By Ralf Spenneberg
Penetration testing is the art of breaking into your own network. Security consultants and system administrators use penetration testing todiscover holes before an intruder can find them. Unfortunately, intruders use a vast collection of powerful tools for sniffing, snooping, cracking, and hiding out on a target network.
If you want to simulate an attack, you could always download this large collection of applications and temporarily install them on whatever system you plan to use for the attack. However, searching for the right tools and then installing them on your system can take up hours or even days of your time.
A number of Linux distributions are designed to support penetration testing. Two of the most popular security testing distributions (Auditor and Whax) merged early this year to create the BackTrack distribution.
BackTrack [1] is based on the Slackware Live CD, Slax [2].
In addition to the many intrusion tools, BackTrack also includes a large selection of applications for investigating and uncovering signs of clandestine entry.
You can obtain BackTrack from the project website [1]. Or, if you have a copy of last month's Linux Magazine (March 2007), you'll find BackTrack on the Best of Live Distros DVD. This article will show you how to get started with BackTrack, and it also provides a glimpse of the many tools that are included on the BackTrack CD.
BackTrack comes as a live CD, so to run it, you simply need to insert it in the CD drive and then boot the system. At the prompt, log on as root and then enter the root password toor before going on to set up the GUI with xconf.
After you have completed the setup, simply type startx to launch the GUI.
If an error occurs, try gui as a workaround for launching the graphical interface.
If you need to, you can type dhcpcd to ask the DHCP server for an IP address. BackTrack does not do this automatically.
BackTrack's KDE-based menu system provides access to dozens of security tools and other forensic-analysis applications (see Figure 1).
Browsing the BackTrack menu is a little like browsing the many menus and submenus of a games distribution; only, instead of a bunch of games, the GUI is stocked with sniffers, spoofers, scanners, and other utilities to assist you with security testing.
The tools are organized by group:
BackTrack's security tools will give system administrators everything they need in order to hunt down their security holes.
The following sections will describe just a sampling of some of the tools that are available on the BackTrack CD.
Security analysis normally starts with an inventory of the computers, operating systems, and network services.
The Enumeration menu provides some popular port scanners, such as NMap and the NMapFE, in addition to SNMP analysis tools and tools for accessing LDAP servers and Windows SMB shares.
Submenus contain scanners for special protocols. For example, Nikto scans and analyzes web servers, while IKE Scan and IKEProbe help administrators analyze their virtual private networks (VPNs). After ascertaining the operating systems and services on the network, you can move on and search for matching exploits in three major vulnerability and exploit archives: Milw0rm [3], Metasploit [4], and Securityfocus [5].
If you need to crack password-protected services or find out how robust your passwords are, BackTrack offers a variety of tools for password attacks.
In addition to the classic john cracker, which will have no trouble finding the root password (see Figure 3), you'll find a number of other tools for offline cracking of encrypted passwords or online password guessing.
Sniffers help network administrators scan their networks and test for secure protocols. BackTrack has a number of useful helpers, including the classic Ethereal, Etherape, Driftnet, and DSniff (see Figure 4), along with many other helpful sniffers.
It is even possible to crack SSH connections with BackTrack. sshow and sshmitm attack the SSH connections that use version 1 of the SSH protocol (see Figure 5).
Administrators can run sshmitm to launch a Man-in-the-Middle attack on an SSH connection.
To use sniffers on switched networks or to run sshmitm for a Man-in-the-Middle exploit, admins will also need spoofing tools. arpspoof or macof support sniffing on switched networks.
While macof generates much conspicuous network traffic, arpspoof is a tool that is very difficult to detect.
arpspoof attacks the ARP cache on the target systems, tricking the system into delivering packets to the sniffer via the switch. This is achieved by poisoning the ARP cache on the victim machines. (For more information on ARP spoofing, see the resources [6] [7].)
BackTrack also comes with a number of very useful tools for testing the WLAN and the Bluetooth networks.
Besides Kismet, the collection of tools includes Aircrack, Airsnort, WEPAttack, and WEP_crack.
Of course, the administrative workstation will need a WLAN interface to run these tools.
BackTrack supports common Bluetooth attack scenarios.
Besides legacy exploit tools for Bluetooth networks - for finding vulnerable mobile phones, for example - the distribution also has auditing tools for help with identifying Bluetooth devices in the vicinity.
Because attacks today increasingly tend to target web applications and the underlying databases, the BackTrack distribution also has a number of programs that can help administrators with analyzing web applications and the database systems.
For example, curl supports script-based access to web servers; DMitry and HTTPrint will serve up useful information about web servers and domains (see Figure 6).
If the web server is not configured correctly, httpput will support file uploads; list-urls extracts all the URLs from a website, and isr-form.pl analyzes the HTML forms.
Last but not least, Nikto will analyze a web server to discover the known vulnerabilities.
The Paros penetration proxy gives the system administrator the ability to modify HTTP requests before sending them to the web server. In this way, hidden fields in HTML forms and cookies can be manipulated to work around Javascript plausibility tests for form input.
BackTrack also has automatic blind SQL injection scripts and brute-force password crackers for database analysis. Tools such as Absinthe (see Figure 7) provide automatic mechanisms to simplify the analysis process.
The BackTrack developers also provide tools for analyzing Cisco network devices. First and foremost, there are two tools that exploit known vulnerabilities in Cisco devices: Cisco Global Exploiter, and Yersinia.
Yersinia is particularly interesting because it attacks Cisco's proprietary Layer 2 protocols to enable VLAN hopping.
System administrators can use the Yersinia tool to reprogram the port used by the current connection to make the connection part of a different VLAN. However, as VLANs are often used to separate networks for security reasons, this can be very dangerous.
In (all too) many environments, the people in charge do not pay enough attention to their switches; therefore, Yersinia exploits work more often than you might expect them to.
The Cisco vulnerability scanner, Cisco Torch, helps system administrators close the gaps.
BackTrack is also useful for forensic analysis of systems after a suspected compromise. The forensic team includes the tried-and-trusted Sleuthkit and Autopsy tools, versions 2.03 and 2.06,respectively.
The Foremost [8] tool helps analysts identify and restore deleted files purely based on their content. This is what forensics specialists refer to as file carving.
In addition to penetration, scanning, and forensics tools, BackTrack has a number of interesting tunneling applications.
SSLTunnel encrypts arbitrary TCP connections, NSTX or OzymanDNS set up tunnels via the DNS protocol using mandatory caching name servers as proxies.
You'll also find a special Hijetter tool for Jetdirect printers. The Hijetter tool gives the user access to variables, the display, and also to the filesystem.
Documentation is another important consideration in any penetration test. The BackTrack distribution includes the revolutionary Leo [9] editor.
The Leo editor has a very intelligent outline mode, featuring the ability to launch scripts directly within a document. The Leo editor also supports intelligent access to the integrated file browser.
Because Leo is written in Python, system administrators can use the browser to write their own Python scripts or even use it to write very simple plugins.
If you enjoy the experience of working with BackTrack, you might like to have the abilty to save data or update the applications. If this is the case, you can install BackTrack on a hard disk or on a USB stick.
To do so, just select BackTrack Installer in the System menu (see Figure 8).
After selecting the target medium, you will also need to decide whether to install a live version (700 MB) or else opt for a genuine Linux system (2.7 GB).
Opt for the genuine Linux system option if you really want to update applications and also to store your data.
The BackTrack distribution is something that no system administrator's toolbox should be without. The BackTrack distribution provides sysadmins with everything necessary to test the security posture of a network.
The BackTrack distribution developers are currently working on version 2.0, which will include updates to many of the the BackTrack tool collection. Other changes in the new version include aufs with zlib compression instead of UnionFS, dual core support, and new tools like defcon, blackhat, and packetstorm. New features include network boot and cracking cluster support. A beta version of BackTrack 2.0 is on the BackTrack site [1].
| INFO |
|
[1] BackTrack: http://www.remote-exploit.org
[2] Slax: http://www.slax.org [3] Milw0rm: http://www.milw0rm.com [4] Metasploit: http://www.metasploit.org [5] Securityfocus: http://www.securityfocus.com [6] ARP spoofing: http://de.wikipedia.org/wiki/ARP-Spoofing [7] "Traffic Tricks: ARP Spoofing and Poisoning," by Thomas Demuth and Achim Leitner, Linux Magazine July, 2005; http://www.linux-magazine.com/issue/56/ARP_Spoofing.pdf [8] Foremost: http://foremost.sourceforge.net [9] Leo: http://webpages.charter.net/edreamleo/ |