BackTrack 4 R2 - SFISSA Presentation


This presentation was put together for a South Florida ISSA technical workshop.

Transcript of BackTrack 4 R2 - SFISSA Presentation

Page 1: BackTrack 4 R2 - SFISSA Presentation

BackTrack 4 – R2

Jorge Orchilles, Peter Greko

South Florida ISSA

Page 2

About Jorge Orchilles

• Information * for over 8 years
• Security Analyst – Fortune 10
• Consultant by night – Orchilles Consulting
• Master of Science and BBA in Management Information Systems – Florida International University
• Author – Microsoft Windows 7 Administrator’s Reference (Syngress)
• Certifications – CISSP, GCIH, CEH, CICP, CCDA, CSSDS, MCTS, MCP, Security+
• Organizations:
  – President, South Florida ISSA
  – OWASP
  – InfraGard
  – Miami Electronic Crimes Task Force
  – Hack Miami

Page 3

About Peter Greko

• Local InfoSec Researcher
• Security Analyst – Fortune 10
• Hack Miami Board Member
  – Not one of “them 2”
• Speaks at conferences
  – HOPE, Hacker Halted, AppSec DC

Page 4

Intro to BackTrack

• Live DVD for Penetration Testing
  – Can download a VM as well
• 300+ tools installed
  – Saves a lot of time
• Runs on Ubuntu
  – KDE
• http://www.backtrack-linux.org

Page 5

Let’s Get Started

• Insert the BackTrack 4 – R2 DVD and reboot your computer.
• When the BIOS comes up, press F2, F12, etc. (depending on your BIOS) to open the Boot Menu – select DVD.
• When the BackTrack splash screen comes up, press Enter.
• To log in:
  – Username: root
  – Password: toor

Page 6: BackTrack 4 R2 - SFISSA Presentation

Configure• Start KDE: startx• Start networking:

– Open a terminal: /etc/init.d/networking start– Wireless: KDE-Internet-Wicd Network Manager

• SSID: SFISSA• WPA-PSK: SFISSArocks!

– DHCP: 192.168.1.200-249/24– Static IP:

• ifconfig eth0 192.168.1.1XX/24• route add default gw 192.168.1.1 (not required)• DNS: echo nameserver <ip> > /etc/resolve.conf• Do not use:

– 192.168.1.1– 192.168.1.100 – Level 1 Victim– 192.168.1.110 – Level 2 Victim– 192.168.1.120 - Metasploitable

– Ping 192.168.1.110 to ensure you are up.

Page 7

/pentest

• Get familiar with the BackTrack GUI and the /pentest directory
• These are all the tools available to you
• How many have you played with already?

Page 8

Ethical Hacking 101

0. Get Permission
1. Information Gathering
2. Recon – Scanning
3. Gain Access
4. Maintain Access
5. Cover Tracks – clean up

“Most of hacking is doing user and admin tasks with malicious intent.” – SANS SEC504 Class

Page 9

0. Get Permission

• You have permission to attack ONLY the following hosts:
  – 192.168.1.100
  – 192.168.1.110
  – 192.168.1.120
• Anything else is considered illegal!
• SSID: SFISSA
• WPA-PSK: SFISSArocks!
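The "Get Permission" rule is easy to break by accident: a hosts.txt that still contains the gateway, or the /24 from a ping sweep, turns an authorized lab scan into an unauthorized one. The following is an added example (not from the slides) of enforcing the scope before any scanner runs. AUTHORIZED holds exactly the three hosts the slide permits; SAMPLE_HOSTS_TXT is a constructed hosts.txt, and scoped_nmap_args is a hypothetical helper name.

```python
"""Scope gate for the lab's "Get Permission" rule.

Added example, not from the slides. AUTHORIZED holds exactly the three
hosts the slide permits; SAMPLE_HOSTS_TXT is a constructed hosts.txt.
"""
import ipaddress

# Exactly the hosts the "Get Permission" slide authorizes (192.168.1.1 is not one of them).
AUTHORIZED = frozenset(
    ipaddress.ip_address(h) for h in ("192.168.1.100", "192.168.1.110", "192.168.1.120")
)

# Constructed hosts.txt: what a student might feed to nmap -iL without checking scope.
SAMPLE_HOSTS_TXT = """\
# lab targets
192.168.1.100
192.168.1.110
192.168.1.120
192.168.1.1        # the gateway: the Configure slide says do not use it
192.168.1.0/24     # the ping-sweep range from the Real Scenario slide: not authorized here
metasploitable     # a bare hostname cannot be checked against an IP scope
"""


def in_scope(target: str) -> bool:
    """True only if every address the target expands to is individually authorized.

    Accepts a single IP or a CIDR range; a range is in scope only when all of
    its addresses are, so 192.168.1.0/24 is rejected even though it contains
    the three lab hosts.
    """
    net = ipaddress.ip_network(target.strip(), strict=False)
    if net.num_addresses > len(AUTHORIZED):
        return False
    return all(addr in AUTHORIZED for addr in net)


def filter_targets(lines):
    """Split target lines ('#' comments allowed) into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for raw in lines:
        target = raw.split("#", 1)[0].strip()
        if not target:
            continue
        try:
            ok = in_scope(target)
        except ValueError:      # not an IP address or CIDR at all
            ok = False
        (allowed if ok else blocked).append(target)
    return allowed, blocked


def scoped_nmap_args(hosts_txt: str, *nmap_opts: str):
    """Build the lab's nmap argument list, but only over in-scope targets.

    Raises ValueError instead of silently dropping out-of-scope entries, so a
    bad hosts.txt stops the scan rather than narrowing it behind your back.
    """
    allowed, blocked = filter_targets(hosts_txt.splitlines())
    if blocked:
        raise ValueError(f"out-of-scope targets in hosts.txt: {blocked}")
    return ["nmap", *nmap_opts, *allowed]


if __name__ == "__main__":
    allowed, blocked = filter_targets(SAMPLE_HOSTS_TXT.splitlines())
    print("allowed:", allowed)
    print("blocked:", blocked)
```

Failing closed is the design choice here: a hosts.txt with anything out of scope aborts the scan rather than quietly scanning only the permitted subset, which keeps the written permission and what actually ran identical.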

Page 10

1. Information Gathering

• We will be probing the three hosts which were already given.
• Some background
  – 100 and 110 are from Heorot.net
  – 120 is called Metasploitable
• Not much else to do here
  – No Google

Page 11

Real Scenario

• You would most likely need to identify live hosts:
  – Ping sweep: nmap -sP 192.168.1.0/24
  – DNS zone transfer: host -l <domain.local> <DNSserverip>
  – Netdiscover – BackTrack KDE
• Documentation
  – Create a txt file with the identified hosts, one per line.

Page 12

2. Recon

• We will start by probing the hosts to determine open ports:
  – nmap
• We can also run other automated tools, like a vulnerability scanner or web application scanner:
  – Nessus
  – Nikto

Page 13

nmap

• Nmap is:
  – Free and open source
  – A tool to discover, monitor, and troubleshoot TCP/IP
  – Cross platform
  – Simple to use
• http://nmap.org/

Page 14

Using nmap 101

• Millions of options
• nmap -h
• nmap [target] – scans the 1000 most common TCP ports
• nmap -F [target] – scans the 100 most common TCP ports
• nmap -iL filename.txt – scans all hosts in the file, one per line

Page 15

Using nmap 102

• nmap -sS [target] – SYN scan
• nmap -O – OS fingerprinting
• nmap -p80 – scans port 80
  – -p- – all ports
  – -p21,22,25,80 – scans those ports
• nmap -v – verbose
• nmap -n – do not resolve DNS
• Many cheat sheets online, and -h has many more
• Example
  – nmap -sSV -n -O -P0 192.168.1.100 > 100TCP.txt

Page 16

Lab

• Open a terminal
• cd to the location where hosts.txt is
• nmap -n -F -iL hosts.txt
  – This will do a quick scan (100 most common TCP ports) of each live host
• What did you find?
  – What now?
• Documentation
• http://192.168.1.100
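Both the "Real Scenario" slide (write the identified hosts to a txt file) and the lab's "Documentation" step are easier if the scanner's output is parsed rather than copied by hand. The following is an added example (not from the slides) that reads nmap's grepable output format (the real `-oG` option, which the slides do not mention) and produces the hosts.txt for the follow-up `-iL` scan plus a findings table. Both sample outputs are constructed for illustration, not real results from the lab hosts.

```python
"""Turn nmap grepable output (-oG) into the lab's documentation.

Added example, not from the slides. Both samples below are constructed,
not real scan results from the lab hosts. Assumes nmap's -oG line format:
  Host: <ip> (<name>)<TAB>Status: Up
  Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...
"""
import re

# Constructed -oG output of a ping sweep (nmap -n -sP -oG sweep.gnmap 192.168.1.0/24).
SAMPLE_PING_SWEEP = """\
# Nmap scan initiated (constructed sample) as: nmap -n -sP -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.110 ()\tStatus: Up
Host: 192.168.1.120 ()\tStatus: Up
# Nmap done (constructed sample) -- 256 IP addresses (4 hosts up) scanned
"""

# Constructed -oG output of the lab scan (nmap -n -F -oG lab.gnmap -iL hosts.txt).
SAMPLE_PORT_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -n -F -oG - -iL hosts.txt
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (98)
Host: 192.168.1.110 ()\tStatus: Up
Host: 192.168.1.110 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///\tIgnored State: closed (98)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+(.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports": [(port, proto, state, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # comment lines carry no host data
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "status": "", "ports": []})
        for field in rest.split("\t"):    # fields are tab separated: Status, Ports, Ignored State
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                for spec in value.split(", "):
                    parts = spec.strip().split("/")
                    if len(parts) < 5:
                        continue          # malformed port spec, skip rather than crash
                    port, state, proto, _owner, service = parts[:5]
                    entry["ports"].append((int(port), proto, state, service))
    return hosts


def live_hosts(hosts):
    """Addresses to write to hosts.txt, one per line, for the follow-up -iL scan."""
    return [ip for ip, e in hosts.items() if e["status"] == "Up" or e["ports"]]


def open_ports(hosts):
    """{ip: [(port, proto), ...]} keeping only ports nmap reported as open."""
    return {
        ip: sorted((p, proto) for p, proto, state, _svc in e["ports"] if state == "open")
        for ip, e in hosts.items()
    }


def document(hosts):
    """Plain-text findings table, one line per open port, for the engagement notes."""
    lines = ["host            port   proto  service"]
    for ip, e in hosts.items():
        for port, proto, state, service in sorted(e["ports"]):
            if state == "open":
                lines.append(f"{ip:<15} {port:<6} {proto:<6} {service or '?'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("hosts.txt contents:", *live_hosts(parse_grepable(SAMPLE_PING_SWEEP)), sep="\n")
    print(document(parse_grepable(SAMPLE_PORT_SCAN)))
```

Keeping the filtered and closed ports out of the table but the raw `-oG` file on disk is deliberate: the table answers "What did you find?", while the untouched scanner output is the evidence that backs it up.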

Page 17

Go at it

• The intro and scenario have been set
• Feel free to hack away at the three hosts:
  – 192.168.1.100
  – 192.168.1.110
  – 192.168.1.120

Page 18

Nessus

• Nessus is NOT a part of BackTrack, but it is the best vulnerability scanner available
• http://www.tenablesecurity.com
• For BackTrack 4, download the Ubuntu 8.04 32-bit .deb
• Install:
  – dpkg -i *.deb
  – /opt/nessus/sbin/nessus-adduser
  – Register: http://www.nessus.org/plugins/?view=register-info
  – Start Nessus: /etc/init.d/nessusd start
• https://localhost:8834/

Page 19

Nikto

• Web Server Scanner
• http://cirt.net/nikto2
• /pentest/scanners/nikto
• ./nikto.pl -host <websiteip>:<port>

Page 20

3. Gain Access

• Leverage findings from steps 1 and 2
• What have we found?
• Use Hydra to brute force ssh using possible usernames.

Page 21

3. Elevate Privileges

• The user you cracked doesn’t have enough privileges… how do you find who does?
  – cat /etc/passwd
  – cat /etc/group
• Bruteforce SSH with a known user that has sudo privs….

Page 22

Keep Going and Try Harder!!!

• Each scenario is different
• Use what you know and have experienced in the past in the current scenario.
• Tools won’t do it all, use your head!

Page 23

Conclusion and Take Away

• Get permission
• Run some scans on your hosts
  – Nmap
  – Nessus
  – Nikto
• Always be willing to learn more, try harder, and think harder

Page 24

Questions?

Jorge [email protected]
Twitter: jorgeorchilles
http://www.orchilles.com