DNSCrypt Install on Ubuntu 12.04

For Windows, DNSCrypt is a simple install from an executable file. For Linux, not so much. This guide is for installing DNSCrypt in Ubuntu 12.04 (x86_64). 

I found several sets of instructions on how to get this software working properly, but no single bullet-proof method. I pieced together parts from different instructions and came up with the simplest solution possible.

First, download the dnscrypt tarball from http://download.dnscrypt.org/dnscrypt-proxy/ . I found version 1.3.0 to work better, as I had some issues installing 1.3.1.

You will probably need the libsodium package too, which can be downloaded from https://download.libsodium.org/libsodium/releases/ . The latest version should work fine, and it must be installed first because dnscrypt-proxy links against it.

I also recommend installing the build-essential packages in case you’re missing compilers.

apt-get install build-essential

Untar the libsodium package and install it. Configure and build as a normal user; only the install step needs root, and ldconfig afterwards makes sure the newly installed shared library is found when dnscrypt-proxy starts.

tar -xvzf libsodium-0.4.2.tar.gz

cd libsodium-libsodium-0.4.2

./configure

make

sudo make install

sudo ldconfig

Do the same for the dnscrypt package

tar -xvzf dnscrypt-proxy-1.3.0.tar.gz

cd dnscrypt-proxy-1.3.0

./configure

make

sudo make install

You will need to make some changes to your DNS settings in the Connection Manager. Open it and Edit Connections. Find your connection (Wired/Wireless) and go to the IPv4 Settings tab. Change the method to 'Automatic (DHCP) addresses only' and enter the IP 127.0.0.2 in the DNS Servers box. In Ubuntu 12.04, a local DNS cache is already running on 127.0.0.1, so .2 is required.

In a terminal, issue the command:

sudo dnscrypt-proxy -a 127.0.0.2 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid --user=dnscrypt

The --user option makes dnscrypt-proxy drop root privileges to that account once it has bound port 53, so the dnscrypt user must exist before you run this (create it with adduser if it does not).

If successful, you should see something similar to the following. I’m using OpenDNS through my router so the 208.67.220.220 DNS server shows up.

[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1234567890 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is ……….
[INFO] Proxying from 127.0.0.2:53 to 208.67.220.220:443

A simple tcpdump will tell you if everything is working properly. If DNS requests are going out over port 443 as encrypted UDP packets, everything should be working; if traffic is still going out over port 53 and you can see the hosts being queried in the clear, something is wrong.

tcpdump -i eth0 port 443

Output should be similar to this:

20:22:02.070686 IP ubuntu.local.40117 > resolver2.opendns.com.https: UDP, length 324

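As an added check, not part of the original post: the script below reads tcpdump summary lines like the one above and reports any DNS query that left in the clear on UDP/53, alongside the count of datagrams that went to the resolver on UDP/443. The capture embedded in it is constructed, and it assumes tcpdump's default name-resolving output (port labels .domain and .https); adjust the patterns if you capture with -n.

```shell
#!/bin/sh
# Added example, not from the original post: classify tcpdump summary lines to
# confirm DNS leaves the host through dnscrypt-proxy (UDP/443) rather than as
# plaintext UDP/53. Feed the output of
#   tcpdump -i eth0 -l udp port 53 or udp port 443
# to dns_leak_verdict; the capture below is constructed for the demo.
# Assumes tcpdump's default name-resolving summary format, where port 53
# prints as ".domain" and port 443 as ".https" (with -n they print as numbers).

SAMPLE_CAPTURE='20:22:02.070686 IP ubuntu.local.40117 > resolver2.opendns.com.https: UDP, length 324
20:22:02.091120 IP resolver2.opendns.com.https > ubuntu.local.40117: UDP, length 260
20:22:07.410003 IP ubuntu.local.53120 > resolver1.opendns.com.domain: 4819+ A? example.com. (29)'

# plaintext_queries <capture>: print each name queried in the clear over
# port 53 (the token after the "A?"/"AAAA?" type field), one per line.
plaintext_queries() {
  printf '%s\n' "$1" | awk '
    / > [^ ]*\.(domain|53): / {
      for (i = 1; i <= NF; i++) if ($i ~ /\?$/) { print $(i + 1); break }
    }'
}

# dnscrypt_packets <capture>: count outbound UDP datagrams to a resolver's
# port 443, i.e. traffic that dnscrypt-proxy has wrapped.
dnscrypt_packets() {
  printf '%s\n' "$1" | grep -cE ' > [^ ]*\.(https|443): UDP' || true
}

# dns_leak_verdict <capture>: OK when no plaintext query was seen, LEAK otherwise.
dns_leak_verdict() {
  leaked=$(plaintext_queries "$1" | wc -l | tr -d ' ')
  if [ "$leaked" -gt 0 ]; then echo LEAK; else echo OK; fi
}

# Stand-alone run: report on the constructed capture.
echo "dnscrypt datagrams: $(dnscrypt_packets "$SAMPLE_CAPTURE")"
echo "plaintext queries:  $(plaintext_queries "$SAMPLE_CAPTURE" | tr '\n' ' ')"
echo "verdict: $(dns_leak_verdict "$SAMPLE_CAPTURE")"
```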


Ettercap Host Scan lockup Fix

This is a quick fix I ran across while trying to get Ettercap working. Ettercap comes installed by default on BackTrack 5 R2. By default, it also tends not to work and crashes after you launch the Host Scan.

Credit for the solution goes to this thread: http://www.backtrack-linux.org/forums/showthread.php?t=40562

First, remove the current version of Ettercap:

apt-get remove ettercap

Next download these builds of ettercap.

For BT5 32bit go to: https://launchpad.net/~timothy-redae…+build/1758139
For BT5 64bit go to: https://launchpad.net/~timothy-redae…+build/1758138

Download the 3 built .deb files and install them with dpkg:

dpkg -i ettercap-common_0.7.3-1.4ubuntu1drizzt1_i386.deb ettercap-gtk_0.7.3-1.4ubuntu1drizzt1_i386.deb ettercap_0.7.3-1.4ubuntu1drizzt1_i386.deb

Ettercap should now be available in the Backtrack menu under Applications > Internet > ettercap

This will prevent ettercap from crashing after the host scan.

Generate 10 Digit Phone Numbers using Crunch in Backtrack

Phone numbers are some of the most commonly used passwords for WEP/WPA encrypted wireless networks. Several ISPs use them as default passwords for their routers for easy-to-remember access. By creating a list of every possible phone number combination with a specific area code, generally your own area code, you get quick access to most wireless networks using a dictionary attack. Using crunch, built into BackTrack 5 R2, you can quickly generate every possible number combination beginning with a specified area code.

Applications > BackTrack > Privilege Escalation > Password Attacks > Offline Attacks > crunch

Use the following command

./crunch 10 10 -t 123%%%%%%% -o /root/123.txt

Explanation of the command: the two 10s are the minimum and maximum length in characters. The -t option lets you specify a pattern in which only the placeholder characters @,%^ change, in this case the %. The 123 is where the area code goes, followed by 7 % characters. The -o option names the output file, which can be saved anywhere; make sure to save it as a .txt file. This only takes a few seconds and will say 100% when finished. Now you can load these in Gerix and bruteforce WPA.

Note: Most cities have multiple area codes. To combine multiple files into one, just do 'cat 123.txt 456.txt 789.txt >> all.txt'

WEP Cracking in Backtrack 5 using Gerix

I’m creating several posts at once, and I’ll be adding screen shots shortly, bear with me.

Boot up to Backtrack 5 R2. You’ll need a laptop with a wireless card that supports monitor mode and packet injection.

Applications > BackTrack > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation > gerix-wifi-cracker-ng

Note: At the bottom of Gerix, you will see the current actions taking place, so if something goes wrong you can see exactly what it is.

With Gerix open, go to the Configuration Tab.

You should see your interface marked as wlan0. Select it, and click the button below labeled Enable/Disable Monitor Mode.  The card will now be in Monitor mode.

At this point, you can also click the Set random MAC address to spoof your MAC address.

Click on the interface labeled mon0 so it's highlighted. Underneath that, you will see a button to Rescan Networks. Click this to search for SSIDs.

Select the desired WEP network SSID.

Click the WEP tab. Click Start Sniffing and Logging. You should see the BSSID MAC loaded as well as the PWR (Signal Strength) and other data.  Keep this window open.

Click Performs a test of injection AP to ensure your card is able to inject packets. You will get a message stating “Injection is working!”. You can close this window.

For this demonstration we will use WEP Attacks (no-client). Click the button labeled as such.

Under Fragmentation attack, click Associate with AP using fake auth. In the bottom data viewer window, you will see it read “Fake authentication with mon0”

Click Fragmentation attack button. Once it finds a packet, it will prompt to “Use this packet ?” Type Y for yes.

Click Create the ARP packet to be injected on the victim access point.

Click Inject the created packet on victim access point. Type Y in this box also.  Keep this window open.

Go to the Cracking tab, and under WEP Cracking, click the Aircrack-ng - Decrypt WEP password button. You will be watching here for the number of IVs (got 10,000 IVs).

You will generally need about 10,000 - 20,000 IVs to decrypt the password, and sometimes less. This can take 30 seconds to a couple of minutes depending on the amount of wireless traffic. You can safely close this window, and click the button again to reopen it when it has enough IVs.

The key will be displayed in this window when complete.

VMWare Tools Install Ubuntu

With your virtual machine running, in the VMware menu, VM > Install VMware Tools.

Open a terminal in the virtual machine and do the following

# mkdir /mnt/cdrom; mount /dev/cdrom  /mnt/cdrom
# cp /mnt/cdrom/VMwareTools-<version>.tar.gz /tmp/
# cd /tmp/
# tar zxpf VMwareTools-<version>.tar.gz 
# cd vmware-tools-distrib/
# ./vmware-install.pl 
Accept default settings if you are unsure.

This should work on most VMs.

Run Google Chrome as root

In Backtrack, you are automatically logged in as the root user. If you try to install Google Chrome and run it, you get an error like this

Open a terminal and do the following

# gedit /usr/bin/google-chrome

This will open up gedit. Scroll to the very bottom of the script.

The last line will look like

exec -a "$0"  "$HERE/chrome"  "$@"

Add the following to the end, with a space after the closing quote

--user-data-dir

The resulting line should look as follows

exec -a "$0"  "$HERE/chrome"  "$@" --user-data-dir

Save and close.

Google Chrome will launch as root.

OSSEC Install on Ubuntu with WUI

What is OSSEC?

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

The installation instructions are a bit spread out on the OSSEC website and it took me awhile to figure everything out. So here you go, the work is done for you.  The following instructions are how to install the OSSEC, along with the OSSEC WUI (Web User Interface). OSSEC HIDS must be installed before OSSEC WUI.

Install build essentials

sudo apt-get install build-essential (try “build-essentials” if that doesn’t work)

Download
wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
wget http://www.ossec.net/files/ossec-hids-latest_sum.txt
md5sum ossec-hids-latest.tar.gz
sha1sum ossec-hids-latest.tar.gz
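The download step above prints the md5sum and sha1sum of the tarball but never compares them with the sum file (the WUI step later uses md5sum -c, which does). As an added example that is not part of the OSSEC project, the following shell function does that comparison; the layout of ossec-hids-latest_sum.txt is assumed rather than taken from the page, so it accepts both OpenSSL-style "MD5(file)= hex" lines and the "hex  file" lines md5sum itself emits.

```shell
#!/bin/sh
# Added example, not from the OSSEC project: check the downloaded tarball
# against the digests in the published sum file instead of printing
# md5sum/sha1sum output and comparing by eye. Usage:
#   verify_tarball ossec-hids-latest.tar.gz ossec-hids-latest_sum.txt
# The sum file's exact layout is assumed, not taken from the page, so the
# parser accepts both "MD5(file)= <hex>" and "<hex>  file" styles.

# hex_digests <sumfile> <length>: every lowercase hex token of exactly
# <length> characters in the file (32 for MD5, 40 for SHA1), one per line.
hex_digests() {
  tr -c 'A-Za-z0-9' '\n' < "$1" | tr 'A-F' 'a-f' | grep -E '^[0-9a-f]{'"$2"'}$'
}

# verify_tarball <tarball> <sumfile>: succeed only if the tarball's MD5 and
# SHA1 both appear in the sum file; a missing or mismatched digest fails.
verify_tarball() {
  tarball=$1
  sumfile=$2
  md5=$(md5sum "$tarball" | cut -d' ' -f1)
  sha1=$(sha1sum "$tarball" | cut -d' ' -f1)
  if ! hex_digests "$sumfile" 32 | grep -qx "$md5"; then
    echo "MD5 mismatch: $tarball is not the file described by $sumfile" >&2
    return 1
  fi
  if ! hex_digests "$sumfile" 40 | grep -qx "$sha1"; then
    echo "SHA1 mismatch: $tarball is not the file described by $sumfile" >&2
    return 1
  fi
  echo "OK: $tarball matches both digests in $sumfile"
}

# Stand-alone run: verify the two files named on the command line.
if [ "$#" -eq 2 ]; then
  verify_tarball "$1" "$2"
fi
```

Treat a mismatch as a reason to re-download rather than proceed; a truncated transfer and a tampered archive look the same from the digests alone.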

Extract and Install
tar -zxvf ossec-hids-*.tar.gz
cd ossec-hids-*
./install.sh

Start service
/var/ossec/bin/ossec-control start

Setup will prompt for setup preferences, just follow the on screen instructions and accept defaults if you aren't sure.
OSSEC will now be installed. Next you will install the OSSEC WUI which requires apache and php.

Install Apache
apt-get install apache2 libapache2-mod-php5
/etc/init.d/apache2 restart

Download
cd /var/www
wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
wget http://www.ossec.net/files/ui/ossec-wui-0.3-checksum.txt
md5sum -c ossec-wui-0.3-checksum.txt
sha1sum -c ossec-wui-0.3-checksum.txt

Install
tar -zxvf ossec-wui-0.3.tar.gz
mv ossec-wui-0.3 ossec
cd ossec
./setup.sh

Add www-data to ossec group
usermod -a -G ossec www-data
grep ossec /etc/group
It should look like this: 'ossec:x:1001:www-data'

Fix permissions on the tmp/ directory inside /var/www/ossec (you are still in that directory)
chmod 770 tmp/
chgrp www-data tmp/
apache2ctl restart

Now go to http://127.0.0.1/ossec/
If everything worked you should be presented with a web page.