The AP’s and controller were all setup ok, but for some reason the AP’s didn’t want to register via CAPWAP. I had one previous working AP (which after the fix I dunno how it managed to work) that had registered. Via CDP it showed that the working AP was running C1140-K9W8-M while the busted AP’s were all running C1140-RCVK9W8-M. The recovery image is supposed to become active when the main image fails to load so I thought it may have been an issue I needed to console in to fix. Luckily it wasn’t.

All AP’s received DHCP on the right VLAN and everything else was looking fine (ACL’s etc) it was just the registration phase that didn’t work. After talking with some other engineers we found the issue was as simple as the option 43 on DHCP. It had previously been set to an ASCII option instead of HEX. Even though the Cisco docs said to set it as a HEX TLV we had it working previously on ASCII. After we hit it back to HEX all the AP’s registered without any problem.

I considered all of the 13″ ulv models from where I’m from and the VT definitely stood out as the best value for money. Considering it has a dual core supporting vt-x extensions and 4bg of RAM I thought it would be great to run Backtrack 4 in a VM.

When I got everything installed and configured, I ran up my Alfa AWUS036H wireless USB adapter but started seeing some issues with it running under VM. There were certain circumstances in which the adapter would freeze and require a replug to fix, and then when it worked got poor performance with packet injection.

So I decided to do a proper HDD install of BT4. For this I have a 500gb external Seagate HDD that I bought for BT4 to hold some rainbow tabled on.

I ran into heaps of problems using the install.sh script from bt to install to a local harddisk. I kept receiving grub error 2 errors regardless of what I did and where I installed it to. After trying to sort through manually installing grub I kept getting grub error 15’s.

I trolled through massive amounts of forum posts trying to get the thing to work but everything I tried failed. Finally though I stumbled across a post on the Backtrack forums about setting up BT4PF to HDD referencing the Backtrack perfect install doco.

Regardless of it being written for BT4PF everything worked perfectly and I now have BT4 running on my external usb hdd on my ul30vt. Heres the details about how its done and the original thread for reference:

Perfect install: http://www.offensive-security.com/documentation/bt4install.pdf

Create new partitions

root@bt:~# fdisk /dev/sdb <-- NOTE this was the device node of my external usb hdd and it may be different for yours.
The number of cylinders for this disk is set to 1044.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1044, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1044, default 1044): +128M <-- NOTE: I had issues with partition size and space at 128mb, currently mine is running at +1G for future kernels etc.
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (10-1044, default 10):
Using default value 10
Last cylinder, +cylinders or +size{K,M,G} (10-1044, default 1044): +1024M <-- NOTE: this is the size of your swap space, seeing as I have 4GB of RAM, to make it easy I set the swap at +10G.
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (142-1044, default 142):
Using default value 142
Last cylinder, +cylinders or +size{K,M,G} (142-1044, default 1044): <-- NOTE: the default is the remainder of the disk and should have sufficient size for all the OS and BT files + any extra files you want to keep.
Using default value 1044
Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 82
Changed system type of partition 2 to 82 (Linux swap / Solaris)
Command (m for help): a
Partition number (1-4): 1
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
root@bt:~#

Format Partitions

 NOTE: the /dev/sdb device node was for my external usb hdd and may be different to yours.
root@bt:~# mke2fs /dev/sdb1
root@bt:~# mkswap /dev/sdb2
root@bt:~# swapon /dev/sdb2
root@bt:~# mkreiserfs /dev/sdb3

Mount and copy files

root@bt:~# mkdir /mnt/bt4
root@bt:~# mount /dev/sda3 /mnt/bt4/
root@bt:~# mkdir /mnt/bt4/boot
root@bt:~# mount /dev/sda1 /mnt/bt4/boot
root@bt:~# cp --preserve -R /{bin,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt4/
root@bt:~# mkdir /mnt/bt4/{dev,mnt,tmp,proc,sys}
root@bt:~# mount -t proc proc /mnt/bt4/proc/
root@bt:~# mount -o bind /dev /mnt/bt4/dev/

Copy the splash screen

root@bt:~# cd /media/cdrom0/boot
root@bt:~# cp --preserve -R {bootsplash,vmlinuz,initrd.gz} /mnt/bt4/boot/

Configure GRUB

root@bt:~# chroot /mnt/bt4/ /bin/bash

root@bt:~# nano /boot/grub/menu.lst
timeout 5 #The number of seconds GRUB should wait before booting an OS
default 0 #The entry which should be booted by default
fallback 1 #The entry which should be booted in the event of the first one failing

splashimage=(hd0,0)/grub/bt4.xpm.gz

# This is an example of using a separate partition for /boot
title              BT4
root              (hd0,0)				# Boot Partition
kernel            /vmlinuz root=/dev/sda3 rw vga=0x317
initrd            /initrd.gz

root@bt:~# grub
grub> find /grub/stage1
    (hd1,0) <-- NOTE: this was the return by GRUB for my external usb hdd and may be different for yours. Same as the following commands.
grub> root (hd1,0)
grub> setup (hd1)
grub> quit

Original thread: http://backtrack-linux.org/forums/old-backtrack-4-howto/20281.htm

I  wrote the original software by hand directly in PHP/CSS in haste during my last course holidays, it was never properly finished and was probably filled with SQL holes (:o!)

Yeah, so anyway, Wordpress now.

Not saving conversation media file because either forward or reverse media not received.

This caused ucsniff to only generate a forward wave file.

I looked around for a solution, but it was already built into ucsniff.

One of the problems with this new UCSniff feature is that it is ineffective against intercepting any Skinny messages from the phone to the network. This is because the IP Phone ARPs for its remote IP gateway when it boots up and registers for the first time, and any subsequent spoofed ARP packets are ineffective.

All we have to do is run:

ucsniff -i eth0.20 --tftpm -T -D

One thing that I observed was that –tftpm would only be correctly applied in targeted mode. Even though we can target using the ettercap options /x/ // it still wouldnt work.

When it works properly it will show:

Receiving SEP CNF XML file via TFTP MitM attack
Modified the GARP Setting to GARP Enabled
UCSniff running GARP Disablement bypass flood for IP Phone xxxx

You can still target a single host MitM without ARPing the whole VLAN by generating a targets.txt file.

I may make a basic bash script and post it for generating a targets.txt file, but its easily hand editable and would show something like:

XXXX.XXXX.XXXX.XXXX,ext,name,sccp

Previously I gave instructions on running BT3 on a USB with persistence, this worked great on the EEE, however I ran into problems when running voiphopper. The EEE complained about not being able to add the VLAN interface to eth0 and therefore vlanhopping would not work.

ERROR: trying to add VLAN # to IF -:eth0:- error: Invalid argument

I did the usual and modprobed 8021q, checked other dependencies etc but it wouldnt go. The 701 runs an Attansic L2 card and in linux runs under the atl2 driver, so I did some research and found mixed reports on the net about VLAN tagging not being supported on the atl2. After no luck I even contemplated buying a newer netbook with supported hardware.

I’ve got another persitent distro, Ubuntu Netbook Remix, so I decided to test that as the atl2 drivers are built into the kernel and have changed recently. Long story short, VLAN tagging worked in UNR.

I tried to find newer atl2 drivers and load them manually into BT3, but couldnt find any readily and couldnt really be bothered searching too hard. I downloaded BT4 and made another persistent usb drive. Due to the newer Debian kernel used in BT4, VLAN tagging worked without a problem.

VLAN tagging and therefore voiphopper now worked. Next intercepting SCCP conversations. In my previous testing I was using UCsniff 2.4 to record SCCP conversations via ARP poisoning (MitM). This worked infrequently, and in my production environment (Clustered Cisco Call Manager 4.2(sr3a)) complained about GARP being disabled and that it would not record the conversation. Since then i’ve been hanging out for UCSniff 3.0 which was due to be released on the 24/10/09. They released it early!

Another long story short, UCSniff 3.0 works under BT4 under an EEE 701 and happily records SCCP from CCM4.2.

Happy days!

I’ve yet to test packet injection on BT4, but dont expect too many problems with this.

Heres a step by step of the processes involved.

Create persistent BT4 on USB
Followed the directions outlined here:

• http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus

VLAN Support + VLAN Hopping

Firstly modprobe to enable VLAN tagging in the environment

modprobe 8021q

Connect to a cisco switchport with a similar switch config

switchport mode access
switchport access vlan 10
switchport voice vlan 20

Try VLAN hopping with voiphopper

voiphopper -i eth0 -c 0

Download and compile UCSniff 3.0
Download UCSniff here:

• http://ucsniff.sourceforge.net/

Compiling

tar zxvf ucsniff-3.01.tar.gz
cd ucsniff-3.01
./configure
make
make install

MiTM SCCP
To record all SCCP conversations on the voice VLAN

ucsniff -i eth0.20 --garpdb // //

Or to target a particular IP phone, without enumerating the targets on the voice VLAN first

ucsniff -i eth0.20 --garpdb /XXXX.XXXX.XXXX.XXXX/ //

Finally play back the file from the commandline

play filename.mp3

The details which I posted here 12months ago works perfectly again. One extra thing to note is after applying the change to the Windows taskbar time, the 797X’s will change their time automatically, the other phones wont though.

In order to force them to update their time, you will need to reset the devices from the Date/Time group.

Hope this helps

Heres a pretty simple guide to getting the 701 up and running with a persistent Backtrack 3 on usb, fingerprinting with Kismet and cracking WEP with wesside-ng.

Firstly I followed the persistent usb details outlined at:

• http://forums.remote-exploit.org/tutorials-guides/14486-bt3-usb-persistent-changes-using-linux.html

Secondly for each time you want to inject packets or use kismet run the following:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

To run kismet, you will have to modify the following file. If you’re running BT3 live without persistence you will have to do this every time.

Edit /usr/local/etc/kismet.conf and change source to:

source=madwifi_g,wifi0,wifi0

Finally, I wont record another WEP video like every other person on the net – just run the following to find the bssid mac of the AP (from kismet):

wesside -i ath0 -v MAC

Next I plan on running easside-ng for those networks where something doesn’t go right (occasional). Ill throw the details up for that when I’ve done it.

When doing a debug ccsip all, it appeared that I wasn’t receiveing a SIP INVITE, and that I would constantly throw out REGISTER’s but not hear anything back.

Yesterday I started thinking that maybe there was a something in my firewall ACL that was blocking the connection, but when I looked at it i couldn’t see anything wrong with it. I decided to add permit tcp any any eq 5060 just to make sure things were happening, and then I saw this response:

10 permit tcp any any eq 5060 (18 matches)

So things were happening but something still wasnt right.

I had spent most of the day looking over the config and trying different solutions around the net but nothing helped. This morning I decided to revisit the config and started with the ACL’s. Then I noticed this.

240 deny udp any any eq 1024 (128 matches)

I had borrowed an ACL from our work access layer switches, designed to filter out commonly used virus ports and this was one of the entries. It looked like the SIP response from iiNet was replying on udp port 1024 for the INVITE message which was of course blocked. As soon as I removed this registration went straight through and calls started routing.

Hope this helps saves the headaches that i had.

I have had some problems finding the initialisation commands for Vodafone in Australia.

Here is the process.

Installing the Blackberry Storm will install 3 modems:
- Standard 33600 bps Modem
- Standard 33600 bps Modem #2
- Standard Modem

Leave the first two alone, but under the standard modem in the advanced properties, enter

+cgdcont=,,"vfinternet.au"

Next create a new manual internet connection and when it asks for a password enter *99# and do not enter any username or password

Open up the Blackberry Desktop Manager, connect to the new connection and away you go

I have been toying with the idea of setting up SNORT and managed AV and found this at the beginning of the tutorial.

“Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia” ~ Pete Granger

This quote so easily spells out the best approach IT security.

Genius.