You need to add the correct repositories to /etc/apt/sources.list and then add the correct GPG keys. It's pretty quick and easy. I'm surprised I never blogged this yet. So what you want to do is go to this page and get the repository information.
http://docs.kali.org/general-use/kali-linux-sources-list-repositories
In a console run this:
gpg --recv-keys AED4B06F473041FA
gpg -a --export AED4B06F473041FA | sudo apt-key add -
or maybe this:
gpg --keyserver pgpkeys.mit.edu --recv-key AED4B06F473041FA
gpg -a --export AED4B06F473041FA | sudo apt-key add -
Then update and upgrade:
apt-get update
apt-get upgrade
or apt-get dist-upgrade
This should resolve the problem with the repositories. Sometimes there is a problem with apt configuration when you install the system without a network connection. This happens with pretty much any Debian-based Linux. If you install the system with an Ethernet cable plugged in and use the software mirrors option to install all of the software, everything will usually install correctly. I used to have this problem with Ubuntu all the time.
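The recv-keys commands above pick a key by its 64-bit ID, which is only the tail of the fingerprint, so the full fingerprint should be compared with one published by the distribution before the key is piped to apt-key. The script below is an added example, not part of the original post: primary_fingerprint, verify_key, the pinned fingerprint and both key listings are constructed for illustration, and the pin is not the real fingerprint of this key.

```shell
#!/bin/sh
# Added example: pin the full fingerprint of a key fetched by ID before
# handing it to apt. Function names and sample data are hypothetical.

# Long key ID used in the commands above (taken from the page).
KEY_ID="AED4B06F473041FA"

# CONSTRUCTED pin for the demo. It is NOT the real fingerprint of this key;
# replace it with the fingerprint published by the distribution.
PINNED_FPR="0123 4567 89AB CDEF 0123 4567 AED4 B06F 4730 41FA"

# CONSTRUCTED stand-in for: gpg --with-colons --fingerprint "$KEY_ID"
sample_colons() {
cat <<'EOF'
pub:-:4096:1:AED4B06F473041FA:1400000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF01234567AED4B06F473041FA:
uid:-::::1400000000::::Constructed Example Archive Key <key@example.invalid>:
sub:-:4096:1:1111111111111111:1400000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981111111111111111:
EOF
}

# CONSTRUCTED look-alike: same 64-bit key ID, different key material.
lookalike_colons() {
cat <<'EOF'
pub:-:4096:1:AED4B06F473041FA:1400000001:::-:::scSC:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFAED4B06F473041FA:
uid:-::::1400000001::::Constructed Look-alike Key <key@example.invalid>:
EOF
}

# Print the primary-key fingerprint for key ID $1 from a colon listing on
# stdin. Subkey fingerprints (the fpr line after a sub record) are skipped.
primary_fingerprint() {
  awk -F: -v id="$1" '
    $1 == "pub" { want = (toupper($5) == toupper(id)); next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print toupper($10); exit }
  '
}

# verify_key KEY_ID PINNED_FINGERPRINT  (colon listing on stdin)
# Prints the fingerprint and returns 0 only when it equals the pin.
# Returns 1 on mismatch, 2 on an unusable pin, 3 if the key is not listed.
verify_key() {
  vk_id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  vk_expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  # The pin must be a full 40-hex-digit fingerprint, never a key ID.
  case "$vk_expected" in
    *[!0-9A-F]*) echo "pin contains non-hex characters" >&2; return 2 ;;
  esac
  [ "${#vk_expected}" -eq 40 ] || { echo "pin is not a full fingerprint" >&2; return 2; }
  vk_actual=$(primary_fingerprint "$vk_id")
  [ -n "$vk_actual" ] || { echo "key $vk_id not found in listing" >&2; return 3; }
  if [ "$vk_actual" != "$vk_expected" ]; then
    echo "fingerprint mismatch for $vk_id: got $vk_actual" >&2
    return 1
  fi
  printf '%s\n' "$vk_actual"
}

# Demo on the constructed listings.
if sample_colons | verify_key "$KEY_ID" "$PINNED_FPR" >/dev/null; then
  echo "sample key: fingerprint matches pin, ok to export to apt"
fi
if ! lookalike_colons | verify_key "$KEY_ID" "$PINNED_FPR" >/dev/null 2>&1; then
  echo "look-alike key: same key ID, wrong fingerprint, refused"
fi
```

On a real system the listing would come from gpg --with-colons --fingerprint followed by the key ID, and the export to apt-key would run only when verify_key returns 0.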
Sunday, July 27, 2014
Installing Linux Software Notes
Here's my thing with Linux software installation. First I try apt-get to install it. Syntax is apt-get install <package name>
If that doesn't work I use apt-cache search <package name>
Or I'll try Software Center: open a terminal and type software-center. The graphical installer will open if it is installed; if not, run apt-get install software-center. If the programs are not available through Software Center, use Synaptic. Open a terminal and type synaptic. If it is not installed, type apt-get install synaptic, then run it. Search for your package and install it. Most of the time it will automatically install dependencies. If this fails, there's always downloading the tarball: tar xvf <package>, cd into the package directory and then into the source directory, and chmod 755 ./configure to make the configure script executable. Then run ./configure, then make, then make install. Qt installers are a little different, as is running qmake or cmake. The stuff can get confusing quickly. Make sure to read the install instructions, which you probably won't understand from the get-go. Google search for the install instructions with valid command line syntax examples. As a last resort, use something like alien to convert rpm to deb or something stupid like that. Generally, if it is a .deb package it will install with dpkg -i <package>, but if it needs dependencies you'll have to track those down.
If people are talking about having installed the program and used it, ask them to post their command line history; that is about the easiest way to get install instructions. Open a terminal and issue history; it should show the last 500 things you did in the terminal.
If a program doesn't install after a few hours of trying just about everything, email the developer. Most people are pretty approachable and they want their software to be easy to use. It beats posting your question on a Linux forum where you are likely to get flamed and not have your question answered at all.
WPScan
I saw this tool as being fairly useful for evaluating WordPress security. It's a tool that many web publishers could probably use by themselves. But really if people took any interest in security they would not be using WP. If you visit the black hat forums there's a zero day exploit for some WordPress plugin nearly every day. While WordPress is fairly secure as a standalone script, most of the plugins are not very well tested. Many are vulnerable to SQL injection or cross site scripting. But that's another story. I found this video tutorial for WPScan entertaining.
Here's the official site: WPScan. It's pretty easy to install. There are install instructions for just about every platform.
This video gives a more realistic impression of brute forcing than others. Notice the tester fails to find the password. This is usually the case. If you pick a strong password you are less likely to be brute forced due to the amount of time it takes to run the authentication requests against the web login. If you pick a long password with special characters and numbers along with upper and lowercase letters, it's a lot better than a simple dictionary word. Dictionary words are just that, dictionary words. Dictionary words and permutations are subject to dictionary attacks. Words not in the dictionary are less likely to get found. With a better dictionary file the attacker may have been successful.
Monday, July 7, 2014
Google It | Rant about Google search results
I'm just going to rant for a minute about Google search results. In 2012 I could find just about anything I wanted by searching for it on Google. I could find a tutorial for a certain type of software by searching for the software version and what I was trying to accomplish. Now I can find basically nothing. The main problem with search engines is that they have a huge index of older sites that are trusted and well established. Older sites have more backlinks and have better rankings on search engines. Link popularity is still a pretty big factor for search engine ranking algorithms. The main problem with this is when you are trying to look up something that is up to date like software tutorials or, even worse, trying to look up code examples with valid syntax for the current version of a programming language on the off chance you actually have to code something yourself. I'm very annoyed when I look up some code examples on Google and I find forum posts from 2003-2007 because those posts are the posts with link popularity or whatever. There's nothing worse than following a tutorial to the letter and having a syntax error and then looking things up and not knowing how to fix it. Hours later I have a working program that does what I want. It's annoying. You know what's more annoying than that? When people say "Google it".
"Google it" is what every person who doesn't know the answer says instead of admitting they really don't know the answer. I'm asking questions on a forum because I've searched on Google and I can't find the answer to my question. Yeah, SORRY FOR NOT READING THE ENTIRE MYSQL MANUAL COVER TO COVER. IT'S OVER 5000 PAGES. I have better things to do. I just need to make this one little thing work. I don't need a database administrator certificate. I just need to know something simple like loading data into a table from a text file or converting a table to XML or converting Excel files to XML or creating two tables from one.
Here's the other thing that jerks my chain about search results. I'm finding a huge number of forum posts when I search for things on Google. The problem is that they are unanswered questions. You know what forum post should be right there at the top of the search results? I'll give you a hint. THE POST WITH THE ANSWER TO MY QUESTION! You know what's even more annoying than finding an unanswered bulletin board question? Finding a bulletin board question that is answered with GOOGLE IT! YOU HAVE TO BE KIDDING ME! If I could find what I was looking for on Google I wouldn't be asking about it on a forum. And by answering a forum post with "Google it" you are creating yet another page that will show up in the search results that has the answer "Google it" instead of an intelligent response. That's great!
It's funny, search engine results are about the same quality they were in 2003. It's like every improvement made in search engine technology was just nullified in one shot with whatever update Google made in August of 2013. I can't find anything I look for on Google.
The more annoying thing is when I look up something in astronomy like caput draconis. I'm looking for an article about the nodal cycle of the moon, not a YouTube video from some crappy band, a video game, Harry Potter, and certainly not forum posts from username: caput draconis.
I have no problem finding celebrities and movies. It's funny when a movie comes along that has the same name as something in physics. When I Google search something like event horizon I find 5 of the first ten results are about the movie Event Horizon and the other 5 are about black holes. OK, I found what I'm looking for.
I've come full circle. Google used to be an easy way to look up information I wanted. Now it's like searching the card catalog at the library. You know that feeling you get when the library book you want was checked out and never returned or somebody had stolen it? That's what Google search is becoming. So I'm back to reading 600-1200 page non-fiction books on a fairly regular basis. The days of easy searching are over. Unless you want funny pictures of cats or something equally useless.
The open source community needs a search engine with human moderated results. Computer algorithms can't judge the information content of an article; all they can do is check spelling and markup and measure keyword density and link popularity. Sorry, there are just too many spammy pages and otherwise useless content showing up on search engines these days. It needs quality control. And not the kind of technocrat elitists that run DMOZ and not the kind of fake popularity gauges you find on sites like Digg where the results are easily manipulated by hundreds of thousands of sock puppet accounts voting for whatever articles the account owners want to be on top.
Sunday, July 6, 2014
How to fix virtualbox on Kali Linux
If you like Kali you've probably installed it as your primary operating system. I like it. It's stable. It's fun. I wanted to set up some virtual machines for penetration testing. If you have problems running Virtualbox on Kali here's how to fix them.
Open a terminal window and issue the following commands:
apt-get remove virtualbox
apt-get update
Now download the latest version of Virtualbox. While you're there, get the VM Virtualbox Extension Pack.
Now cd to whatever your download directory is and issue the command to install with dpkg. Example syntax:
dpkg -i virtualbox-4.3_4.3.12-93733~Debian~wheezy_amd64.deb
Then I downloaded the extension from the same page and installed it by double clicking.
Once you have installed Virtualbox, go ahead and install the extension pack by double clicking it. And there you have it. Working Virtualbox.
Thanks to Cyba Freez for this solution.
Tuesday, July 1, 2014
2014 The Most Popular Penetration Testing Distributions and what I think about them.
Kali Linux
Kali is probably the best penetration testing distribution out there. It's very stable and has just about every penetration testing tool you could ever want.
It's easy to install if you have a wired connection but has some issues installing over a wireless network. If you connect to an open wireless network the installer will work just fine but if you try installing on a WPA protected access point it will fail to exchange keys and your installation will fail.
Kali is a huge improvement over Backtrack 5r3 because it is Debian based rather than Ubuntu based. There is a lot more upstream support. Kali has a forum. But pretty much like any Linux forum there are a bunch of people on there who think they are smarter than you but say "Google it". So Google it first. Do a little bit of reading so you can converse intelligently on the subject you are asking about. Otherwise you are going to get flamed. That's how Linux forums work.
Parrot Security OS
Parrot is based on Kali and has a really cool desktop. It will install over a protected wireless network. Flash doesn't work and for the life of me I can't seem to get it to work. Which kinda sucks if you want to watch video tutorials about the tools included in the distro. But since Parrot is Kali based I'm familiar with most of the tools I want to use. All in all it's pretty useful. The printscreen button won't work so you have to install something like Shutter to take screenshots. It's pretty good and the community seems to be working hard to fix the bugs. I know I am. This is a really cool distribution so I'd like to see it grow. The support forums are in Italian but there are some Facebook pages and groups where you can get support in English.
Bugtraq
Bugtraq has an Ubuntu based version and a Debian based version. It comes with some fun stuff like RATs, trojans, and botnets. It also has an array of digital forensics tools along with things you have probably come to expect in a pentest distro.
Nodezero and Caine are also worth mentioning here but I haven't got around to reviewing them exclusively.
Distros I don't recommend but I'll give you the opportunity to check them out for yourself:
Backbox, Blackbuntu, Samurai Web Testing Framework, Knoppix STD, Pentoo, Weakerthan, Matriux, Deft, and BlackArch.
Easily reinstall all of your favorite programs with APTonCD
APTonCD is a really fast and easy way to back up your installed software for Debian based Linux distributions. To install, simply issue the following command in a terminal:
apt-get install aptoncd
To run APTonCD simply type:
aptoncd
APTonCD has a nice graphical user interface that allows you to select the packages you want and create an ISO. You can burn this to a CD or DVD for later use. If you want to restore your packages from a previous installation, simply run aptoncd and click the restore button. Now select the packages you want to install. It's that easy.
You can make some bitcoin/altcoin by referring friends to qoinpro
You can make some bitcoin, feathercoin, dogecoin by referring people to this site, qoinpro. They pay daily and the more people you sign up the more you get. You get a % of what the people you sign up earn. It's pretty sick really if you can sign up a lot of people. Try it out.
A little bit about me
I started in web design and publishing in 2003. I created my first website with freewebs.com (now webs.com). It was a toy camera photo gallery. I scanned my 35mm photos and published them on the website. I started marketing the site seriously in 2004 and by 2005 the site was receiving over 100,000 visitors per month and on its best month received 595,000+ pageviews. I did a great deal of SEO work on the site and it started to show up on Google for searches like "Oregon Photographs". The site hovered around 100,000 on Alexa with jumps to about 40,000 on good days. I was able to build a strong PR5 on Google with something like 35,000 backlinks. I realized I was kinda good at this SEO stuff and started building new sites to sell link space to SEO firms for profit. This was a nice part time income. If I had it to do over again I would have kept doing web publishing instead of getting back into construction.
In 2006 I played a nice little prank on Google and made my site rank #1 for "The most visited site on the internet". Just to prove that search engine rankings are prone to manipulation. While Google cleaned up the search engine algorithms since then and it's a lot harder to spam your way to the top of the SERPs, it is still possible to create an organic presence through SEO best practices (honest hard work). I've done a lot of work for non-profits and small business startups over the last 5 years. Most of it I have not been paid for. I worked in skilled labor fields from 2006 to 2010 and kept web publishing as a hobby.
In 2011 I found myself unemployed and I needed something to pass the time until I found full time work again. I decided to take up computer programming. It was by chance: I was searching through some videos on YouTube for clips from the movie Basic when I found a series of BASIC tutorials. I decided to learn how to program in BASIC. I downloaded QB64 which is a fully C++ compatible BASIC compiler. It's basically an open source clone of Microsoft QuickBASIC. Anyhow I worked my way through the tutorial series and learned what there was to learn there. I then turned my attention to Visual BASIC 2010 and learned that. I was spending a good deal of time online and I became a target for hackers for whatever reason. My system was PDoS'd several times. During the next several months I started learning about security topics. I started learning the Linux operating system. I bought an older computer at a thrift store for $11, hard drive not included. I installed the hard drive and downloaded and installed Ubuntu 10.04 and started learning Ubuntu. Shortly after I bought a new laptop and installed Ubuntu on my old laptop as well. I had no idea what I was doing for the first several months and honestly I didn't even know how to connect it to the internet. I had some shitty Broadcom chipset for which the drivers were not included. I had to figure out how to install the drivers. I read through Linux For Dummies. I highly recommend reading through the For Dummies books if you don't know anything about a subject. After that I read through a programming manual for Linux. Then I started reading administration related books. At this point I started to have a clue what I was doing with computers.
In 2012 I had my last negative experience with Windows. My Windows 7 laptop crashed and I had no way of recovering my data. I knew enough about Linux to install and run it as my primary operating system. I haven't gone back. I still fix Windows PCs for friends. But I don't use Windows anymore. Honestly I don't miss Adobe Photoshop or Visual Studio enough to use Windows. At that point I was still programming as a hobby. There was one BASIC compiler for Linux but it was a pain in the ass to track down all of the dependencies to make it work. So after spending an entire weekend trying to install it I shelved BASIC and started learning C++. I worked my way through about 70 tutorials and realized I needed to learn some networking related stuff. I found some really good sockets programming tutorials in Java so I went ahead and learned Java.
By summer of 2012 I had started learning to hack. It mostly stemmed from curiosity. I wanted to see if my wireless router was as secure as the installer told me it was. It wasn't. I downloaded a copy of Backtrack 5r2 and a script called wifite.py and proceeded to own the wireless access point in a little over an hour. I started learning the aircrack tool suite and tools like reaver wps. It wasn't very long before I was pretty good at hacking wireless routers. I figured out how to make them more secure in the process. This is the important thing. The hacking part is more a fun byproduct of curiosity about information security related topics.
In spring of 2013 I started working with a startup information security firm. We had a nice little penetration testing lab where we worked on a lot of wireless auditing. Then I went back to college for a bit. I got bored of that and decided to travel.