EH-Net (The Ethical Hacker Network) forum: Show Posts, May 23, 2013, 10:43:49 PM
Pages: 1 ... 3 4 [5] 6 7
61  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Stolen Laptop on: October 23, 2009, 04:45:49 PM
It's not all that difficult to spoof a MAC address or the LAN card might have been changed.  I'd agree that tracing it is a non-starter.
62  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Use of debug.exe to create an executable on: October 15, 2009, 12:45:13 PM
I've been researching and it seems that exe2bat.exe does the job of converting an executable to a format that can be used to recreate it on a target system.

Is this technique of value in the pen testing field now or is it redundant?
63  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Use of debug.exe to create an executable on: October 14, 2009, 04:06:43 PM
I recall having seen something quite a while ago about the use of debug.exe to recreate an executable.  A text file is downloaded to a locked-down system, renamed as a .bat, then run.  Towards the end of the batch file there is a series of commands such as:

Code:
@echo rcx >> tmp1
@echo n >> tmp1
@echo w >> tmp1
@echo q >> tmp1
@debug < tmp1 > nul
@copy /b /y tmp1 tmp1.exe

The main body of the text file has the representation of the executable which is piped in sequence into tmp1.  I am interested to know how the executable is converted into the format that can be used in a text file in this way.

I don't know if this technique is used currently in pen tests or if it's been superseded by other techniques.

Thanks in advance.
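As an added defensive example (not code from the thread), the following Python scanner flags batch files that build a debug.exe script with echo, feed it to debug and copy the result out, which is the pattern quoted above; both sample scripts are constructed for this example, and the body lines that would carry the executable's bytes are deliberately left out.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the batch tail quoted in the post: a debug.exe
# script is built with echo, fed to debug, and the output copied as an .exe.
# The body lines that would carry the executable's bytes are deliberately omitted.
SUSPECT_BAT = """@echo off
@echo rcx >> tmp1
@echo n >> tmp1
@echo w >> tmp1
@echo q >> tmp1
@debug < tmp1 > nul
@copy /b /y tmp1 tmp1.exe
"""

# Constructed benign script: appends to a log and joins files with copy /b,
# but never feeds an echo-built script into debug.
BENIGN_BAT = """@echo off
echo backup started >> backup.log
copy /b part1.bin + part2.bin joined.bin
"""

ECHO_APPEND = re.compile(r'^echo\s+(.+?)\s*>>\s*(\S+)\s*$', re.IGNORECASE)
DEBUG_STDIN = re.compile(r'^debug(?:\.exe)?\s*<\s*(\S+)', re.IGNORECASE)

def analyze_batch(text):
    """Flag every file that is built line-by-line with echo, contains debug's
    rcx / w / q write-and-quit sequence, and is then piped into debug.exe."""
    echoed = defaultdict(list)          # target file -> lines echoed into it
    debug_inputs, copied = [], set()
    for raw in text.splitlines():
        line = raw.strip().lstrip('@').strip()   # a leading '@' only suppresses echoing
        if (m := ECHO_APPEND.match(line)):
            echoed[m.group(2).lower()].append(m.group(1).strip().lower())
        elif (m := DEBUG_STDIN.match(line)):
            debug_inputs.append(m.group(1).lower())
        else:
            parts = line.split()
            if parts and parts[0].lower() == 'copy' and '/b' in [p.lower() for p in parts]:
                copied.update(p.lower() for p in parts[1:] if not p.startswith('/'))
    hits = []
    for script in debug_inputs:
        if {'rcx', 'w', 'q'} <= set(echoed.get(script, [])):
            hits.append({'script': script, 'copied_after': script in copied})
    return hits
```

Run it over a directory of collected .bat files to triage them; a hit with `copied_after` set means the rebuilt binary was also staged under a new name.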
64  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Capture WEP and WPA association / authentication traffic on: October 12, 2009, 09:06:25 AM
Thanks alucian.  I'm using a live BT4 CD and I'm considering using an old laptop (within the HCL) to load BT4.  I know that I can take an image to restore the laptop should I make any major configuration errors.  I'm pleased that I have a card and appropriate commands which will allow me to collect the traffic that I'll need to learn about the association and authentication process.
65  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Capture WEP and WPA association / authentication traffic on: October 11, 2009, 01:18:51 PM
UPDATE (and sorry for not feeding back earlier!):

I've been pulling my hair out.  I managed to get a second Netgear WG511T PCMCIA card and all the research that I did led me to believe that it *should* work to collect management frames.  I looked into airmon-ng and issued:

ifconfig wlan0 down
airmon-ng start wlan0

which created a new entry in ifconfig -a (mon0)

I started Wireshark and collected using mon0.  Lo and behold, there were beacons and probes!  I switched back to my original WG511T card and it didn't work so I guess it's been a combination of a faulty card and the lack of my using airmon-ng.  Before you (Ketchup) mentioned this, I assumed that I could change the mode of the card from within Wireshark.

As a non-Linux user, it's been a steep learning curve ... but one which has made me more determined to learn more!
66  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Capture WEP and WPA association / authentication traffic on: September 28, 2009, 04:07:37 PM
Having got BT4 working, I tried connecting to my wireless router and could when I used the connection manager, so it appears that the driver is correct, but I still need to get the wpa_supplicant.conf file sorted.  I set up the second laptop and got it to associate too, but nothing was picked up by Wireshark.  This was regardless of whether it was associated or not and whether it was in promiscuous mode or not.

I'll look into getting a second card from the list that you linked.  I just wonder if it's a problem of my configuration of Wireshark so I might ask on their forum.  I ran Kismet in BT3 (whilst not associated) and it picked up my home network, as expected, without any problems.
67  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Capture WEP and WPA association / authentication traffic on: September 28, 2009, 08:51:18 AM
I wondered if the -k switch was used in other versions ... I've managed to get BT4 working and the lspci -k output is:

Code:
02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (MOB) Ethernet Controller (rev 83)
        Kernel driver in use: e100
02:0b.0 Network controller: Intel Corporation PRO/Wireless 2200BG [Calexico2] Network Connection (rev 05)
        Kernel driver in use: ipw2200
        Kernel modules: ipw2200

I'm not even able to get my wireless (WPA) card connected now though!  I'll get back into BT3, copy the entire wpa_supplicant.conf file and try that in BT4.

Unfortunately, the older laptop (the one with the PCMCIA card) won't run BT.  It was designed for W98 (yes, that old) and has 128MB RAM.  I'll try the PCMCIA card in the newer laptop though to see if it will pick up traffic from my wireless router.

BTW, do you have any recommendations for wireless cards (USB or PCMCIA) which will "play" with BT without any hassle?  I'm keen to capture the traffic so I can understand the authentication process.
68  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Capture WEP and WPA association / authentication traffic on: September 28, 2009, 05:02:24 AM
Thank you for the guidance.  Your interpretation of the configuration is correct.

I ran lspci -k in BT3 and got the following:

Code:
bt ~ # lspci -k
lspci: invalid option -- k
Usage: lspci [<switches>]

so I tried lspci -v and got the following related to the ethernet and wireless:
Code:
02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (MOB) Ethernet Controller (rev 83)
        Subsystem: Sony Corporation Unknown device 8140
        Flags: bus master, medium devsel, latency 66, IRQ 9
        Memory at d0200000 (32-bit, non-prefetchable) [size=4K]
        I/O ports at 4000 [size=64]
        Capabilities: [dc] Power Management version 2

02:0b.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
        Subsystem: Intel Corporation Unknown device 2753
        Flags: bus master, medium devsel, latency 64, IRQ 9
        Memory at d0201000 (32-bit, non-prefetchable) [size=4K]
        Capabilities: [dc] Power Management version 2

I couldn't see anything relating to kernel module or drivers though.

I'll see if I can get BT4 to work.  I suppose my alternative is to get a USB or PCMCIA wireless card which will work.  I'm based in the UK so would prefer to get something here, rather than have to order from the US (with additional shipping charges).
69  Ethical Hacking Discussions and Related Certifications / Wireless / Capture WEP and WPA association / authentication traffic on: September 27, 2009, 01:25:27 PM
I'm interested in capturing my own WEP and WPA association and authentication traffic so I can study and then understand it.  I set up two laptops, one running BT3 live CD and the other Windows XP with a Netgear WG511T PCMCIA wireless card.

I managed to get the capturing laptop configured and authenticated to my wireless router (WPA).  I also got my second laptop authenticated but didn't see any of the association/authentication packets when I ran Wireshark in BT3.  I set the capturing laptop wireless in promiscuous mode.  This is Intel PRO/Wireless 2200BG.

I ran the test again but didn't authenticate my capturing laptop first.  It didn't make any difference as I didn't see any traffic when the second laptop authenticated.

Finally, I captured traffic when the capturing laptop authenticated.  All I saw were a series of EAPOL frames.  There were no beacons, probes or frames containing the SSID.  I have seen a pcap file of the authentication process so I know that these additional frames should be present.

I just wonder if my Intel Wireless card isn't playing nicely with Wireshark.  Any tips?  I hasten to add that this is for my own education, rather than illicit activity in a coffee shop (etc.)!
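The thread describes a capture that showed only EAPOL frames, with no beacons, probes or SSID-bearing frames, until monitor mode was enabled. As an added example, not code from the thread, this Python classifier labels raw 802.11 frames by type and extracts the SSID element, so a learner can check what a capture actually contains; the sample frames, MAC addresses and the SSID 'HomeNet' are constructed, and frames are assumed to arrive without a radiotap header.

```python
from collections import Counter

def parse_ies(body):
    """Walk the tagged parameters (tag, length, value) that follow the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

MGMT_NAMES = {0: 'assoc-req', 1: 'assoc-resp', 4: 'probe-req', 5: 'probe-resp',
              8: 'beacon', 11: 'auth', 12: 'deauth'}
FIXED_LEN = {8: 12, 5: 12, 0: 4, 4: 0}   # bytes of fixed fields before the IEs
LLC_EAPOL = b'\xaa\xaa\x03\x00\x00\x00\x88\x8e'   # LLC/SNAP header for EtherType 0x888e

def classify_frame(frame):
    """Return (kind, ssid) for a raw 802.11 frame without radiotap header;
    ssid is None where the frame type carries no SSID element."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype == 0:                                   # management: 24-byte header
        name, ssid = MGMT_NAMES.get(subtype, f'mgmt-{subtype}'), None
        if subtype in FIXED_LEN:
            ies = parse_ies(frame[24 + FIXED_LEN[subtype]:])
            if 0 in ies:
                ssid = ies[0].decode('ascii', 'replace')
        return name, ssid
    if ftype == 2:                                   # data; QoS subtypes add 2 bytes
        hdr = 26 if subtype & 0x8 else 24            # (4-address WDS frames not handled)
        return ('eapol' if frame[hdr:hdr + 8] == LLC_EAPOL else 'data'), None
    return ('ctrl' if ftype == 1 else 'other'), None

def summarize(frames):
    """Count frame kinds, e.g. to see whether a capture holds only EAPOL data."""
    return Counter(classify_frame(f)[0] for f in frames)

# Constructed sample frames (fake MACs, SSID 'HomeNet'); built for this example only.
def _hdr(ftype, subtype):
    fc = bytes([(subtype << 4) | (ftype << 2), 0])
    return fc + b'\x00\x00' + b'\xff' * 6 + b'\x02' * 6 + b'\x02' * 6 + b'\x00\x00'

SSID_IE = bytes([0, 7]) + b'HomeNet'
BEACON = _hdr(0, 8) + b'\x00' * 8 + b'\x64\x00' + b'\x11\x04' + SSID_IE   # timestamp, interval, caps
PROBE_REQ = _hdr(0, 4) + bytes([0, 0])                                  # wildcard (empty) SSID
AUTH = _hdr(0, 11) + b'\x00\x00\x01\x00\x00\x00'                        # open system, seq 1, success
ASSOC_REQ = _hdr(0, 0) + b'\x11\x04' + b'\x0a\x00' + SSID_IE            # caps, listen interval
EAPOL = _hdr(2, 0) + LLC_EAPOL + b'\x02\x03\x00\x5f'                    # EAPOL-Key header follows
```

A capture taken on a managed (non-monitor) interface will typically summarize to EAPOL and data only, while one taken on the mon0 interface from airmon-ng should also show beacons, probes, auth and association frames.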
70  Resources / Tutorials / Re: Can i access a hard drive using ip on: July 23, 2009, 01:41:03 PM
If it were as easy as that, everyone would be doing it.  You need to understand how networks work, about security and how to exploit vulnerabilities in the target system.  There's no "one size fits all" solution.
71  Ethical Hacking Discussions and Related Certifications / Wireless / Re: WiFi Hotspot work around on: July 18, 2009, 07:19:25 AM
Brilliant - I just want to get the Treo into my hands now to start playing!
72  Ethical Hacking Discussions and Related Certifications / Wireless / Re: WiFi Hotspot work around on: July 17, 2009, 01:53:48 PM
Hey Ketchup - I've already approached my mobile provider about upgrading to a Treo.  Can you let me have details of the product that you use please?
73  Ethical Hacking Discussions and Related Certifications / Malware / Re: Spammers Exploiting Trust in Shortened URLs on: July 10, 2009, 02:04:58 PM
Would it be of benefit to wget the address and look at the code?  I realise that it might not be easy to see exactly what it's doing, particularly if it's extensive or if there's obfuscation.
74  Resources / Tutorials / Re: I can't see my computer from the Internet! on: July 05, 2009, 12:46:33 PM
How are you connected to the internet?  It's possible to configure an ADSL router not to respond to ICMP from the WAN port.
75  Resources / Tools / Re: VMWare or Virtual PC? on: July 01, 2009, 08:47:54 AM
They're in the middle of a series about virtualisation and ESXi on Hak5 (it's been advertised here).  I'm not an expert, but I think that they're aiming more towards a functional virtualisation setup for a real working network, rather than a lab to play and learn.  They built a PC last week for under $2000 and they loaded ESXi.  I'm not sure what comes next, but I hope that they'll do some of the configurations of ESXi and OS installs.  I suspect that I'll be following their recommendations over the next month or so.

I know that such a PC would exceed my lab requirements, but I could use it subsequently in a production network.
© 2013 The Ethical Hacker Network