Showing posts with label backtrack 5.
2014-05-21
Installing VLC in Backtrack 5
- apt-get install vlc
- hexedit /usr/bin/vlc
- find "geteuid._libc_start_man" and change it to "getppid._libc_start_man" (VLC refuses to start as root, which is the account BackTrack runs as; swapping the geteuid import for getppid, a same-length name that never returns 0, lifts that check without shifting any offsets in the binary)
- you can also run "apt-get install non-free-codecs", which will help play additional video formats.
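The hexedit step done from a script, as an added example that is not part of the original post: it backs the file up, refuses any replacement whose length differs from the original (a longer or shorter name would shift every offset in the ELF file), and reports how many occurrences it changed. It assumes GNU sed, which is binary-safe, and it is exercised here on a constructed stand-in file rather than on /usr/bin/vlc; pass the real path when you mean it.

```shell
#!/bin/sh
# Added example (not from the original post): same-length string patching with
# a backup and an occurrence count, the scripted equivalent of the hexedit step.
# Assumes GNU sed, which copes with NUL bytes and long "lines" in binaries.
# OLD and NEW are used as plain sed patterns, so keep them free of "/" and metacharacters.

# count_occurrences FILE STRING: how many times STRING appears in FILE (binary-safe)
count_occurrences() {
    LC_ALL=C grep -a -o -F -- "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# patch_same_length FILE OLD NEW: replace every OLD with NEW in FILE.
# Fails (exit 1) unless OLD and NEW have the same length, so the file size and
# every other offset stay untouched; a FILE.orig backup is written first.
# Prints the number of NEW occurrences after patching.
patch_same_length() {
    file=$1 old=$2 new=$3
    if [ "${#old}" -ne "${#new}" ]; then
        echo "refusing: '$old' and '$new' differ in length" >&2
        return 1
    fi
    if [ "$(count_occurrences "$file" "$old")" -eq 0 ]; then
        echo "nothing to patch: '$old' not found in $file" >&2
        return 1
    fi
    cp -p -- "$file" "$file.orig" || return 1
    LC_ALL=C sed -i "s/$old/$new/g" "$file"
    count_occurrences "$file" "$new"
}

# Constructed stand-in for the VLC binary: a fragment holding the symbol names
# the way hexedit shows them (the NUL separator is displayed as "." in the editor).
make_sample_binary() {
    printf 'xx\0geteuid\0__libc_start_main\0yy' > "$1"
}
```

Usage on the real file would be `patch_same_length /usr/bin/vlc geteuid getppid`; the `.orig` copy is what you restore from if the player misbehaves afterwards.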
2012-01-13
NMAP Scripts for your entertainment.
The following info was taken from http://nmap.org/book/nse.html
WHAT IS IT?
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
Scripts are written in the embedded Lua programming language. The language itself is well documented in the books Programming in Lua, Second Edition and Lua 5.1 Reference Manual. The reference manual is also freely available online, as is the first edition of Programming in Lua. Given the availability of these excellent general Lua programming references, this document only covers aspects and extensions specific to Nmap's scripting engine.
HOW DO I USE IT?
NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output. Two types of scripts are supported: service and host scripts. Service scripts relate to a certain open port (service) on the target host, and any results they produce are included next to that port in the Nmap output port table. Host scripts, on the other hand, run no more than once against each target IP and produce results below the port table.
SHOW ME WHAT TO TYPE...
Example 1 shows a typical script scan. Service scripts producing output in this example are ssh-hostkey, which provides the system's RSA and DSA SSH keys, and rpcinfo, which queries portmapper to enumerate available services. The only host script producing output in this example is smb-os-discovery, which collects a variety of information from SMB servers. Nmap discovered all of this information in a third of a second.
Example 1. Typical NSE output
# nmap -sC -p22,111,139 -T4 localhost
Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)
|_ 2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)
111/tcp open rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100024 1 56454/udp status
|_ 100000 2,3,4 111/tcp rpcbind
139/tcp open netbios-ssn
Host script results:
| smb-os-discovery: Unix
| LAN Manager: Samba 3.0.31-0.fc8
|_ Name: WORKGROUP
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
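The distinction the text draws between service scripts (reported under a port) and host scripts (reported under "Host script results:") is easy to check mechanically. The following parser is an added example, not part of nmap.org's text or the original post: it reads Nmap's normal output and emits one line per script result, tagged with its kind and, for service scripts, the port it belongs to. The sample it runs on is constructed in the shape of Example 1 (key fingerprints are made up); it relies on Nmap's real layout, where the first line of a result is "| name:" and continuation lines are indented with extra spaces after the bar.

```shell
#!/bin/sh
# Added example (not part of nmap.org's text or the original post): split Nmap's
# normal output into service-script results (attached to a port) and host-script
# results (printed under "Host script results:").

# Constructed sample in the shape of Example 1; Nmap indents continuation lines
# with extra spaces after the bar, which is what the parser relies on. The key
# fingerprints are made up.
SAMPLE_NMAP_OUTPUT='Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 1024 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (DSA)
|_2048 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa (RSA)
111/tcp open  rpcbind
| rpcinfo:
|   100000  2,3,4  111/udp  rpcbind
|   100024  1      56454/udp  status
|_  100000  2,3,4  111/tcp  rpcbind
139/tcp open  netbios-ssn

Host script results:
| smb-os-discovery: Unix
|   LAN Manager: Samba 3.0.31-0.fc8
|_  Name: WORKGROUP

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds'

# nse_scripts: read Nmap normal output on stdin; print one line per script result,
# "service PORT NAME" for service scripts and "host NAME" for host scripts.
nse_scripts() {
    awk '
        /^Host script results:/ { in_host = 1; port = ""; next }
        /^[0-9]+\/(tcp|udp) +open/ { port = $1; next }
        # first line of a script result: "| name:" or "|_ name:" with a single space
        /^\|_? [a-z0-9-]+:/ {
            name = $2
            sub(/:$/, "", name)
            if (in_host) print "host " name
            else if (port != "") print "service " port " " name
        }
    '
}

# nse_count KIND: number of "service" or "host" script results in the input
nse_count() {
    nse_scripts | grep -c "^$1 " || true
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | nse_scripts
```

On the sample this prints `service 22/tcp ssh-hostkey`, `service 111/tcp rpcinfo` and `host smb-os-discovery`, matching the prose description of Example 1. For anything beyond a quick look, Nmap's XML output (`-oX`) is the format to parse, since it carries the same service/host split as structured elements.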
I DO NOT HAVE TIME TO WRITE MY OWN SCRIPTS!!
Listed below are the built-in scripts preloaded in Nmap 5.61TEST4 (released January 2012):
address-info.nse
afp-brute.nse
afp-ls.nse
afp-path-vuln.nse
afp-serverinfo.nse
afp-showmount.nse
amqp-info.nse
asn-query.nse
auth-owners.nse
auth-spoof.nse
backorifice-brute.nse
backorifice-info.nse
banner.nse
bitcoin-getaddr.nse
bitcoin-info.nse
bitcoinrpc-info.nse
bittorrent-discovery.nse
broadcast-avahi-dos.nse
broadcast-db2-discover.nse
broadcast-dhcp-discover.nse
broadcast-dns-service-discovery.nse
broadcast-dropbox-listener.nse
broadcast-listener.nse
broadcast-ms-sql-discover.nse
broadcast-netbios-master-browser.nse
broadcast-novell-locate.nse
broadcast-pc-anywhere.nse
broadcast-pc-duo.nse
broadcast-ping.nse
broadcast-rip-discover.nse
broadcast-sybase-asa-discover.nse
broadcast-upnp-info.nse
broadcast-wake-on-lan.nse
broadcast-wpad-discover.nse
broadcast-wsdd-discover.nse
citrix-brute-xml.nse
citrix-enum-apps-xml.nse
citrix-enum-apps.nse
citrix-enum-servers-xml.nse
citrix-enum-servers.nse
couchdb-databases.nse
couchdb-stats.nse
creds-summary.nse
cvs-brute-repository.nse
cvs-brute.nse
daap-get-library.nse
daytime.nse
db2-das-info.nse
db2-discover.nse
dhcp-discover.nse
dns-blacklist.nse
dns-brute.nse
dns-cache-snoop.nse
dns-fuzz.nse
dns-nsec-enum.nse
dns-random-srcport.nse
dns-random-txid.nse
dns-recursion.nse
dns-service-discovery.nse
dns-update.nse
dns-zeustracker.nse
dns-zone-transfer.nse
domcon-brute.nse
domcon-cmd.nse
domino-enum-users.nse
dpap-brute.nse
drda-brute.nse
drda-info.nse
epmd-info.nse
finger.nse
firewalk.nse
ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
ganglia-info.nse
giop-info.nse
gopher-ls.nse
hadoop-datanode-info.nse
hadoop-jobtracker-info.nse
hadoop-namenode-info.nse
hadoop-secondary-namenode-info.nse
hadoop-tasktracker-info.nse
hbase-master-info.nse
hbase-region-info.nse
hddtemp-info.nse
hostmap.nse
http-affiliate-id.nse
http-apache-negotiation.nse
http-auth.nse
http-awstatstotals-exec.nse
http-axis2-dir-traversal.nse
http-backup-finder.nse
http-barracuda-dir-traversal.nse
http-brute.nse
http-cakephp-version.nse
http-cors.nse
http-date.nse
http-default-accounts.nse
http-domino-enum-passwords.nse
http-email-harvest.nse
http-enum.nse
http-favicon.nse
http-form-brute.nse
http-google-malware.nse
http-grep.nse
http-headers.nse
http-iis-webdav-vuln.nse
http-joomla-brute.nse
http-litespeed-sourcecode-download.nse
http-majordomo2-dir-traversal.nse
http-malware-host.nse
http-method-tamper.nse
http-methods.nse
http-open-proxy.nse
http-open-redirect.nse
http-passwd.nse
http-php-version.nse
http-put.nse
http-robots.txt.nse
http-robtex-reverse-ip.nse
http-title.nse
http-trace.nse
http-unsafe-output-escaping.nse
http-userdir-enum.nse
http-vhosts.nse
http-vmware-path-vuln.nse
http-vuln-cve2011-3192.nse
http-vuln-cve2011-3368.nse
http-waf-detect.nse
http-wordpress-brute.nse
http-wordpress-enum.nse
http-wordpress-plugins.nse
iax2-version.nse
imap-brute.nse
imap-capabilities.nse
informix-brute.nse
informix-query.nse
informix-tables.nse
ip-geolocation-geobytes.nse
ip-geolocation-geoplugin.nse
ip-geolocation-ipinfodb.nse
ip-geolocation-maxmind.nse
ipidseq.nse
ipv6-node-info.nse
irc-botnet-channels.nse
irc-brute.nse
irc-info.nse
irc-unrealircd-backdoor.nse
iscsi-brute.nse
iscsi-info.nse
jdwp-version.nse
krb5-enum-users.nse
ldap-brute.nse
ldap-novell-getpass.nse
ldap-rootdse.nse
ldap-search.nse
lexmark-config.nse
lltd-discovery.nse
maxdb-info.nse
metasploit-xmlrpc-brute.nse
modbus-discover.nse
mongodb-databases.nse
mongodb-info.nse
ms-sql-brute.nse
ms-sql-config.nse
ms-sql-dump-hashes.nse
ms-sql-empty-password.nse
ms-sql-hasdbaccess.nse
ms-sql-info.nse
ms-sql-query.nse
ms-sql-tables.nse
ms-sql-xp-cmdshell.nse
mysql-audit.nse
mysql-brute.nse
mysql-databases.nse
mysql-empty-password.nse
mysql-info.nse
mysql-users.nse
mysql-variables.nse
nat-pmp-info.nse
nbstat.nse
ncp-enum-users.nse
ncp-serverinfo.nse
nessus-brute.nse
netbus-auth-bypass.nse
netbus-brute.nse
netbus-info.nse
netbus-version.nse
nexpose-brute.nse
nfs-ls.nse
nfs-showmount.nse
nfs-statfs.nse
nping-brute.nse
nrpe-enum.nse
ntp-info.nse
ntp-monlist.nse
omp2-brute.nse
omp2-enum-targets.nse
openlookup-info.nse
openvas-otp-brute.nse
oracle-brute.nse
oracle-enum-users.nse
oracle-sid-brute.nse
ovs-agent-version.nse
p2p-conficker.nse
path-mtu.nse
pgsql-brute.nse
pjl-ready-message.nse
pop3-brute.nse
pop3-capabilities.nse
pptp-version.nse
qscan.nse
quake3-info.nse
quake3-master-getservers.nse
realvnc-auth-bypass.nse
resolveall.nse
reverse-index.nse
rexec-brute.nse
rlogin-brute.nse
rmi-dumpregistry.nse
rpcinfo.nse
rtsp-methods.nse
rtsp-url-brute.nse
script.db
servicetags.nse
sip-brute.nse
sip-enum-users.nse
skypev2-version.nse
smb-brute.nse
smb-check-vulns.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smbv2-enabled.nse
smtp-brute.nse
smtp-commands.nse
smtp-enum-users.nse
smtp-open-relay.nse
smtp-strangeport.nse
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse
sniffer-detect.nse
snmp-brute.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse
socks-open-proxy.nse
sql-injection.nse
ssh-hostkey.nse
ssh2-enum-algos.nse
sshv1.nse
ssl-cert.nse
ssl-enum-ciphers.nse
ssl-google-cert-catalog.nse
ssl-known-key.nse
sslv2.nse
stuxnet-detect.nse
svn-brute.nse
targets-ipv6-multicast-echo.nse
targets-ipv6-multicast-invalid-dst.nse
targets-ipv6-multicast-slaac.nse
targets-sniffer.nse
targets-traceroute.nse
telnet-brute.nse
telnet-encryption.nse
tftp-enum.nse
unusual-port.nse
upnp-info.nse
vnc-brute.nse
vnc-info.nse
vuze-dht-info.nse
wdb-version.nse
whois.nse
wsdd-discover.nse
x11-access.nse
xmpp-brute.nse
xmpp-info.nse
2011-10-22
Backtrack 5 on iPad1
Well, not exactly, but close enough. This weekend project just got really interesting. Who would ever think an innocent Apple iPad could be "pentesting" in a Starbucks? OK, I didn't actually run the proof of concept at a Starbucks, I did it in my personal sandbox. But in theory it can be done for "research" and for academic purposes. This actually started with just trying to get BT5 on my phone, a rooted Android. But after getting it to work and running it for a few hours, I got frustrated with the small text and the difficulty of entering text and special key strokes.
So, in its simplest form: fire up the VNC server on the Android, fire up a VNC client on the iPad (tablet), and remote control the Android. So let's light this firecracker...
Hardware:
1. Android Smart Phone (rooted): tested on AT&T HTC Inspire. Android Froyo with 8GB MicroSD.
2. Apple iPad: tested with iOS5. any working iPad will do or in this case any tablet device.
Software:
1. BackTrack 5 for Android: http://forum.xda-developers.com/showthread.php?t=1079898 - RTFM (google it if you don't know), follow the instructions on how to load it on your Android.
2. Terminal Emulator for Android: this is a must to get BT5 running. It has to run rooted. A simple "su" command at the "$" prompt will switch you to a root bash "#" prompt.
3. VNC for iPad: the free VNC lite will do. You do not need the VNC Viewer ($9.99).
Notes:
1. After you get BT5 running on Android, make sure your VNC server is running. If you forgot to activate it during the initial startup, just type "startvnc".
2. The usual default port for VNC is "5900"; for BT5 on Android it's "5901".
3. The default username and password are both "root".
4. Obviously, the iPad and the Android have to be on the same Wi-Fi network in the same subnet. Your "subjects" also have to be on the same Wi-Fi network. So, you might find yourself in a pissing contest with another pentester if you happen to run into one.
5. Caveat: You'll have a stealth appearance; nobody would suspect that an iPad can actually pentest, especially if you keep your Android in your bag or pocket. But you'll have 2 devices on an open network, with VNC listening on the Android and accepting the default "root" credentials from anyone on that network who reaches it! You'd better have a good grip on two operating systems, Android and iOS.
6. So you say, why not just use a laptop...?? True, I agree totally. But what's the fun in that? Plus, I really like travelling light.
7. This is really a proof of concept; if you can come up with a more creative way of using your BT5 on your Android, let me know.
Happy Hunting.
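Before pointing the iPad at the phone, it helps to confirm that what is listening on 5901 really is the VNC server (and, per note 5, that it is reachable from any client on the Wi-Fi). The snippet below is an added example, not part of the original post: it reads the RFB ProtocolVersion greeting a VNC server sends first ("RFB 003.008" followed by a newline) and reports the protocol version, rejecting anything that is not an RFB server. The live probe assumes nc(1) on the probing machine; the parsing functions run offline.

```shell
#!/bin/sh
# Added example (not from the original post): check that the Android side serves
# VNC on 5901 by reading the 12-byte RFB greeting, e.g. "RFB 003.008\n".
# Assumes nc(1) is available on the machine doing the probe.

# strip_zeros N: drop leading zeros without letting printf read "008" as octal
strip_zeros() {
    v=${1#"${1%%[!0]*}"}
    printf '%s' "${v:-0}"
}

# rfb_version GREETING: validate an RFB greeting and print "MAJOR.MINOR";
# exit 1 for anything that is not an RFB server (an HTTP banner, garbage, nothing)
rfb_version() {
    case $1 in
        "RFB "[0-9][0-9][0-9].[0-9][0-9][0-9]*) ;;
        *) return 1 ;;
    esac
    major=${1#"RFB "}
    major=${major%%.*}
    minor=${1#"RFB "???.}
    minor=$(printf '%s' "$minor" | cut -c1-3)
    printf '%s.%s\n' "$(strip_zeros "$major")" "$(strip_zeros "$minor")"
}

# vnc_probe HOST [PORT]: connect, read the greeting, report the protocol version.
# Default port is 5901, the one BT5 on Android uses (plain VNC would be 5900).
vnc_probe() {
    host=$1
    port=${2:-5901}
    greeting=$(nc -w 3 "$host" "$port" < /dev/null | head -c 12)
    if ver=$(rfb_version "$greeting"); then
        echo "$host:$port speaks RFB $ver (reachable from this Wi-Fi client)"
    else
        echo "$host:$port did not answer with an RFB greeting" >&2
        return 1
    fi
}
```

Run `vnc_probe <android-ip>` from the iPad's side of the network (any laptop on the same Wi-Fi will do); a successful answer is exactly the exposure note 5 warns about, since the RFB greeting is sent to anyone who connects, before any password is asked for.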
2011-08-25
Tor on BT5 (squeeze/sid)
Check your BT5 version: cat /etc/debian_version
You can also display the distribution version by: lsb_release -a
According to the author, the instructions are for the "squeeze" version of BT5.
C&P from http://www.binbert.com/blog/2011/06/how-to-install-tor-on-backtrack-5/
kudos to the writer; although I have not tested this myself, it looks good.
Tor is an open source anonymous Internet tool. It protects your personal identity from tracking systems by changing the source IP address frequently. The application will create many virtual tunnels through the Tor network.
By default Tor is not integrated in BackTrack 5. Why use Tor on BackTrack? Normally Tor is used to protect browsing security, but Tor can be used for network scanning tools and other information gathering tools; in my next article I will explain how to configure Tor for console applications.
Follow the installation steps:
Open the /etc/apt/sources.list file and add the following line
deb http://deb.torproject.org/torproject.org squeeze main
if you have "lucid", you can try to enter: deb http://deb.torproject.org/torproject.org lucid main
Open a command prompt and run the following commands
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy
After installing Privoxy, open /etc/privoxy/config and append the following line (the trailing "." is required: Privoxy's forward-socks4a directive takes three fields, and "." is its placeholder for "no HTTP parent proxy")
forward-socks4a / 127.0.0.1:9050 .
/etc/init.d/privoxy start
Configure your clients with IP address 127.0.0.1 and port 8118
To check if you are on the onion network, go to http://cmyip.com or http://www.whatismyip.com to know your current ip address.
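The same setup as a re-runnable script, added here as an example that is neither binbert.com's nor the original post's code. It adds two things the step list leaves implicit: configuration lines are appended only if they are not already present (so running it twice does not stack duplicate "deb" or "forward-socks4a" entries), and the result is verified against the Tor Project's check service (https://check.torproject.org/api/ip, which answers with JSON containing an "IsTor" field) rather than a plain what-is-my-IP page, which only shows an address and cannot tell you whether it belongs to a Tor exit. It assumes curl is installed; the setup function must run as root and is only invoked when the script is called with the argument "setup", so the helper functions can be tested without touching the system.

```shell
#!/bin/sh
# Added example (not from binbert.com or the original post): Tor + Privoxy setup
# for BT5 as an idempotent script with verification.
# Assumes curl; setup_tor_bt5 runs only when the script is invoked with "setup".

TOR_APT_LINE='deb http://deb.torproject.org/torproject.org squeeze main'
# Privoxy's forward-socks4a takes three fields: pattern, SOCKS proxy, HTTP parent;
# "." means no HTTP parent and the directive is rejected without it.
PRIVOXY_FORWARD_LINE='forward-socks4a / 127.0.0.1:9050 .'

# ensure_line FILE LINE: append LINE unless an identical line already exists
ensure_line() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# count_line FILE LINE: exact occurrences of LINE (shows ensure_line is idempotent)
count_line() {
    grep -cxF -- "$2" "$1" || true
}

# is_tor JSON: succeed if check.torproject.org's answer says the exit is a Tor node
is_tor() {
    printf '%s' "$1" | grep -q '"IsTor" *: *true'
}

# tor_check: fetch the check service's JSON through Privoxy on 127.0.0.1:8118
tor_check() {
    curl -s --proxy http://127.0.0.1:8118 https://check.torproject.org/api/ip
}

# listening PORT: is something bound to TCP PORT on this host? (netstat ships with BT5)
listening() {
    netstat -ltn 2>/dev/null | grep -q ":$1 "
}

setup_tor_bt5() {
    ensure_line /etc/apt/sources.list "$TOR_APT_LINE"
    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
    apt-get update
    apt-get install -y tor tor-geoipdb privoxy
    ensure_line /etc/privoxy/config "$PRIVOXY_FORWARD_LINE"
    /etc/init.d/tor restart
    /etc/init.d/privoxy restart
    listening 9050 || { echo "tor is not listening on 9050" >&2; return 1; }
    listening 8118 || { echo "privoxy is not listening on 8118" >&2; return 1; }
    answer=$(tor_check)
    if is_tor "$answer"; then
        echo "OK, traffic via 127.0.0.1:8118 exits through Tor: $answer"
    else
        echo "NOT on Tor: $answer" >&2
        return 1
    fi
}

if [ "${1:-}" = "setup" ]; then
    setup_tor_bt5
fi
```

Running `sh tor-bt5.sh setup` as root performs the install; the final check fails loudly if either daemon is down or the request still leaves through your own address, which is the case you most want to catch before pointing any tool at 8118.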
Labels: anonymous surfing, backtrack 5, onion server, proxy server, tor