
COVER STORY BackTrack

Looking for security holes with BackTrack

LIVE SEARCH

The BackTrack live distribution lets you act like an intruder to test your network's security.

BY RALF SPENNEBERG

Penetration testing is the art of breaking into your own network. Security consultants and system administrators use penetration testing to discover holes before an intruder can find them. Unfortunately, intruders use powerful tools for sniffing, snooping, cracking, and hiding out on a target network. If you want to simulate an attack, you could always download this large collection of applications and temporarily install them on whatever system you plan to use for the attack. However, searching for the right tools and then installing them on your system can take up hours or even days of your time.

A number of distributions are designed to support penetration testing. Two of the most popular distributions (Auditor and Whax) merged early this year to create the BackTrack distribution. BackTrack [1] is based on the Slackware live CD Slax [2].

In addition to a vast collection of intrusion tools, BackTrack also includes a large selection of applications for investigating and uncovering signs of clandestine entry. You can obtain BackTrack from the project website [1]. Or, if you have a copy of last month's Linux Magazine (March 2007), you'll find BackTrack on the Best of Live Distros DVD. This article will show you how to get started with BackTrack, and it also provides a glimpse of the many tools that are included on the BackTrack CD.

Figure 1: The KDE desktop lets admins easily navigate BackTrack's huge collection of programs.

ISSUE 77 APRIL 2007 WWW.LINUX-MAGAZINE.COM

BackTrack's KDE-based menu system provides access to dozens of security tools and other forensic-analysis applications (see Figure 1). Browsing the BackTrack menu is a little like browsing the many menus and submenus of a games distribution; only, instead of a bunch of games, the GUI is stocked with sniffers, spoofers, scanners, and other utilities to assist you with security testing. The tools are organized by group:

• Enumeration
• Exploit Archives
• Scanner
• Password Attacks
• Fuzzer
• Spoofing
• Sniffers
• Wireless Tools
• Bluetooth
• Cisco Tools
• Database Tools
• Forensic Tools

BackTrack's security tools will give system administrators everything they need in order to hunt down their security holes. The following sections will describe just a sampling of some of the tools that are available on the BackTrack CD.

Getting Started

BackTrack comes as a live CD, so to run it, you simply need to insert it in the CD drive and then boot the system. At the prompt, log on as root and then enter the root password toor before going on to set up the GUI with xconf. After you have completed the setup, simply type startx to launch the GUI. If an error occurs, try gui as a workaround for launching the graphical interface. If you need to, you can type dhcpcd to ask the DHCP server for an IP address. BackTrack does not do this automatically.

Figure 3: john lets admins test the strength of passwords. toor was cracked in a single round of guessing.

Figure 4: DSniff identifies user passwords transmitted by clear-text protocols.

Enumeration

Security analysis normally starts with an inventory of the computers, operating systems, and network services. The Enumeration menu provides some popular port scanners, such as NMap and the NMapFE front end, in addition to SNMP analysis tools and tools for accessing LDAP servers and Windows SMB shares. Submenus contain scanners for special protocols. For example, Nikto scans and analyzes web servers, while IKE Scan and IKEProbe help administrators analyze their virtual private networks (VPNs). After ascertaining the operating systems and services on the network, you can move on and search for matching exploits in three major vulnerability and exploit archives: Milw0rm [3], Metasploit [4], and Securityfocus [5].

Figure 2: NMapFE supports easy scanning; the tool is based on the popular NMap program.


If you need to crack password-protected services or find out how robust your passwords are, BackTrack offers a variety of tools for password attacks. In addition to the classic john cracker, which will have no trouble finding the root password (see Figure 3), you'll find a number of other tools for offline cracking of encrypted passwords or online password guessing.

Sniffing

Sniffers help network administrators scan their networks and test for secure protocols. BackTrack has a number of useful helpers, including the classic Ethereal, Etherape, Driftnet, and DSniff (see Figure 4), along with many other helpful sniffers.

It is even possible to crack SSH connections with BackTrack. sshow and sshmitm attack SSH connections that use version 1 of the SSH protocol (see Figure 5). Administrators can run sshmitm to launch a man-in-the-middle attack on an SSH connection.

To use sniffers on switched networks or to run sshmitm for a man-in-the-middle exploit, admins will also need spoofing tools. arpspoof or macof support sniffing on switched networks. While macof generates much conspicuous network traffic, arpspoof is a tool that is very difficult to detect. arpspoof attacks the ARP cache on the target systems, tricking the system into delivering packets to the sniffer via the switch. This is achieved by poisoning the ARP cache on the victim machines. (For more information on ARP spoofing, see the resources [6] [7].)

Figure 5: sshow exploits weaknesses in the SSH protocol and calculates the length of the username, the password, and the commands entered in the session.

Wireless

BackTrack also comes with a number of very useful tools for testing WLAN and Bluetooth networks. Among others, the collection of tools includes Aircrack, Airsnort, WEPAttack, and WEP_crack. Of course, the administrative workstation will need a WLAN interface to run these tools.

BackTrack supports common Bluetooth attack scenarios. Besides legacy exploit tools for Bluetooth networks – for finding vulnerable mobile phones, for example – the distribution also has auditing tools to help with identifying Bluetooth devices in the vicinity.

Web Servers and Databases

Because attacks today increasingly tend to target web applications and the underlying databases, the BackTrack distribution also has a number of programs that can help administrators with analyzing web applications and database systems. For example, curl supports script-based access to web servers; DMitry and HTTPrint will serve up useful information about web servers and domains (see Figure 6). If the web server is not configured correctly, httpput will support file uploads; list-urls extracts all the URLs from a website, and isr-form.pl analyzes the HTML forms. Last but not least, Nikto will analyze a web server to discover known vulnerabilities.

The Paros penetration proxy gives the system administrator the ability to modify HTTP requests before sending them to the web server. In this way, hidden fields in HTML forms and cookies can be manipulated to work around JavaScript plausibility tests for form input.

BackTrack also has automatic blind SQL injection scripts and brute-force password crackers for database analysis. Tools such as Absinthe (see Figure 7) provide automatic mechanisms to simplify the analysis process.

Figure 6: httprint can reveal the web server software for an application server.

Cisco: A Special Case

The BackTrack developers also provide tools for analyzing Cisco network devices. First and foremost, there are two tools that exploit known vulnerabilities in Cisco devices: Cisco Global Exploiter and Yersinia. Yersinia is particularly interesting because it attacks Cisco's proprietary Layer 2 protocols to enable VLAN hopping. System administrators can use the Yersinia tool to reprogram the port used by the current connection to make the connection part of a different VLAN. However, as VLANs are often used to separate networks for security reasons, this can be very dangerous. In (all too) many environments, the people in charge do not pay enough attention to their switches; therefore, Yersinia exploits work more often than you might expect them to. The Cisco vulnerability scanner, Cisco Torch, helps system administrators close the gaps.

BackTrack is also useful for forensic analysis of systems after a suspected compromise. The forensic team includes the tried-and-trusted Sleuthkit and Autopsy tools, versions 2.03 and 2.06, respectively. The Foremost [8] tool helps analysts identify and restore deleted files purely based on their content. This is what forensics specialists refer to as file carving.

Miscellaneous

In addition to penetration, scanning, and forensics tools, BackTrack has a number of interesting tunneling applications. SSLTunnel encrypts arbitrary TCP connections; NSTX or OzymanDNS set up tunnels via the DNS protocol, using mandatory caching name servers as proxies. You'll also find a special Hijetter tool for Jetdirect printers. The Hijetter tool gives the user access to variables, the display, and also to the filesystem.

Documentation is another important consideration. The BackTrack distribution includes the revolutionary Leo [9] editor. The Leo editor has a very intelligent outline mode, featuring the ability to launch scripts directly within a document. The Leo editor also supports intelligent access to the integrated file browser. Because Leo is written in Python, system administrators can use the browser to write their own Python scripts or even use it to write very simple plugins.

Figure 7: Absinthe makes child's play of SQL injection.

For Ever and Ever

If you enjoy the experience of working with BackTrack, you might like to have the ability to save data or update the applications. If this is the case, you can install BackTrack on a hard disk or on a USB stick. To do so, just select BackTrack Installer in the System menu (see Figure 8). After selecting the target medium, you will also need to decide whether to install a live version (700 MB) or else opt for a genuine Linux system (2.7 GB). Opt for the genuine Linux system option if you really want to update applications and also to store your data.

Figure 8: Run the installer to install BackTrack on your disk.

Conclusions

The BackTrack distribution is something that no system administrator's toolbox should be without. The BackTrack distribution provides sysadmins with everything necessary to test the security posture of a network.

The BackTrack developers are currently working on version 2.0, which will include updates to many of the tools in the BackTrack collection. Other changes in the new version include aufs with zlib compression instead of UnionFS, dual core support, and new tools like defcon, blackhat, and packetstorm. New features include network boot and cracking cluster support. A beta version of BackTrack 2.0 is on the BackTrack site [1].

INFO

[1] BackTrack: http://www.remote-exploit.org
[2] Slax: http://www.slax.org
[3] Milw0rm: http://www.milw0rm.com
[4] Metasploit: http://www.metasploit.org
[5] Securityfocus: http://www.securityfocus.com
[6] ARP spoofing: http://de.wikipedia.org/wiki/ARP-Spoofing
[7] "Traffic Tricks: ARP Spoofing and Poisoning," by Thomas Demuth and Achim Leitner, Linux Magazine, July 2005; http://www.linux-magazine.com/issue/56/ARP_Spoofing.pdf
[8] Foremost: http://foremost.sourceforge.net
[9] Leo: http://webpages.charter.net/edreamleo/
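The Sniffing section above notes that arpspoof is hard to detect because it only poisons the victims' ARP caches. The one trace it cannot avoid leaving is a change in IP-to-MAC bindings, which is what an arpwatch-style monitor looks for. The following Python script is an added example, not code from the article or from BackTrack: it runs that check over a constructed list of observed ARP replies (all addresses, MACs and timestamps are made up), and the gateway_ip parameter is this example's own.

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies.

Added example: an arpwatch-style check over constructed data. The IPs,
MACs and timestamps are made up; nothing here is BackTrack's own code.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) per ARP reply seen
# on a switched LAN. 10.0.0.1 is the gateway, 10.0.0.20 a victim, and
# 00:11:22:33:44:ee the sniffer host that starts poisoning at 09:05.
SAMPLE_ARP_REPLIES = [
    ("09:00:01", "10.0.0.1",  "00:11:22:33:44:01"),
    ("09:00:02", "10.0.0.20", "00:11:22:33:44:20"),
    ("09:00:03", "10.0.0.30", "00:11:22:33:44:30"),
    ("09:05:10", "10.0.0.1",  "00:11:22:33:44:EE"),  # gateway now "at" sniffer
    ("09:05:10", "10.0.0.20", "00:11:22:33:44:EE"),  # victim now "at" sniffer
    ("09:05:12", "10.0.0.1",  "00:11:22:33:44:EE"),  # refresh, already known
]


def detect_arp_poisoning(replies, gateway_ip=None):
    """Return alert strings for two signals of a poisoned ARP cache.

    1. An IP's MAC changes after first being learned (a legitimate NIC
       swap also does this, so a human still has to judge the alert).
    2. One MAC claims several IPs, which is what poisoning both a victim
       and its gateway looks like when one host answers for both of them.
    Alerts are emitted once per new binding, not per repeated reply.
    """
    ip_to_mac = {}                 # current binding per IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()          # normalise case before comparing
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            kind = "GATEWAY" if ip == gateway_ip else "HOST"
            alerts.append(f"{ts} {kind} {ip} changed {known} -> {mac}")
            ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ",".join(sorted(mac_to_ips[mac]))
                alerts.append(f"{ts} MAC {mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, gateway_ip="10.0.0.1"):
        print(line)
```

On the sample data the first three replies produce no alerts; the poisoning at 09:05 yields a gateway change, a host change, and one MAC claiming two IPs, while the repeated reply at 09:05:12 is correctly ignored.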
