Showing posts from April, 2009

Backtrack 4 Beta and Nessus 4.0.0

I recently installed Nessus 4.0.0 on a VMware install of BackTrack 4 Beta. Below are the steps I took.

Download the following Linux packages (the Ubuntu 8.04 i386 server and client .debs used in the commands below) from the Nessus website.


You will also need to register in order to obtain the activation key.

Before installing we need to install some missing dependencies (the Qt4 libraries that the NessusClient GUI requires):

apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant

Install the server.

# dpkg -i Nessus-4.0.0-ubuntu804_i386.deb

Configure the certificate

# /opt/nessus/sbin/nessus-mkcert

Add the admin user

# /opt/nessus/sbin/nessus-adduser

Register the feed with your key (this also downloads the plugin set).

# /opt/nessus/bin/nessus-fetch --register 'your_registration_key'

Install the client.

# dpkg -i NessusClient-4.0.0-ubuntu804_i386.deb

Start the server.

# /etc/init.d/nessusd start

Then start the client from Menu > Internet > NessusClient, or use the CLI.

Social Engineering Investigations

Below is a general outline for investigating social engineering style attacks. This article is meant for discussion purposes only.

One thing to be aware of is that social engineering is not limited to IT systems; it is an issue for the entire organisation.

Social engineering attacks can vary from low tech to high tech.

There are many factors that can lead to a successful social engineering attack.

Normally an attacker will first look at the company website, as these are usually full of useful information such as the names, positions and phone numbers of staff.

Organisations need to be aware of just how much information they are giving away on their websites.

It is also common practice in organisations for a user's email address to match their network user name. The password for email may also be the same as the network logon; this is normally the case where an organisation is using Microsoft Exchange, since Exchange authenticates users against their Windows domain account.

Armed with this information an attacker…

EnCase and Tableau Forensic Bay

Came across this issue today and thought I'd share it with you.

I recently installed the latest version of EnCase. Reading the release notes, it states that hard drives connected to Tableau write blockers are now recognised by EnCase as being write blocked. Since we use a large number of Tableau devices I started testing.

In testing I have found this to be true for the Tableau T35es, T35e, T3u, T4, T14 and T15.

When testing with the T335 (Forensic Drive Bay Controller, firmware 6.22) I found that EnCase is not correctly identifying a drive as being write blocked.

Test Results

Test 1: IDE read only, SATA1 read only, SATA2 read only
EnCase sees all drives as write blocked.

Test 2: IDE read/write, SATA1 read/write, SATA2 read/write
EnCase sees all drives as not write blocked.

Test 3: IDE read only, SATA1 read/write, SATA2 read only
EnCase sees all drives as write blocked (including SATA1, which is set to read/write).

This can be an issue because if you b…

Install OpenOffice 3.01 in Backtrack 4 Beta

I decided to install OpenOffice in BackTrack, since it is not part of the default build because of size limitations. I always find it useful to have a spreadsheet application installed as part of my pen-testing toolkit.
Get the Linux DEB package; I am using the English (US) build. The tarball extracts to a single folder (OOo_inst_folder below), which contains the DEBS directory.

tar -zxvf OOo_3.0.1_LinuxIntel_install_en-US_deb.tar.gz
cd OOo_inst_folder/DEBS
dpkg -i *.deb

(Not sure this is needed for KDE but I did it for the icons in kmenuedit)
cd desktop-integration
dpkg -i *.deb

Add it to the KDE menu with kmenuedit (if you are using Gnome you don't need to do this):

Click on Utilities
Ctrl+N (New)

Name: OpenOffice3 (or whatever you want)
Command: /opt/openoffice.org3/program/soffice
Click on the blank icon next to the name and pick an icon for OpenOffice
Ctrl+S (Save)

Increase the number of TCP connections in Windows XP

Half-open limit fix is a program designed to change the maximum number of concurrent half-open outbound TCP connections (connection attempts) in the Windows system file tcpip.sys. Microsoft first introduced this limit in Windows XP SP2 (Service Pack 2), and it remained in place through Windows Vista (it was removed again in Vista SP2 and is not present in Windows 7). It was done to slow the spread of viruses and worms from system to system and to reduce the impact of infected systems taking part in DoS (Denial of Service) attacks. The limit means a Windows XP SP2 system cannot have more than 10 concurrent half-open outbound connections: beyond 10, new connection attempts are queued and forced to wait. Only incomplete outbound attempts (sockets in the SYN_SENT state) count towards the limit, not established connections, and when the limit is hit Windows logs Event ID 4226 ("TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts") in the System event log, which is the quickest way to confirm that a scanner or torrent client is being throttled. Patching tcpip.sys replaces a protected system file, so keep a backup of the original.
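As an added example (not part of the original post, and not code from the Half-open limit fix program), the following POSIX shell snippet counts the half-open outbound connections in `netstat -an` output and reports whether the XP SP2 limit of 10 has been reached. The sample netstat listing embedded in it is constructed to look like a port scan in progress; on a real system you would pipe the output of `netstat -an` (copied from the XP box) into `half_open_report`.

```shell
#!/bin/sh
# Count half-open outbound TCP connections (state SYN_SENT) in netstat -an
# output and compare the count against the Windows XP SP2 limit of 10.
# Added example for this post; the sample netstat output below is constructed.

HALF_OPEN_LIMIT=10

# count_syn_sent: reads netstat -an output on stdin and prints how many TCP
# sockets are in SYN_SENT, i.e. connection attempts that have not completed.
# Output copied from Windows may have CRLF line endings, so the trailing CR
# is stripped before the State field (last column) is compared.
count_syn_sent() {
    awk '{ sub(/\r$/, "") }
         toupper($1) == "TCP" && $NF == "SYN_SENT" { n++ }
         END { print n + 0 }'
}

# at_half_open_limit N: succeeds (exit 0) when N has reached the limit.
at_half_open_limit() {
    [ "$1" -ge "$HALF_OPEN_LIMIT" ]
}

# half_open_report: human-readable summary for netstat output on stdin.
half_open_report() {
    n=$(count_syn_sent)
    if at_half_open_limit "$n"; then
        echo "$n half-open connections: at the XP SP2 limit of $HALF_OPEN_LIMIT (expect Event ID 4226 and queued connects)"
    else
        echo "$n half-open connections: below the limit of $HALF_OPEN_LIMIT"
    fi
}

# Constructed sample: two established sessions, ten outstanding connection
# attempts to port 135 across a /24 (a scanner hitting the limit) and one UDP
# socket, which has no State column and must not be counted.
sample_netstat() {
    cat <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1025       192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.5:1026       192.168.1.10:80        ESTABLISHED
  TCP    192.168.1.5:1030       10.0.0.1:135           SYN_SENT
  TCP    192.168.1.5:1031       10.0.0.2:135           SYN_SENT
  TCP    192.168.1.5:1032       10.0.0.3:135           SYN_SENT
  TCP    192.168.1.5:1033       10.0.0.4:135           SYN_SENT
  TCP    192.168.1.5:1034       10.0.0.5:135           SYN_SENT
  TCP    192.168.1.5:1035       10.0.0.6:135           SYN_SENT
  TCP    192.168.1.5:1036       10.0.0.7:135           SYN_SENT
  TCP    192.168.1.5:1037       10.0.0.8:135           SYN_SENT
  TCP    192.168.1.5:1038       10.0.0.9:135           SYN_SENT
  TCP    192.168.1.5:1039       10.0.0.10:135          SYN_SENT
  UDP    192.168.1.5:137        *:*
EOF
}

# Usage: netstat -an | half_open_report   (shown here on the constructed sample)
sample_netstat | half_open_report
```

Ten SYN_SENT entries from one host to consecutive addresses on the same port is exactly the pattern the limit was introduced to slow down, so the same count is also a cheap indicator of scanning or worm activity when you are reading netstat output from a suspect machine.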

FreeNAS - Transmission and Windows Remote Client

I've been playing around with FreeNAS for some time now and have migrated an old Debian server over to FreeNAS in order to make things easier for the non-linux members of our team.

The server hosts all the deployment images for our lab workstations, among other non-sensitive data. The images are deployed via PXE; more on that to follow in another post.

I recently looked at the BitTorrent service, which seems like a good idea. All your torrents are controlled and downloaded to a central location, ideal in a lab environment. Downloading the latest version of Ubuntu or OpenOffice is now as simple as dropping the .torrent file into a shared directory and letting FreeNAS take care of the rest.

The majority of the lab workstations are Windows boxes, so I went to the Transmission website to download the Windows remote client. It was then that I found that Transmission does not have a Windows client.

A few google minutes later I find transmission-remote-dotnet on the google code page. I instal…

VMWare Shared Folders and BackTrack 4 Beta

I finally got around to trying out the latest version of BackTrack 4 Beta. Using VMware Workstation 6.5.1 I enabled "Shared Folders" so I could use some pre-compiled tables. However, when I browsed to /mnt/hgfs I saw a blank folder.
Trying mount.hgfs .host:/ /mnt/hgfs/ gave the following error: Error: cannot mount filesystem: No such device

To fix this issue follow these steps.

Download and extract the latest tarball of open-vm-tools from SourceForge.

Download and extract the latest glib tarball, since open-vm-tools requires it.

Build and install glib (from its extracted directory):
./configure && make && make install

Build and install open-vm-tools (from its extracted directory). The --without flags disable the optional dnet, X, Unity and ICU components so their dependencies do not need to be satisfied:
./configure --without-dnet --without-x --without-unity --without-icu && make && make install

Reboot and use the following command to mount your VMWare Shared Folder.

mount -t vmhgfs .host:/ /mnt/hgfs/

Add Pre-Computed WPA hashes to airolib

First I obtained the 33 GB table of pre-computed WPA-PSK hashes.

Please note that the 33 GB file is compressed using a number of methods, so you need a lot of space to decompress the hash files.

When the file is downloaded (wpa_psk-h1kari_renderman.tar.lzma) extract it; I used 7zip.
Once extracted you are left with wpa_psk-h1kari_renderman.tar

The next step is to decompress the .tar; again I used 7zip.
When the extraction is complete you will have 9 folders; these folders contain the pre-computed hashes, one file per ESSID.

Now all you have to do is know which ESSID you are looking for. The tables are per ESSID because WPA derives the PMK from the passphrase and the ESSID, so a pre-computed table only helps when the target's ESSID is one of those that was computed. I assume you are auditing your OWN NETWORK or have permission to audit your client's network.


I want to audit a wireless network with WPA encryption and an ESSID of "Private":

airolib-ng testdb --import cowpatty /mnt/sdb1/wpapsk/xag-0/Private

airolib-ng will then spend some time reading the file and writing to "testdb".

airolib-ng testdb --stats

You should see your ESSID computed to 100%.
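To save hunting through the nine folders by hand, here is an added shell helper (not from the original post or from the airolib-ng project) that searches each xag-* folder under the table root for a file named after the ESSID and then runs the import and stats commands above. It assumes the folders are named xag-0 to xag-8 and hold one file per ESSID, as the path in the example suggests; the table root, database name and ESSID are whatever you pass in.

```shell
#!/bin/sh
# Locate the pre-computed table for one ESSID among the xag-N folders and
# import it into an airolib-ng database.
# Added example; not part of the original post. The folder naming
# (xag-0 .. xag-8, one file per ESSID) is an assumption based on the path
# /mnt/sdb1/wpapsk/xag-0/Private used above.

# find_essid_table ROOT ESSID: print the path of the file named ESSID in the
# first xag-* folder under ROOT that has it; exit 1 if no folder does.
# The ESSID is matched as an exact, case-sensitive file name.
find_essid_table() {
    root=$1
    essid=$2
    for dir in "$root"/xag-*; do
        [ -d "$dir" ] || continue          # no match: glob left literal
        if [ -f "$dir/$essid" ]; then
            printf '%s\n' "$dir/$essid"
            return 0
        fi
    done
    echo "no pre-computed table for ESSID '$essid' under $root" >&2
    return 1
}

# import_essid DB ROOT ESSID: find the table, import it into DB with the
# cowpatty importer and show the coverage stats, as in the post above.
import_essid() {
    db=$1
    root=$2
    essid=$3
    table=$(find_essid_table "$root" "$essid") || return 1
    airolib-ng "$db" --import cowpatty "$table" && airolib-ng "$db" --stats
}

# Usage on the post's layout (uncomment to run):
# import_essid testdb /mnt/sdb1/wpapsk Private
```

Because the lookup fails cleanly when the ESSID is not in any folder, you find out before the import starts that the tables will not help with that network and need to compute your own with airolib-ng --batch instead.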