB ISO, or 2.4GB VMWare image, on the downloads page (the BT4 download links appear to have been removed in favour of BT5).

5
Aug

BackTrack 4 R1 Public Release

Following a limited pre-distribution at BlackHat in Las Vegas, muts and the guys at Offensive Security have released the final version of BackTrack 4 R1. The changes are primarily kernel update (2.6.34) and improved wireless drivers. All packages have been updated, and a full Fluxbox desktop environment has also been added – see screenshot below and others here.

BackTrack is an Ubuntu-based Linux distribution geared towards hackers/penetration testers, and comes with a variety of pre-installed security tools. The distro can be used as a Live-DVD, or installed like a normal Linux install. BackTrack 4 was released 6 months ago, on the 9th January 2010. The roadmap for the project can be found here.

The R1 ISO weighs in at 2GB and the VMWare image is 2.5GB. Both downloads are available here.

[Update] BackTrack r2 (Codename: Nemesis) is now available

css.php
WordPress Themes
WordPress Themes