Install wepbuster BT5

Open a terminal.

Then run sudo nano and paste in the following code:

# download wepbuster from google code. ATOF, latest release is 1.0 beta 0.7
wget -O wepbuster.tgz

# install wepbuster (unpacks into /pentest/wireless/wepbuster-<version>)
tar xzf wepbuster.tgz -C /pentest/wireless

# source on how to install CPAN:

# CPAN uses these two for fetching modules
apt-get install lynx
apt-get install ncftp

# install the Perl modules wepbuster needs. The original post typed these into the
# interactive CPAN shell ("cpan> install Expect" ... "cpan> quit"); the
# non-interactive cpan command below installs the same modules and can run from
# this script.
cpan Expect File::Slurp Number::Range Algorithm::Permute

# create shortcut: rename the versioned directory and put the script on the PATH
mv /pentest/wireless/wepbuster* /pentest/wireless/wepbuster
ln -s /pentest/wireless/wepbuster/wepbuster /usr/bin/wepbuster

# launch wepbuster



Then press Ctrl+X and save it.

Give the file execution rights with sudo chmod +x.

Then run the file with ./

or with sudo sh

Have fun.

New Hashkill Released

Hashkill 0.3.1
Hashkill is an open-source hash cracker for Linux that uses OpenSSL. It currently supports several attack methods (dictionary, bruteforce, hybrid) and has 31 plugins for different types of hashes (md5, sha1, phpbb3, mysql, md5 (unix), des (unix), sha (unix), vbulletin, smf, etc.). It is multithreaded and supports session save/restore.
Download here

BT5-scripts Wordlist Creation/Combination/Manipulation/Analysis!


Originally designed as a word list creation tool, thad0ctor's BT5 Toolkit has become an all-purpose security script that simplifies many Backtrack 5 functions to help pentesters strengthen their systems.

The backbone of thad0ctor's Backtrack 5 Toolkit is the Wordlist Toolkit, which contains a plethora of tools to create, modify and manipulate word lists so that end users can strengthen their systems by testing their passwords against a variety of tools designed to expose their passphrases. In short, it is the ultimate tool for those looking to make a wide variety of word lists for dictionary-based and other brute-force attacks.

The toolkit is designed with usability in mind for the Backtrack 5 R2 Linux distro but will also work on BT5 R1 and other Ubuntu-based distros if configured properly. The script is updated frequently with new features and improvements in order to provide full-spectrum wordlist creation capabilities.

Download here


Use Crunch to Create Wordlists For bruteforce WPA/

That one crunch command line seems simple enough, yet once you check the estimated size of the wordlist it would create
you will definitely think twice about creating, saving and using it...

The size of the wordlist can be calculated as follows;

(x^y) * (y+1) = size in bytes
x = the number of characters in the character set used to create the wordlist
y = the length of the words/passphrases in the wordlist (the +1 is the newline that ends each line)

Based on the above example, we have 10 possible numeric values and 6 possible alpha values,
so 16 characters in total, and we want to calculate based on a wordlist wherein the passphrases have 8 characters.
To calculate what the size would be in konsole we can use "bc";

echo "(16^8)*(8+1)" | bc

Or we can even just type (16^8)*(8+1) into google
and it will return the same result: 38654705664 bytes.

Converting that to KB / MB / GB: since 16^8 = 2^32, the total is 9 * 2^32 bytes = 36 * 2^30 bytes, i.e. exactly 36 GB in 1024-based units (roughly 38.7 GB in decimal units).

That's quite a lot...

I put together a (very!) simple script to quickly check what kind of size one is looking at when thinking of creating a wordlist with the same min/max length in crunch;




After saving it to your /root/ directory for instance, just run it by entering;


You need to enter;
> the number of characters to be used when creating the wordlist (using the above example; 16)
> the length of the words/passphrases in the wordlist (using the above example; 8)

You can't choose to check what the results would be with fixed patterns or other variables (have to leave the hard stuff like that to the pros!) but it is still an eye-opener to see the sizes involved with a 'simple' wordlist.

The result will show you the expected number of words/passphrases in the wordlist along with the estimated
file size in bytes / kilobytes / megabytes / gigabytes / terabytes / petabytes.

Just a bit of fun and possibly handy to have in your crunch directory for reference 😉

Please comment if I messed up on the calculations anywhere..
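Here is an added example of such a size estimator, written for this post rather than taken from it (the original script is not reproduced on the page). It generalises the formula above to a min..max length range, which is what crunch produces when the two differ, by adding (x^y)*(y+1) for each length y, and it reports the total in 1024-based units. It assumes a POSIX sh with 64-bit integer arithmetic, which any 64-bit Linux provides:

```shell
#!/bin/sh
# wordlist_size.sh: estimate what a crunch run would produce before running it.
# Added illustration for this post, not the author's script.
#
# For a character set of x symbols and passphrases of exactly y characters,
# crunch writes x^y lines, each y characters plus a newline: (x^y)*(y+1) bytes.
# A min..max length range is the sum of one such term per length.
# Integer arithmetic only: POSIX sh on a 64-bit system handles the sizes here.

# wordlist_size CHARSET_SIZE MIN_LEN [MAX_LEN] -> prints "<lines> <bytes>"
wordlist_size() {
    x=$1 min=$2 max=${3:-$2}
    lines=0 bytes=0 y=$min
    while [ "$y" -le "$max" ]; do
        n=1 i=0
        while [ "$i" -lt "$y" ]; do      # n = x^y
            n=$((n * x)) i=$((i + 1))
        done
        lines=$((lines + n))
        bytes=$((bytes + n * (y + 1)))   # +1 for the newline ending each line
        y=$((y + 1))
    done
    printf '%d %d\n' "$lines" "$bytes"
}

# human BYTES -> "36.0 GB" style, 1024-based like ls -h, one decimal place
human() {
    b=$1 div=1 unit=B
    for u in KB MB GB TB PB; do
        [ $((b / div)) -ge 1024 ] || break
        div=$((div * 1024)) unit=$u
    done
    printf '%d.%d %s\n' $((b / div)) $(((b * 10 / div) % 10)) "$unit"
}

# Command-line use: sh wordlist_size.sh 16 8   (or 16 1 8 for a length range)
if [ "$#" -ge 2 ]; then
    set -- $(wordlist_size "$@")
    printf 'passphrases: %d\nbytes: %d (%s)\n' "$1" "$2" "$(human "$2")"
fi
```

Running `sh wordlist_size.sh 16 8` reproduces the case from the post (4294967296 passphrases, 38654705664 bytes, 36.0 GB); `sh wordlist_size.sh 16 1 8` shows what letting crunch run over lengths 1 to 8 costs on top of that.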

Install Airdrop-ng Backtrack5

Airdrop-ng is described as being a ‘rule-based Deauth(entication) tool’.

Airdrop is now available through the standard Backtrack repositories, can install with ;

apt-get update
apt-get install airdrop-ng

Different from other deauthentication tools, Airdrop provides a means to either allow or deny clients to the same access point at the same time, as well as other nifty functions such as allowing or denying access based on hardware type (hardware name or OUI).

This allowance or denial is based on rules which are entered in a text file read by the application.

The way it works is fairly straightforward: first airodump-ng is started, configured to write out a .csv file.
Then airdrop-ng is started, pointed at that csv file and at a rules configuration file containing the drop rules.

So the main thing is to figure out what you want to achieve with this tool running, prepare the file with drop rules accordingly and then let it rip !

First things first, start up airodump and configure to write to a .csv file ;

airmon-ng start wlan0
airodump-ng mon0 -w test --output-format csv

Now to create a file with the Airdrop drop rules.
The standard format is;

a(allow)/bssid mac(or ‘any’)|client mac(or ‘any’)
d(deny)/bssid mac(or ‘any’)|client mac(or ‘any’)

In the written examples I am using 00-11-22-33-44-55 as AP mac and 55-44-33-22-11-00 as Client mac.
This for simplicity’s sake.
Some of the actual picture examples show different macs addresses as these are taken from an actual test run requiring actual connections.

To start off, I will first create a simple file with a ‘deny all’ rule for a specific AP ;

echo '#Deny rules' > rules && echo 'd/00-11-22-33-44-55|any' >> rules

This rule will deny all clients access to the AP with MAC address 00:11:22:33:44:55.
(MAC addresses can also be entered in the standard colon-separated format; 00:11:22:33:44:55)

So now time to run Airdrop ;
(You can also include the -p option to disable the use of Psyco, which gets rid of the 'Not Found' message.)
[Depending on how it was installed, the commands below may need to be started as ./airdrop-ng]

cd /pentest/wireless/airdrop-ng/
airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules

You can also include the -b option for some more detail (Rule debugging);

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules -b

Now to edit the rules file to allow one client access.
Rules are evaluated in cascading order (from top to bottom) and the first match decides, so the Allow rule must be placed above the Deny rule;

nano rules
#Allow rule
a/00-11-22-33-44-55|55-44-33-22-11-00
#Deny rule
d/00-11-22-33-44-55|any


With the above, when running airdrop, all clients except 55-44-33-22-11-00 will be denied access to the AP in question.
(Similar to an access point's MAC-filtering approach)

There is no real need to include "#Allow rule" and "#Deny rule"; they are comments included for clarity's sake.

Another nice function is the ability to Allow or Deny access to certain hardware based on OUI codes or (some) hardware names.
The OUI list can be updated in airdrop as follows (of course need to be online);

airdrop-ng -u

The OUI list can be found @ /pentest/wireless/airdrop-ng/support/oui.txt

I have only tested this using names on my network with Linksys and Intel equipment.

For instance, you can create a rule to deny all clients access to a Linksys router (WRT54G was tested) as follows ;

nano rules
#Deny rule

The airdrop-ng result ;

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules -b

Or you can create a rule to deny linksys adapters from accessing a certain AP ;

nano rules
#Deny rule

The airdrop-ng result ;

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules -b

Each time Airdrop finishes sending packets it re-parses the airodump csv file for changes as well as the rules file, this means that the rules file can be updated even while Airdrop is running.
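Because rule order decides the outcome, it helps to dry-run a rules file before pointing airdrop-ng at a live interface. The following is an added example written for this post, not code from airdrop-ng: a small POSIX sh evaluator that walks a rules file top to bottom as described above, normalises both MAC notations, and reports the first matching action for a given AP/client pair. It handles only the a/ and d/ MAC forms shown here (not the OUI or hardware-name rules), and it assumes (my assumption, not something the page states about airdrop-ng) that a pair matched by no rule is left alone. The rules file it writes is the constructed allow-one/deny-the-rest example from this post:

```shell
#!/bin/sh
# airdrop_rules.sh: dry-run an airdrop-ng style rules file, top to bottom,
# first matching rule wins. Added illustration, not airdrop-ng's own parser.
# Rule lines:
#   a/<bssid or any>|<client or any>    allow
#   d/<bssid or any>|<client or any>    deny
# MACs may be written 00-11-22-33-44-55 or 00:11:22:33:44:55, any case.
# OUI/hardware-name rules are not handled. Assumption: a pair matched by no
# rule is left alone (reported as "allow").

# norm_mac MAC -> lower-case, colon-separated; the keyword any passes through
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F-' 'a-f:'
}

# airdrop_decide BSSID CLIENT RULES_FILE -> prints allow or deny
airdrop_decide() {
    bssid=$(norm_mac "$1") client=$(norm_mac "$2") rules=$3
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac       # blank lines and comments
        action=${line%%/*} rest=${line#*/}
        rb=$(norm_mac "${rest%%|*}") rc=$(norm_mac "${rest#*|}")
        if { [ "$rb" = any ] || [ "$rb" = "$bssid" ]; } &&
           { [ "$rc" = any ] || [ "$rc" = "$client" ]; }; then
            case $action in
                a) echo allow; return 0 ;;
                d) echo deny;  return 0 ;;
                *) echo "bad rule: $line" >&2; return 2 ;;
            esac
        fi
    done < "$rules"
    echo allow    # no rule matched (assumption: client is left alone)
}

# write_demo_rules [PATH] -> writes the constructed rules from the post
# (allow one client, deny everyone else on the AP) and prints the path
write_demo_rules() {
    f=${1:-${TMPDIR:-/tmp}/airdrop-demo-rules}
    cat > "$f" <<'EOF'
#Allow rule
a/00-11-22-33-44-55|55-44-33-22-11-00
#Deny rule
d/00-11-22-33-44-55|any
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: three constructed AP/client pairs against the demo rules
demo() {
    f=$(write_demo_rules)
    for pair in "00:11:22:33:44:55 55:44:33:22:11:00" \
                "00:11:22:33:44:55 aa:bb:cc:dd:ee:ff" \
                "66:77:88:99:aa:bb aa:bb:cc:dd:ee:ff"; do
        set -- $pair
        printf 'client %s on AP %s: %s\n' "$2" "$1" "$(airdrop_decide "$1" "$2" "$f")"
    done
}
demo
```

Swap the Allow and Deny lines in the demo file and the permitted client comes back as deny, which is the ordering mistake the paragraph above warns about; edit the rules file while airdrop-ng is running and it picks the change up on its next pass, so dry-running edits first avoids briefly deauthenticating the wrong client.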

WPA/WEP automated with integrated wordlist generator

Wepbuster: download the tarball from google code (see the install script above). Installation procedure (assuming that wepbuster was downloaded into /tmp):

root@bt:/# cd /tmp
root@bt:/tmp# tar xvfz wepbuster.tgz 
root@bt:/tmp# mv wepbuster-1.0_beta/wepbuster /usr/local/bin

Update Security Components BT5 with Fast/

Updating security components

/pentest/exploits/ -i

First update fast-track itself, then update the other individual components (Metasploit, Aircrack, nikto, etc.; or choose '9' to update all).

If updating nikto doesn’t work :

Updating Nikto... 
cd: 1: can't cd to /pentest/scanners/nikto/ 
/bin/sh: ./ not found 

Fix :

root@bt:~# mkdir /pentest/scanners/nikto/
root@bt:~# ln -s /usr/bin/nikto /pentest/scanners/nikto/
root@bt:/pentest/exploits/~# ./fast-track -c 1 2