Monday, December 24, 2012

Merry Xmas!

Merry Christmas, and Happy New Year for everyone!

Sorry I didn't have too much time for the blog this year, but hopefully next year will be more.

Also from next year I permanently switch the blog's language to English from Hungarian.

Saturday, December 22, 2012

Backtrack Forensics:

The tool can be reached from:

Forensics -> Forensic Analysis Tools is a Windows event file (*.evt) parser, it generates a text csv output from the event files. It's usage is very simple:

-e - specifiy to parse a file
-d - specify to parse a directory


./ -e /root/Desktop/events/SysEvent.Evt


Friday, December 21, 2012

Backtrack Forensic: hexedit

The tool can be reached from:

Forensics -> Digital Forensics

hexedit is a hexadecimal editor, as it names suggests. You can edit both files or entire drives with it, in exactly the same way. When you start it, it will have 3 different "columns": the location (starting from 00000000), then the hexadecimal values, and in the most right the ASCII values. You can switch with the TAB key between the hex and ASCII representation. Moving in the file can be done with the arrow keys.

There are a whole lot of hotkeys you can use for navigating and editing, which I don't want to cover here, you can find all in the official site, or in the manual of the application. Just a few common ones:

Ctrl-X: save and exit
Ctrl-C: exit without saving
Esc-W:  copy
Ctrl-Y: paste
Esc-Y:  paste into a file
/, Ctrl+S - search forward (in ASCII or in hexadecimal)

Running it:

hexedit filename
hexedit hexedit1.txt

hexedit device
hexedit /dev/sda

If we don't give a filename as an input, then it will ask for it.

--color : color mode
--maximize : maximize display


Tuesday, December 18, 2012

Tip: How to get the list of installed tools in Backtrack?

Here is the command to get the list of all tools, packages installed in Backtrack:

root@bt:~# dpkg --list

I created the list of tools in Backtrack 5 R3, and it's is available here:

Sunday, December 9, 2012

Backtrack Forensics: recoverjpeg & recovermov

recoverjpeg is a tool for recovering deleted jpeg files from a drive. It's very powerful, I managed to recover JPEG even after formatting and writing on the pendrive. It's pair is the recovermov tool, which can restore mov files.

The tools can be accessed from:

Forensics -> Forensic Carving Tools

or from the shell directly.


#locate the drive name:
fdisk -l

#recover jpegs:
recoverjpeg /dev/sdb

The tool has a few options, but works well with the defaults.


Thursday, December 6, 2012

Backtrack Forensics: Hashes

In Backtrack Forensic module we have 6 applications available to compute hashes:

md5deep - Compute and compare MD5 message digests
sha1deep - Compute and compare SHA-1 message digests
sha256deep - Compute and compare SHA-256 message digests
tigerdeep - Compute and compare Tiger message digests
whirlpooldeep - Compute and compare Whirlpool message digests

hashdeep - which is the combination of the above

All of these tools can calculate the given digest of a file, or of a directory, and recursively for all files in it, or even of an entire drive. The syntax is the same for all of the apps.

Examples for runs:

Calculate the hash for all files in the /root/assembly directory, and direct the output to md5hash.txt:

root@bt:~# md5deep -e -r /root/assembly/ > md5hash.txt

root@bt:~# cat md5hash.txt                                                
3d60d85d993892ac6a2005dcecb7de77  /root/assembly/Function3.s
9e0266c8fb62950d0dddb1ad261ce6f0  /root/assembly/Shell
5e9bf2d710fd3b57fa7c41ec2c41255c  /root/assembly/Shell.o

Check if "Shell.o" has a non-matching hash in the file:
root@bt:~# md5deep -x md5hash.txt /root/assembly/Shell.o

Check if "Shell.o" has a matching hash in the file:
root@bt:~# md5deep -m md5hash.txt /root/assembly/Shell.o

Check if files in "/root/assembly" directory has a non-matching hash in the file:
root@bt:~# md5deep -x md5hash.txt -r /root/assembly

Check if files in "/root/assembly" directory has a matching hash in the file:
root@bt:~# md5deep -m md5hash.txt -r /root/assembly

Thursday, November 22, 2012

Microsoft Security Essentials - location of quarantined files

Windows XP:

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine

Windows Vista / Windows 7:

C:\ProgramData\Microsoft\Microsoft Antimalware\Quarantine

Sunday, October 28, 2012

ms11_006: Exploit failed: NameError uninitialized constant Rex::OLE

BT5 R3 alatt, Metasploitban a ms11_006 (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) exploit nem működik rendesen, az alábbi hibát kapjuk:

Creating ‘msf.doc’ file … 
[-] Exploit failed: NameError uninitialized constant Rex::OLE

A hiba oka, hogy a ruby script fájlból hiányzik két "require" sor:


require 'rex/ole/util'
require 'rex/ole'

Ezt beletéve, már működik.

Friday, February 17, 2012


Privilege Escalation -> Spoofing Attacks -> Network Spoofing -> hexinject

hexinject is capable to inject any packet to the network, which we construct on our own in hex. The tool doesn't do any verification, so it will send even a sentence like 'jaj de finom ez a leves' (this soup is really tasty - in Hungarian). Thus if we screw up the various protocols' structure another software won't be able to understand it. It has a sniffing mode, where we can listen to the network traffic. It's quite hard to use on its own, but using pipes or scripts it can be really useful.


hexinject -s -i eth0 -> sniffing eth0 interface

hexinject -s -i eth0 -r -> output in raw format

hexinject -s -i eth0 -r | strings -> using strings

hexinject -s -i eth0 -r | strings | Host -> filtering on hosts 

echo 'Jaj de finom ez a leves' | hexinject -p -i eth0 -r -> sending a custom string to the network

This will create a packet like this:

The possibilities are unlimited, it's worth to read the documentation and other examples on its webpage:

Thursday, February 16, 2012


Privilege Escalation -> Spoofing Attacks -> Network Spoofing -> yersinia

yersinia is a vulnerability testing tool for LAN protocols (cdp, dhcp, dot1q, dot1x, dtp, hsrp, isl, stp, vtp). For example, we can do:
- CDP flooding
- Trunk port creation with DTP (dynamic trunking protocol)
- VLAN creation / removal with VTP
- Creating fake Spanning Tree root device

It has 2 main modes: command line and GUI based, for using the first one, we need to dig a lot in its manual in order to do something, and the graphical interface is said to be only in beta. In reality both modes has a few bugs. Unfortunately I can't do examples, cause I don't have a switch to test with.

Starting GUI mode:

yersinia -G

We can start an attack at the "launch attack" menu, and stop in the "list attacks" menu.

Protection for the various protocols:

cdp - enable only where needed
dhcp - dhcp snooping
dot1q - configure static access ports towards the hosts
dot1x - use certificate authentication
dtp - turn it off, and use static trunk / access ports
hsrp - use authentication
isl - see dot1q
stp - use spanning tree protection features like BPDU guard, root guard, etc...
vtp - use authentication, or don't use vtp at all

Backtrack basics 12. - Connecting to WPA2 wireless network

Here is a short description, about how to connect to WPA2 protected wireless networks with Backtrack 5. First edit the wpa_supplicant.conf file, where we can set the WiFi parameters:




Then run the following commands:

root@bt:/etc/wpa_supplicant# ifconfig wlan0 up

root@bt:/etc/wpa_supplicant# wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant.conf

root@bt:/etc/wpa_supplicant# dhclient wlan0

Wednesday, February 15, 2012

ettercap + example: DNS spoofing

ettercap is a tool for doing LAN based MitM attacks, which based on ARP spoofing. After it succeeded to step in the traffic flow path, we can do several things with it, for example:
- data modification
- extracting passwords
All of these are accomplished by plug ins.

In order to get ARP spoofing work properly we need to turn on IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Ettercap is already installed in the 64bit version, in the 32 bit version we need to install it:

apt-get install ettercap

We can use the tool in 3 modes: text, cursor, graphical:
ettercap -T
ettercap -C
ettercap -G

I will use the graphical.

Once started, choose the Sniff -> unified sniffing menu, and make a device discovery, which will send an ARP message to all IPs in the subnet. We can load the devices from a file.

Then add the two devices, which you want to sniff to the target list. I used the default gateway and my laptops IP here.

Then load the plugin you want to use.

With choosing MiTM -> Arp spoofingot we can perform the attack, and now we are in the traffic's path between the two machines. At the Start -> Start sniffing menu we can actually activate the attack. For the DNS spoofing we can set the fake domain - IP pairs in the following config file:


If all goes well, we can redirect the computer's traffic to a custom target:

The ettercap log:

Stopping can be done in the Mitm -> Stop mitm attack menu.


1. Basically we need to protect against ARP spoofing, which is the same what I described at the arpspoof tool.
2. Don't use DNS - this can be realistic in some cases
3. Use IDS / IPS on the LAN - this is not so common, and not too effective against such attacks like this
4. Use DNSSEC - DNS signed with a certificate, this one also not widely used

Tuesday, February 14, 2012

IPv6 pentesting 7. - trace6

trace6 is a traceroute utility for IPv6. It can do TCP and ICMPv6 based trace, and we can also set the source address.

Basic usage:

trace6 interface destination-ip [port]

If we set the port number it will do a TCP trace, otherwise an ICMPv6.


trace6 eth0 3003::1 80

Monday, February 13, 2012


We can start the tool simple from the terminal. I don't want to go into the details how arpspoof works, there are tons of writing about that on the Internet. In short, we can become a man in the middle between two hosts on a LAN, with overwriting their ARP table with a false entry, which points to us, instead of the real address - this can be done with ARP.

Before we start it, we need to tun on IP forwarfing on Linux:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward


arpspoof [-i interface] [-t target] host
target - the hosts, whos traffic we want to sniff
host - The host we want to personate

Thus we need to run this from two windows, because running it for a single host we will see only one part of the traffic. We need to personate two hosts.


root@bt:~# arpspoof -i eth1 -t
root@bt:~# arpspoof -i eth1 -t

after that we can see the traffic in Wireshark:

The tool is part of the dsniff package, which is available here:


Most modern switches already have a service, which tracks what MAC address is used on a port, and it allows only valid ARP traffic, which means that only those ARP packets will be allowed, which contains the MAC address of the host on that port. Cisco and Juniper calls it "Dynamic Arp Inspection (DAI)". More information:

Sunday, February 12, 2012


Information Gathering -> Network Analysis -> Service fingerprinting -> httprint

This tool can also identify webservers with cheking fingerprints. It compares the gathered data with its fingerprint database, and assigns a probability to the server type, and it lists them in descending order. The app has a GUI version as well.

Usage of the command line version:

./httprint -h -s signatures.txt
./httprint -h -P0 -s signatures.txt <- turn off ping
./httprint -h -P0 -s signatures.txt -o results.html <- print the output to file

Official website:

IPv6 pentesting 6. - thcping6

With thcping6 we can carft a custom ICMPv6 packet, with being able to configure almost any field in the header, at least the most important ones.

I just did a simple example, without digging into too much:

thcping6 interface source-ipv6 destination-ipv6

IPv6 pentesting 5. - fake_router6

The fake_router6 tool sends RA (router advertisement) packets to the network with highest priority, thus claiming itself a router. It can achieve two things this way:
1. Set the machine as the default gateway, potentially allowing us to be MitM
2. If we give a non-existent link-local address, then it will be a DoS attack, as hosts will send the packets to a black hole
3. If we don't forward anything, only receive the packets as a DG, that is also a DoS

Simple usage:

fake_router6 interface address-prefix/prefix-length


fake_router6 eth0 3003::1/64

After we start to advertise ourselves, the host receive it, and generates an address for itself:

IPv6 pentesting 4. - dos-new-ip6

This tool can be considered as a pair of detect-new-ip6. Similarly it listens for ICMPv6 DAD packets on the network, but if it sees one, it will send a response that this IPv6 address already exists, this way we can reach, that no host will be able to connect to the network - DoS attack.

If you are using BT5 64bit version, as myself, it won't work properly, along with detect-new-ipv6. I managed to get it work only if I started Wireshark, and a capture with it. Unfortunately also Wireshark didn't start properly:

wireshark: error while loading shared libraries: cannot open shared object file: No such file or director

The solution is:
1. Reinstall Wireshark
2. Copy files:

cp /usr/local/lib/ /usr/lib/
cp /usr/local/lib/ /usr/lib/

After that it works properly.

Usage of the tool is similar:

dos-new-ip6 interface

dos-new-ip6 eth0

Part of the related Wireshark output:

And finaly the message on Windows 7, a successful DoS attack:

Update: On BT5 32bit version you also need to run Wireshark in order to get it worked. I suppose it starts a module or process, which the tool doesn't.

Saturday, February 11, 2012


Information Gathering -> Network Analysis -> Service fingerprinting -> httsquash

Httsquash is a http scanner, banner grabber and data retriever. It can scan large IP ranges for webservers. It supports IPv6, various HTTP requests and fingerprints based on httrecon signatures.

Official website:


./httsquash -r [IP address range]


./httsquash -r

Friday, February 10, 2012

IPv6 pentesting 3. - alive6

The second tool from the package is alive6. This is actually scnas the network for active IPv6 addresses. It uses multiple packets for scnanning:
- ICMPv6
- IPv6 packet w/ unknown header
- IPv6 packet w/ unknown hop-by-hop options
we can set this with the "-s" option.
We can select from many options but the basic run is quite simple:
alive6 [interface]

Thursday, February 9, 2012

IPv6 pentesting 2. - detect-new-ip6

The tools found in thc-ipv6 package are located at the /usr/local/bin/ directory on BackTrack 5. The complete program listing and the package itself is available for download from here:

The first tool I check is the "detect-new-ip6" tool. This is essentially detects the new hosts, which are connected to the network and continuously prints them to the screen. This is based on IPv6's DAD (Duplicate Address Detection) function. Each IPv6 host, when it connects to the network sends an ICMPv6 packet to a multicast address associated with its IPv6 address, and waits for a reply, with this verifying whether this address is already used by another device on the network or not. These messages are watched by the tool. The usage is very simple:

detect-new-ip6 eth0

IPv6 pentesting 1. - ping6

I'm starting a series about IPv6, since not much published about it. This is understandable, because it is still not as common, but it will not always be the case. I won't describe the IPv6 protocol, everyone can look after that.

There are not a lot IPv6 testing tools, the most widely used is the thc-ipv6 package, which contains a lot of different utilities. The goal is to go through them one by one. But before proceeding, let's look at how to ping IPv6, because the ping command does not work. What we need is a "ping6". Use it the same way as ping.

ping6 [ipv6 cím]

Wednesday, January 18, 2012


Information Gathering -> Network Analysis -> Service fingerprinting -> amap

amap is good for detecting applications / services on a given port. We can reveal the app name and even its version number. It works by sending a trigger message to the port, and compares it's database with the response.

The location of the amap trigger files and response database in BackTrack5:


root@bt:~# amap <- prints the available options

root@bt:~# amap -b 21 <- examining port 21, with printing the banner

root@bt:~# amap -bq 21 80 <- scanning port 21, 80, prints banner, but if a port is closed it doesn't give any information about that. If we want to scan multiple ports we need to list them with a space delimiter.

Official website:

Monday, January 16, 2012

Backtrack basics 11. - Installing Backtrack 5 under Virtualbox

I installed Backtrack5 R1 64bit GNOME version, here are the steps:

1) Make a new VirtualPC, select Ubuntu 64bit version, and set the other parameters (RAM, HDD - min 8GB, network)
2) Select the downloaded ISO file into the CD drive.
3) Boot Backtrack from CD
4) Start the GUI (startx)
5) Click the icon on the desktop
6) Follow the installation wizard (Step 7) - at 99% it will linger for a while, but it does not freeze, so wait patiently
7) Reboot the system, and if you want, remove the CD
8) Login (root / toor is the default)
9) run "fix-splash" script
10) Start the GUI (startx)
11) Delete the icon
12) If you want, you can install the VirtualBox apps