Back Track 5 r3 a BOx or a BOmb. The security suite.

Since it was started in 2006, Back Track has become one of the best security suites in the penetration testing market. Due to that fact, there has been a huge proliferation of this kind of software in the last few years.

In this article we are going to cover how a bunch of software can be as easy as pie, or a dangerous game that could get you into trouble. On one side, installation is pretty easy (you can easily run a security distribution even in a virtual machine). On the other side, managing and mastering it is in a completely different league.

We have in front of us a Linux OS with more than 300 penetration tools.

This article will help you to open the box. What can you do with a box? Not so much, or maybe nothing. But with the content of the box, you could probably do a lot of things, even more if we are talking about a big box with hundreds of boxes inside. I must tell you to be careful because, depending on the use, the content can be as bad as nitroglycerin. It goes without saying that, in some countries, the use of these tools can be considered terrorism.

When used in the right way, we have a great security tool which is able to help in several different areas (wifi, forensics...). With the right knowledge of each area the power multiplies 10 times.

If you use it wrongly, you can have serious problems. That said, it will be your own responsibility once you start BackTrack.

After you read this article, you will be able to run a security suite and use a couple of applications. My opinion is that the information displayed here is enough to get you hooked and leave you with some hunger for knowledge. I think so mainly because I will give you a few tips to get information from the system you want to audit 😉 and I say a small part because it is quite difficult to talk about the more than 300 tools that are part of Back Track. Within security, there are also different fields that we could talk about, and talk a lot about, by the way.

I still remember the time, several years ago, when I discovered this tool. It was Back Track 2 at that time. I was using a new DELL laptop with 2 GB of RAM, a 1.6 GHz Intel processor and an NVIDIA graphics card. It took me at least 3 days to sniff a simple packet because of my wifi chipset version, and another extra day to inject traffic. I didn't have internet at home because I was living abroad, and I had to go to a local cybercafe.

Let's start from the beginning. The current version is BackTrack 5 r3. I recommend downloading the ISO image from http://www.backtrack-linux.org/. Since this is a modified Ubuntu version (Ubuntu 4.4.3, to be more accurate), you can run it even on a smartphone.

Once the iso is in your hands, you have 3 options:

  • Install it on your hard drive. Highly recommended for professionals.
  • Install it on a USB drive or DVD to run a live version (with the proliferation of USB devices a DVD does not make much sense, but it is a possibility). It is also a good option if you do not want to change anything on your computer. But I would recommend that, once you run your live image, you make your changes permanent on your USB drive, because otherwise you will have to change the settings again the next time you run it. And that is not much fun.
  • Virtualization. The best and quickest option to play with. This option offers you the possibility to install or even run the live ISO image in a virtual machine. It is the easiest way to start using it. You could run a lot of virtual machines with only one PC, depending on the features and characteristics of your equipment. With a computer and a couple of virtualized machines you can play at protecting one box and attacking the other one. It is fun if you are into it and you could spend lots of hours 🙂

First steps:

After booting the system, you can see the following message:

Figure 1 – Boot

Press Enter and you will reach the main boot menu. There are 3 different modes:

  • Stealth
  • Forensics
  • Text (this one is the default option)

Figure 2 – Back Track menu

The main objective of this article is to speak only about the first boot option, “Text mode”, so you can get to know it better. Let's say that I jump quickly into graphic mode, basically because that's the easiest way in most cases, and because it is a friendlier environment. I must also say that to reach excellence in Back Track, you need to be fairly good in text mode and know it very well. That is the same as saying “if you want to run, you should start to walk first”.

Following the instructions, once you press “BackTrackText” the screen will show:

Figure 3 – Login

When the “bt login” prompt appears, it means that you are already in Text mode. The following are the credentials to log into the system:

user: root
password: toor (the one used in the latest Back Track distributions)

Figure 4 – Command line

When you type the default credentials, you will see the prompt that is shown above. From here the race begins! You can start to play now. At this point, we have crossed the line. Everything is ready!

You can start applications in text mode (tcpdump, netcat, nmap...). Also, as in every Linux distribution, you can move between terminals with Alt + function keys.

To run the graphical environment, just type:

root@bt:~# startx

Once you are in the main window, go to Applications > BackTrack. You will now see all the areas that BackTrack covers:

Figure 5 – Back Track Xwindow

From now on, it depends on preferences. As you can see in the previous image, there are different areas to explore:

  • Information Gathering
  • Vulnerability Assessment
  • Exploitation Tools
  • Privilege Escalation
  • Maintaining Access
  • Reverse Engineering
  • RFID Tools
  • Stress Testing
  • Forensics
  • Reporting Tools
  • Services
  • Miscellaneous

As a good expert, before any attack, you need to know your “victim”, right? I believe that it is sensible to start with the Information Gathering tools. You need to get as much information as possible to find the best attack vectors. Personally, one of my favorite tools for reconnaissance jobs is Maltego. The Paterva guys are doing a very good job in this area. With a graphic interface, they make it easy to start getting information from a simple domain record. With this tool you simplify your work, avoiding getting stuck in Text mode and parsing output to draft the final report. It is quite complete and there is even the possibility to add plugins.

Believe me, this tool is fantastic. Let me tell you that, as a security consultant, it helps a lot to use Maltego. To be honest, as a consultant, the whole suite is a mandatory tool to have. It is like an all-in-one. I do not need to say that a good professional usually has every tool personalized, and this is also the case here. Back Track runs on a Linux distribution or, even better, it is a Linux distribution already modified for security experts. Then, once you are provided with the ultimate Back Track tool, you may start to tune it to fulfill your own needs.

You also have Wine installed by default to run Windows applications on a Linux machine.

Let's talk now about Maltego. I remember a previous version (version 2) in which you were not asked to log in, as you are in this new one. This was probably done to provide better features.

How can we use it then? Where should I start? Once you open it up, the picture shown next (Figure 6) is the first screen you will see:

Figure 6 – Maltego

The first option that you should check is Manage > Manage Transforms. This is an important one: it is the real engine, and it helps you establish the parameters of how Maltego will work later on. A good transform will lead you to a better result.

Figure 7 – Transform manager

You can create your own transforms, personalized according to your needs, or you can modify the ones that are in the system by default. You also need to accept each transform's disclaimer, unless you want to accept it every time you run a transform. You can sort them by Status and accept the ones in “disclaimer not accepted” status. After you fine-tune your transforms, you are ready to start using Maltego.

To view the information, you have Main View, Bubble View and Entity List View. By default, Main View is the one selected. The differences are in how data are represented (with icons in the main view, with bubbles in the bubble view, or as a list). The default view starts as in Figure 6. Let's see the options. On the left side are the objects which you can drag and drop into the Main View. On the right side you see some other windows that will be empty until you select an icon.

Starting from the left and selecting “Domain”, for example, you already have the first piece of the game. I did a test with the default value, which is paterva.com. Of course, you can change it to whatever domain name you want, and do the same for each object. By clicking on it or even passing the mouse over it, you get a detailed view and also a property view on the right side of the main window. With a single object, there is not much that we can do. Let's go on! Now right-click on the domain and choose “Run Transform” -> “All transforms”, and this is the result:

Figure 8 – Transformation finished

As you can see, there is a lot of “rubbish”. In this case, if you visit paterva.com, you'll notice that at the bottom of the website there are some social network icons, and that is why you see facebook, twitter, youtube... in your schema. The same goes for phones and some other objects. For that reason, discard all the icons that are not giving you any interesting information. You can then continue running transforms on each icon until you get the final picture.

When you click on “Running transforms”, this is what Maltego is doing in the “background” to draw the final picture.

Figure 9 – Transform output

The best idea is to check only the important transforms or, even better if you ask me, disable the ones not needed and create personalized ones. As I said before, the first place you should go after starting Maltego is Manage > Manage Transforms.

Another interesting tool that we can talk about is EtherApe. It is not under the BackTrack option in the main menu. You can find it under System Tools or Internet. This is a graphical network monitor with 5 different capture modes (Token Ring, FDDI, Ethernet, IP and TCP). You can see the connections from your host, the connections to your host, or both ways. This is, in my opinion, an easy and light tool with just a few options, but very useful.

Figure 10 – EtherApe – Preferences

You would surely be surprised if you run this tool and then open your favorite website. It is as if it were alive. Every few seconds, a banner or another link in your browser creates a connection. I did a test with http://www.facebook.com. You can also see the IPs, traffic per node and traffic per protocol.

Figure 11 – EtherApe

An easy and quick example that you can try is typing the IP of your own router in your browser: you'll see that only one connection is created between you and the router. But if you type, for example, http://www.amazon.com, you will see the much larger number of connections that are created.

Let's assume that you are a security guy who needs to audit a “secured system”. The first action that you may take is to change your MAC address, because you do not want to be discovered or because you already know the physical address of a machine and you want to obfuscate. The tool used for that purpose is the one that we are going to see next, macchanger.

“Macchanger”.

Figure 12 – Macchanger

As you can see in the previous screenshot of the help menu, this is an easy and useful tool, much like some of the previous ones. You could also change the address through a virtual machine, but if you need to change it many times, macchanger is worth it.
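Seen from the side of the audited network, a changed MAC address leaves traces that can be checked for. The following is an added example, not part of the original article: it scans constructed ARP/DHCP-style observations and flags an IP whose MAC changes, a MAC that shows up on a second IP, and MACs with the locally administered bit set. The log format, the sample values and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: "timestamp ip mac" observations, as an ARP or DHCP log might give.
SAMPLE_LOG = """\
2012-11-02T09:00:01 192.168.1.59 00:1E:4F:AA:10:22
2012-11-02T09:05:13 192.168.1.61 00-26-b9-3c-77-01
2012-11-02T09:20:40 192.168.1.59 3a:9d:12:c4:5e:80
2012-11-02T09:41:02 192.168.1.59 00:1e:4f:aa:10:22
2012-11-02T09:50:00 192.168.1.70 00:26:b9:3c:77:01
"""

def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (address not vendor-assigned)."""
    return bool(int(mac[:2], 16) & 0x02)

def find_alerts(log_text):
    """Return (timestamp, kind, detail) tuples for suspicious MAC behaviour."""
    alerts = []
    last_mac_for_ip = {}             # most recent MAC seen for each IP
    ips_for_mac = defaultdict(set)   # every IP each MAC has been seen on
    flagged_local = set()            # report each locally administered MAC once
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that are not "timestamp ip mac"
        ts, ip, raw = parts
        mac = normalize_mac(raw)
        if mac is None:
            alerts.append((ts, "malformed-mac", raw))
            continue
        if is_locally_administered(mac) and mac not in flagged_local:
            flagged_local.add(mac)
            alerts.append((ts, "locally-administered", f"{ip} uses {mac}"))
        prev = last_mac_for_ip.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-changed-mac", f"{ip}: {prev} -> {mac}"))
        if ips_for_mac[mac] and ip not in ips_for_mac[mac]:
            alerts.append((ts, "mac-on-second-ip", f"{mac} now also at {ip}"))
        last_mac_for_ip[ip] = mac
        ips_for_mac[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

An address copied from a real network card does not set the locally administered bit, which is why the two rebinding checks run alongside it; DHCP lease renewals and replaced hardware also trigger them, so treat the alerts as leads to verify.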

The last application which I will cover in this article is Metasploit. This application is an exploitation tool, so we will find it under the path below (see Figure 13):

Figure 13 – Metasploit path

Metasploit is a powerful framework that can be used in different fields. It is like a Back Track inside another Back Track. I would like to start by mentioning an important task which you should do before starting to play with it: update the database. The real power of this tool is in the database, which is being continuously updated. Metasploit is “exploiting” vulnerabilities, and if you don't have this database up to date, it is like an old anti-virus that has not been updated for 3 months. Maybe you intend to exploit a vulnerability that is already in the database and you do not want to update, but this is not usual, because vendors and software developers are also fixing the problems as soon as possible. In some cases, the time from day “0” until the problem is patched is longer than expected.

To understand it better, let's think about a scenario: you are a system administrator for an important company and your web server is affected by an XSS. Due to this vulnerability, a user could get a copy of your user database, compromising the privacy of the employees. As a good administrator, you need to test that your application is not affected by the dangerous bug or, if it is affected, try to fix the problem. The most important thing for you is the system that you are administering. We need to know our infrastructure (software and hardware), and also the behavior of a specific pattern.

Some concepts that should be familiar to you when you are using Metasploit are payload and exploit. A payload is the piece of software which allows you to take control of the computer that is affected by the exploit. The best-known payload is Meterpreter (we will see it in the example later on). An exploit is a program or piece of software designed to break or crash into a system through a known vulnerability.

What this software basically does is check a database for all kinds of bugs for different platforms, software... (that's why it is so important to update first). You can load a bug for a specific application and, once it is loaded, you can attack the application with that tool. Let's see it with an example:

1st – Update the database. As I mentioned before, this is an important step. Looking at Figure 13, we can see that there is an icon to update Metasploit. Click on it and prepare yourself a good coffee while you wait. It will take time.

Figure 14 – Updating Metasploit

2nd – Start Metasploit. You will get a random image, and at the end you will see the version, exploits, payloads...

Figure 15 – msf console

3rd – Find a bug in Metasploit and try to use it. Just type the “search” command plus a string to search for. In the example below we are searching for ms08 (command: “search ms08”).

Figure 16 – Searching in modules

4th – Load the module. Once you have chosen the exploit, type: “use” + module.

Figure 17 – Module loaded

Once you are in the ms08_067_netapi module, you need to find out which options you can set.

Now, you can define your parameters with the “set” command.

  • set rhost 192.168.1.61 (this is the IP of the remote host)
  • set lhost 192.168.1.59 (our local IP)

5th – Once it is loaded, run an attack to exploit the bug. When we have the parameters configured, we type the “exploit” command and WE ARE INSIDE!!

Figure 18 – Exploiting

Meterpreter is the payload. By invoking help, we can see the commands available to execute on the remote host.

Figure 19 – Shell in remote host

This is only one module and you could load hundreds of modules. We could also find hundreds of exploits.

To summarize, the commands used in this article for Metasploit are:

  • ./msfpro -> Starts the program
  • search + “string” -> Searches the big database
  • use + module -> Loads the module
  • show options -> Shows the options of the module that you previously loaded
  • set + option -> Defines the values
  • exploit -> Starts the exploit

To cover in depth all the tools included in this distribution I would have to spend some months of my life, or even some years.

To sum up, we are standing in front of a Swiss army knife (a big one, by the way!).

I have given you the main steps to use one of the best security suites in the world. Now it is up to you. With that number of tools in Back Track, you can choose which one is your strong point, try to use it and do your best. Or you could even try to investigate other areas.

If you are an expert in networks, you can use BT. If you are a programmer, you can use BT. If you are a database expert, you can use BT. If you are a security specialist, you can use BT. Even if you are not an IT expert you can also use it, to get information about any place, person or item 😉

About Eduardo Cuthbert:
I started in networking and security in 2004. Ever since I discovered the field of Security I have been passionate about it.

Having always lived and worked in a medium size city in Spain, I decided to try and take my chances abroad. Knowing that in other countries I could develop and research, I left and found a job in Switzerland, where I am living and working currently.

I have always worked in those two fields and I consider myself a committed and focused person, so researching and learning about new developments is something essential to me. That’s why I have always looked for better ways of improving.

Through all my career I got several certifications, such as CCNP and CCSP.

I am also a cycling enthusiast.

Text: Eduardo Cuthbert González

Proof reader: Desirée Suarez González