105,698 views
Backtrack 4 cheat sheet
Download backtrack from http://www.remote-exploit.org/backtrack_download.html. Current version at the time of writing is BT4 Pre-Final.This document is based on BT4 pre-final. Ergo, some of the instructions below may not work with other versions of BT.
FYI : An excellent guide about Backtrack4 can be found at BackTrack 4 – The Definitive Guide
1. Installing Backtrack to a harddrive (using Ubiquity)
- Boot from the Backtrack DVD and choose “Start Backtrack in Text Mode”
- Backtrack will boot and will automatically end up at a root prompt.
- Launch the GUI by running ‘startx’.
- Open a konsole and run ‘ubiquity’.
- At the “Language crashed” dialog, choose “Continue anyway’”
- Set timezone and choose keyboard layout.
- Let backtrack partition the disk. (‘Use entire disk’)
- Enter new user account information. (Pick a strong password, as this will be the user account used to log on into Backtrack)
- Review the installation summary and press “install” to start the installation.
- Reboot when installation has completed
- Log in with the newly created user
- change the password for root (sudo passwd root)
Installing VirtualBox guest additions (if you have installed BT on VirtualBox) :
- In Virtualbox, select “Devices – Install Guest Additions”)
- open Konsole, mount cdrom (“mount cdrom”) and run “sudo /media/cdrom/VBoxLinuxAdditions-x86.run”
- reboot (“sudo reboot”)
2. Running Backtrack from USB (with support for persistent changes)
Check out Backtrack 4 USB Install – Offensive Security and http://forums.remote-exploit.org/backtrack-4-howto/23652-bt4-usb-installation-noob-proof-tutorial.html
This procedure only works for Backtrack 4 Pre-final. You need a 4Gb (or bigger) USB stick to run BT4 Pre-Final.
- Boot Backtrack and insert the USB. In my test environment, I’m running BT on VirtualBox. Let’s say the USB was detected as sda (run ‘dmesg’ to see system messages after you have connected the USB) .
- Mount the Backtrack CDRom
- mount /dev/cdrom /media/cdrom
- Run fdisk :
- fdisk /dev/sda
- Verify that there are no partitions : ‘p’ (or use ‘d’ to remove any existing partitions, ‘w’ to write the changes, and run fdisk again)
- create a new partion : ‘n’
- p (primary)
- Partition number 1
- First cilinder : use default 1
- Last cylinder : +1500M
- create another new partition : ‘n’
- p (primary)
- Partition number 2
- First cilinder : use default value
- Last cylinder : +1500M
- Set first partition active and set partition type of first partition to FAT32
- fdisk /dev/sda
- Format the 2 partitions :
mkfs.vfat -F 32 -n BT4 /dev/sda1 mkfs.ext3 -b 4096 -L casper-rw /dev/sda2
Use the default journal size (8192 blocks)
- Mount the USB key and copy the file structure from the CDRom to USB stick
mkdir /mnt/sda1 mount /dev/sda1 /mnt/sda1 rsync -avh /media/cdrom/ /mnt/sda1/
(don’t forget the backslashes after ‘cdrom’ and after ‘sda1’ !)
- When all files are copied (1,32Gbytes, may take a little while) , run grub-install
- Edit boot menu
vi /mnt/sda1/boot/grub/menu.lst
Set ‘default’ to 5Find the entry with title “Start Persistent Live CD”. Change the title to for example “Start Persistent Live USB”.Edit the line below the title (“kernel” line) and add the following statement at the end of the line :vga=0x317Save the changes - Unmount the USB key
cd / umount /mnt/sda1
- Boot a computer from this newly created USB and verify that BT works, and that changes are written onto the USB.
Alternatively, you can create a USB based BT from Windows by using UNetbootin (Windows).
Partition the USB drive (as explained above), run UNetbootin, select the BT4 Pre-final ISO file, select the USB drive and install.
After the installation, find syslinux.cfg in the root of the first partition on the USB. Edit the file and add the vga=0x317 parameter after “Start Persistent Live CD” (under label ubnentry4)
At the top of the file, set default to ubnentry4. Save the file and you’re all set
3. Networking and Network Services
Networking
By default, DHCP (or networking for that matter) is disabled. You need to run ‘/etc/init.d/networking start’ to start networking. If you want to load networking at boot (on a HD install or USB with persistent changes), add that command into /etc/init.d/rc.local or run “sudo /usr/sbin/update-rc.d networking defaults”
Wireless networking can be started with Knetworkmanager (run “sudo /etc/init.d/NetworkManager”)
SSH
Edit ssh config and disable root logon via ssh :
sudo vi /etc/ssh/sshd_config and set “PermitRootLogin” to no.
If you get an error about the ssh_host_dsa_key or ssh_host_rsa_key not being found, generate the keys and try again
Starting OpenBSD Secure Shell server: sshd
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
Generate host keys :
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Start sshd (“sudo /etc/init.d/ssh start”)
If you want to enable ssh to start at boot time, run update-rc.d ssh defaults
4. Keeping Backtrack up-to-date
/usr/bin/apt-get -y update /usr/bin/apt-get -y upgrade
To download and install all new updates, run apt -get dist- upgrade
The first time you run the apt-get update, you may get an error “GPG error : http://ppa.launchpad.net intrpid Release: The following signatures couln’t be verified because the public key…”
Quick fix :
wget http://apt.pearsoncomputing.net/public.gpg sudo apt-key add public.gpg rm public.gpg
(Then run the apt-get update again and it should work)
Upgrading the distro to the lastest version :
apt-get update && apt-get dist-upgrade -y
Warning : an “upgrade” in BT4Beta will also upgrade KDE to 3.5.. If KDE is not working anymore after update/upgrade ? (a.k.a. ‘startx’ does not seem to work) :
root@bt:~# cd /etc/alternatives/ root@bt:/etc/alternatives# mv x-session-manager x-session-manager-broken root@bt:/etc/alternatives# ln -s /opt/kde3/bin/startkde x-session-manager root@bt:/etc/alternatives# startx
(this issue should be fixed in the final version)
Updating security components
/pentest/exploits/fast-track.py -i
First update fast-track, then update other individual components (Metasploit, Aircrack, nikto, etc; or choose ‘9’ to update all)
If updating nikto doesn’t work :
Updating Nikto... cd: 1: can't cd to /pentest/scanners/nikto/ /bin/sh: ./nikto.pl: not found
Fix :
root@bt:~# mkdir /pentest/scanners/nikto/ root@bt:~# ln -s /usr/bin/nikto /pentest/scanners/nikto/nikto.pl root@bt:/pentest/exploits/~# ./fast-track -c 1 2
5. Change keyboard layout
dpkg-reconfigure console-setup
6. Installing Nessus
First, download the Nessus and NessusClient installation packages from the Nessus (Tenable Network Security) website : http://www.nessus.org/download/
(Choose ‘Nessus for Linux’) and download the packages for Ubuntu. Put the .deb files in /tmp
Install Nessus Daemon
root@bt4-1:/tmp# ls Nessus* -al -rw-r--r-- 1 root root 3002846 Jul 4 15:46 Nessus-4.0.1-ubuntu810_i386.deb -rw-r--r-- 1 root root 500624 Jul 4 15:46 NessusClient-4.0.1-ubuntu810_i386.deb root@bt4-1:/tmp# root@bt4-1:/tmp# dpkg --install Nessus-4.0.1-ubuntu810_i386.deb Selecting previously deselected package nessus. (Reading database ... 183074 files and directories currently installed.) Unpacking nessus (from Nessus-4.0.1-ubuntu810_i386.deb) ... Setting up nessus (4.0.1) ... nessusd (Nessus) 4.0.1. for Linux (C) 1998 - 2009 Tenable Network Security, Inc. - Please run /opt/nessus/sbin/nessus-adduser to add a user - Register your Nessus scanner at http://www.nessus.org/register/ to obtain all the newest plugins - You can start nessusd by typing /etc/init.d/nessusd start root@bt4-1:/tmp#
Install Nessus Client
Before installing the client, you will need to install some dependencies :
root@bt4-1:/tmp# apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant Reading package lists... Done Building dependency tree Reading state information... Done libqtcore4 is already the newest version. libqtcore4 set to manually installed. libqt4-network is already the newest version. libqt4-network set to manually installed. libqt4-script is already the newest version. libqt4-script set to manually installed. libqt4-xml is already the newest version. libqt4-xml set to manually installed. libqt4-dbus is already the newest version. libqt4-dbus set to manually installed. libqt4-test is already the newest version. libqt4-test set to manually installed. libqtgui4 is already the newest version. libqtgui4 set to manually installed. libqt4-svg is already the newest version. libqt4-svg set to manually installed. libqt4-designer is already the newest version. libqt4-designer set to manually installed. libqt4-assistant is already the newest version. libqt4-assistant set to manually installed. The following NEW packages will be installed: libqt4-core libqt4-gui libqt4-opengl 0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded. Need to get 176kB of archives. After this operation, 762kB of additional disk space will be used. Get:1 http://archive.offensive-security.com pwnsauce/main libqt4-core 4.4.3-0ubuntu1.2 [7562B] Get:2 http://archive.offensive-security.com pwnsauce/main libqt4-opengl 4.4.3-0ubuntu1.2 [161kB] Get:3 http://archive.offensive-security.com pwnsauce/main libqt4-gui 4.4.3-0ubuntu1.2 [7554B] Fetched 176kB in 1s (114kB/s) debconf: apt-extracttemplates failed: Bad file descriptor Selecting previously deselected package libqt4-core. (Reading database ... 183131 files and directories currently installed.) Unpacking libqt4-core (from .../libqt4-core_4.4.3-0ubuntu1.2_i386.deb) ... Selecting previously deselected package libqt4-opengl. Unpacking libqt4-opengl (from .../libqt4-opengl_4.4.3-0ubuntu1.2_i386.deb) ... Selecting previously deselected package libqt4-gui. Unpacking libqt4-gui (from .../libqt4-gui_4.4.3-0ubuntu1.2_i386.deb) ... Setting up libqt4-core (4.4.3-0ubuntu1.2) ... Setting up libqt4-opengl (4.4.3-0ubuntu1.2) ... Setting up libqt4-gui (4.4.3-0ubuntu1.2) ... Processing triggers for libc6 ... ldconfig deferred processing now taking place
Now you can install the client :
root@bt4-1:/tmp# dpkg --install NessusClient-4.0.1-ubuntu810_i386.deb Selecting previously deselected package nessusclient. (Reading database ... 183150 files and directories currently installed.) Unpacking nessusclient (from NessusClient-4.0.1-ubuntu810_i386.deb) ... Setting up nessusclient (4.0.1) ...
Create Certificate
root@bt4-1:/tmp# /opt/nessus/sbin/nessus-mkcert ------------------------------------------------------------------------------- Creation of the Nessus SSL Certificate ------------------------------------------------------------------------------- This script will now ask you the relevant information to create the SSL certificate of Nessus. Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your Nessus daemon will be able to retrieve this information. CA certificate life time in days [1460]: Server certificate life time in days [365]: Your country (two letter code) [FR]: BE Your state or province name [none]: WVL Your location (e.g. town) [Paris]: Deerlijk Your organization [Nessus Users United]: Corelan Congratulations. Your server certificate was properly created. The following files were created : . Certification authority : Certificate = /opt/nessus//com/nessus/CA/cacert.pem Private key = /opt/nessus//var/nessus/CA/cakey.pem . Nessus Server : Certificate = /opt/nessus//com/nessus/CA/servercert.pem Private key = /opt/nessus//var/nessus/CA/serverkey.pem root@bt4-1:/tmp#
Create a Nessus user
root@bt4-1:/tmp# /opt/nessus/sbin/nessus-adduser Login : MyGreatNessusAdminUser Authentication (pass/cert) : [pass] Login password : Login password (again) : Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y User rules ---------- nessusd has a rules system which allows you to restrict the hosts that peter has the right to test. For instance, you may want him to be able to scan his own host only. Please see the nessus-adduser manual for the rules syntax Enter the rules for this user, and enter a BLANK LINE once you are done : (the user can have an empty rules set) Aborted by end-user.
Register/update plugins
Get yourself a key that will provide access to the free home update feed : Register a HomeFeed
You will receive an email that contains the feed code.
Install/Register the code with the following command (and update the plugins at the same time) :
root@bt4-1:/tmp# /opt/nessus/bin/nessus-fetch --register PUT-YOUR-CODE-HERE Your activation code has been registered properly - thank you. Now fetching the newest plugin set from plugins.nessus.org... Your Nessus installation is now up-to-date. If auto_update is set to 'yes' in nessusd.conf, Nessus will update the plugins by itself.
Verify that “auto_update” in /opt/nessus/etc/nessus/nessusd.conf is set according to the behaviour you want to achieve. If you want to manually update the plugins, you can run :
root@bt4-1:/tmp# /opt/nessus/sbin/nessus-update-plugins Fetching the newest updates from nessus.org... Done. The Nessus server will restart when its scans are finished
Make sure Nessus does not start at boot
root@bt4-1:/tmp# update-rc.d -f nessusd remove Removing any system startup links for /etc/init.d/nessusd ... /etc/rc0.d/K20nessusd /etc/rc1.d/K20nessusd /etc/rc2.d/S20nessusd /etc/rc3.d/S20nessusd /etc/rc4.d/S20nessusd /etc/rc5.d/S20nessusd /etc/rc6.d/K20nessusd
Launch Nessus daemon
root@bt4-1:/tmp# /etc/init.d/nessusd start Starting Nessus : . root@bt4-1:/tmp#
Install additional plugins
http://www.alienvault.com/free_feed_for_nessus.php
Nessus/OpenVAS wrapper for ike-scan
7. Wireless auditing
Crack WEP : Cheatsheet – Cracking WEP with Backtrack 4 and aircrack-ng
Crack WPA2 PSK : Cheatsheet – Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper
Wepbuster : Download from http://code.google.com/p/wepbuster/. Installation procedure (assuming that wepbuster was downloaded into /tmp) :
root@bt:/# cd /tmp root@bt:/tmp# tar xvfz wepbuster.tgz wepbuster-1.0_beta/ wepbuster-1.0_beta/README.TXT wepbuster-1.0_beta/wepbuster root@bt:/tmp# mv wepbuster-1.0_beta/wepbuster /usr/local/bin root@bt:/tmp#
Modify parameters :
edit wepbuster and change the $airodumpwait and $scan_duration parameters (and set them to a value higher than 20):
# Time to wait before reading the airodump output. 23 seconds/sleeps should be safe on default aircrack -ng installation which updates ] # .csv files every 20 seconds; my $airodumpwait = 23 ; # Initial airodump scan duration (sleeps) when trying to build target AP list my $scan_duration = 23;
8. Installing/Running in VMWare, but KDE resolution is bad ?
Run “fixvmware”
9. Log on in KDE with root (dangerous ! But if you still want to do it…)
Edit /etc/kde3/kdm/kdmrc and set the following parameters :
AllowRootLogin=true AutoLoginEnable=true AutoLoginUser=root AutoLoginPass=secret
Reboot
© 2009 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.