
Backtrack 5 Complete Tutorial

The Backtrack 5 Complete Tutorial is a series of tutorials that show how to use every tool included in the Backtrack 5 Live CD. They are separated into the groups in which they appear on Backtrack:

Information Gathering
Vulnerability Assessment
Exploitation Tools
Privilege Escalation
Maintaining Access
Reverse Engineering
RFID Tools
Stress Testing
Forensics
Reporting Tools
Services
Miscellaneous

Backtrack 5 Information Gathering

1. Network Analysis
   Bluetooth Analysis: bluediving, btscanner
   DNS Analysis: dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce, lbd

Network Analysis
Bluetooth Analysis


bluediving
Bluediving is a software suite specializing in Bluetooth penetration testing. Bluediving itself comprises several tools, such as BlueBug and BlueSnarf. Using these tools, Bluediving is able to provide a single platform for launching nearly every type of Bluetooth based attack. Bluediving presents a simple, easy to use command line where the user is given the option of choosing attack targets, choosing attack methods, and even enumerating the various Bluetooth devices discovered. The top level menu looks like this:

[MAIN MENU]
menu:
[1] Scan
[2] Scan and attack
[3] Scan and info
[4] Scan for ...
[5] Add known device
[6] Change preferences
[7] Show preferences
[a] Action
[e] Exploit
[i] Info
[t] Tools
[+] Show logfile
-----------------------------------------------------
[x] Exit

btscanner
btscanner is a utility used to gather as much information as possible from an unpaired Bluetooth device. It is specifically aimed at extracting information from unpaired devices, such as IEEE OUI numbers, and possible host identification. The below example shows how to use btscanner to scan for available Bluetooth devices.
Example usage: btscanner
Enter 'i' to begin a scan for devices, and then 'a' to abort the scan once devices are found. Select the discovered device by pressing "Enter" to see more information about the target.

DNS Analysis
dnsdict6
dnsdict6 is a utility used to enumerate a domain for IPv6 DNS entries, meaning it will try to find as many IPv6 (AAAA record) DNS records for the selected domain as possible. This is useful for finding subdomains that may be invisible to the public, but still exist in DNS records. Often, these forgotten domains are outdated and can be a vector for exploit based attacks against the domain. dnsdict6 uses a dictionary list to guess possible DNS entries.
Example usage: dnsdict6 google.com

dnsenum.pl
dnsenum is a Perl utility used to collect as much information as possible regarding a domain. It collects basic information such as A records (host addresses), nameservers, and MX records (mail hosts), but also extracts useful information such as BIND versions and searches for unlisted subdomains using a dictionary based attack. dnsenum also has reverse lookup utilities that can perform reverse DNS lookups for C class network ranges. In the example below, we use dnsenum in order to look for as much information as possible for the technology-flow.com domain.

Example usage: ./dnsenum.pl --enum -f dns.txt --update a -r technology-flow.com

dnsmap
dnsmap is a utility used to create a list of hosts and DNS records for a domain. It uses a word list to search for possible subdomains, and can output results in several different formats, such as CSV or plain .txt. In the examples below, we use the dnsmap utility to attempt to map the hosts that technology-flow.com uses. In the second example, a wordlist is used to guess subdomains, and then the results are written to /root/results.txt. The final example simply writes the results to /root/results.txt.
Example usage: dnsmap technology-flow.com
Example usage: dnsmap technology-flow.com -w wordlist.txt -r /root/results.txt
Example usage: dnsmap technology-flow.com -r /root/results.txt

dnsrecon
dnsrecon is a Python based utility. Currently, dnsrecon has 6 features that make it great for gathering information about a domain or IP address from DNS records:
1. Reverse lookups for IP blocks
2. Top level domain expansion
3. DNS host and domain bruteforce
4. A, NS, SOA and MX record lookups
5. Zone transfer for each NS server found
6. Find SRV records

In the example below, dnsrecon is used in order to guess subdomains (brute force option -t brt) for technology-flow.com, using dictionary.lst as the dictionary file to pull entries from.
Example usage: ./dnsrecon.py -t brt -d technology-flow.com -D dictionary.lst

dnstracer
dnstracer is a program that reports the chain of DNS servers that a DNS request traverses in order to complete a lookup. It tells the user which servers have authority for a zone, and the intermediary DNS nodes that were found along the way. This tool is very simple to use; the below example uses dnstracer to verbosely find DNS server information for a lookup of technology-flow.com.

Example usage: dnstracer -v technology-flow.com

dnswalk
dnswalk is a Perl script that helps debug DNS servers. It can run zone transfers for domains, and can help check the consistency and accuracy of records. While originally intended for use as a DNS debugger, dnswalk can be used in order to gather information about a particular target domain or target DNS server. In the example below, we look up information for the technology-flow.com domain. Note the trailing ".", which is an important part of the domain name system (it marks the name as fully qualified). Also note that dnswalk provides as much information in its error/warning messages (many servers don't allow zone transfers) as it does in successfully completed queries and transfers.
Example usage: ./dnswalk technology-flow.com.

fierce
fierce is a Perl program that aims to scan for non contiguous IP address space. This means it uses a brute force DNS lookup method in order to search for allocated/unallocated IP addresses for a domain. This information is useful for other scanners, such as nmap, nessus, or nikto, since IP information is needed for these utilities. In the first example below, we scan for IP addresses in the 111.222.333.0/24 range, using ns1.nameserver.com as the nameserver. Next, we use fierce in order to scan a particular domain, technology-flow.com.
Example usage: ./fierce.pl -range 111.222.333.0-255 -dnsserver ns1.nameserver.com
Example usage: ./fierce.pl technology-flow.com

lbd
lbd is a proof of concept shell script that attempts to detect whether a domain uses a load balancing system. In order to do this, it looks for both DNS and HTTP load balancing, and attempts to calculate whether either is used. This is useful in gathering information regarding a domain's architecture, as well as how a domain may react to a sudden increase in traffic, such as that caused by a Distributed Denial of Service (DDoS) attack. In this example, we check whether technology-flow.com uses load balancing (it does not):
Example usage: ./lbd.sh technology-flow.com
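The two heuristics lbd applies (DNS-based and HTTP-based load balancing detection), written out as an added example that is not part of the tutorial or of the lbd script itself; the lookup answers and response headers are constructed samples so the logic can be run offline against your own domain's data.

```python
# Added example, not code from the tutorial or from the lbd script: the two
# heuristics lbd applies (DNS-based and HTTP-based load balancing detection)
# run over constructed sample data so the logic can be checked offline.
from email.utils import parsedate_to_datetime

# Constructed samples: A records returned by repeated lookups of one name.
DNS_ROTATING = [["203.0.113.10", "203.0.113.11"], ["203.0.113.11", "203.0.113.10"]]
DNS_SINGLE = [["203.0.113.10"], ["203.0.113.10"], ["203.0.113.10"]]

# Constructed samples: headers from repeated HTTP requests to the same host.
HTTP_MIXED_SERVERS = [
    {"Server": "nginx/1.18.0", "Date": "Tue, 03 May 2011 10:00:00 GMT"},
    {"Server": "Apache/2.2.17", "Date": "Tue, 03 May 2011 10:00:00 GMT"},
]
HTTP_CLOCK_SKEW = [
    {"Server": "nginx/1.18.0", "Date": "Tue, 03 May 2011 10:00:05 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Tue, 03 May 2011 09:59:50 GMT"},
]
HTTP_ONE_BACKEND = [
    {"Server": "nginx/1.18.0", "Date": "Tue, 03 May 2011 10:00:00 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Tue, 03 May 2011 10:00:01 GMT"},
]

def dns_load_balanced(lookups):
    """DNS balancing is indicated when repeated lookups return more than one
    address overall, or the same addresses in a different (round-robin) order."""
    addresses = {ip for answer in lookups for ip in answer}
    orders = {tuple(answer) for answer in lookups}
    return len(addresses) > 1 or len(orders) > 1

def http_load_balanced(responses):
    """HTTP balancing is indicated when the Server header changes between
    responses, or when Date headers go backwards (backends with unsynced
    clocks). Returns (decision, reason)."""
    servers = {r.get("Server", "") for r in responses}
    if len(servers) > 1:
        return True, "Server header differs: " + ", ".join(sorted(servers))
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    for earlier, later in zip(dates, dates[1:]):
        if later < earlier:
            return True, "Date header moved backwards between consecutive responses"
    return False, "responses are consistent with a single backend"

def lbd_report(domain, lookups, responses):
    """Summarise both checks the way lbd reports them for one domain."""
    dns = dns_load_balanced(lookups)
    http, reason = http_load_balanced(responses)
    return {"domain": domain, "dns_lb": dns, "http_lb": http, "reason": reason}

if __name__ == "__main__":
    print(lbd_report("example.com", DNS_ROTATING, HTTP_CLOCK_SKEW))
```

A single backend can still show a backwards Date if its own clock is stepped, so treat the HTTP result as a hint to confirm against the DNS check rather than proof on its own.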

Forensics

Anti Virus Forensic Tools: chkrootkit, rkhunter
Digital Anti Forensics: Install truecrypt
Digital Forensics: hexedit
Forensic Analysis Tools: bulk_extractor, evtparse, exiftool, missidentify, mork, pref, PTK, readpst, reglookup, stegdetect, vinetto
Forensic Carving Tools: fatback, foremost, magicrescue, recoverjpeg, safecopy, scalpel, scrounge-ntfs, testdisk
Forensic Hashing Tools: hashdeep, md5deep, sha1deep, sha256deep, tigerdeep, whirlpooldeep
Forensic Imaging Tools: air, dc3dd, ddrescue, ewfacquire
Forensic Suites: PTK Setup, Autopsy, Sleuthkit
Network Forensics: Driftnet, p0f, tcpreplay, Wireshark, Xplico
Password Forensics Tools: CmosPwd, fcrackzip, samdump
PDF Forensic Tools: pdfid, pdf-parser, peepdf, pdfbook
RAM Forensics Tools: pdgmail, PTK, Volatility

Anti Virus Forensic Tools


chkrootkit
chkrootkit is a utility that will check for signs that a device is infected with a rootkit. It runs on Linux, FreeBSD, and OSX. It uses standard utilities such as awk, grep, netstat, cut, echo, and more in order to detect signatures that suggest rootkits. The standard use of chkrootkit should include an alternate path to trusted binaries (don't trust the binaries on a machine you are scanning, since a rootkit may have replaced them), along with the path to the directory to be scanned.
Example usage: chkrootkit -p <path-to-trusted-binaries> -r <root-path-to-scan>

rkhunter
rkhunter is another utility used to check for signs of rootkits on Unix based systems. Usually, you will want to run the scan against a mounted filesystem, using a trusted set of binaries. In the below example, the --sk option sets it so that a keypress isn't required after each test run.
Example usage: rkhunter -c --sk

Digital Anti Forensics

Install truecrypt
This script is used to install Truecrypt, software that is used to create encrypted files using various encryption ciphers. It contains features such as hidden partitions inside the encryption file, as well as the ability to use files and text passwords as keys to the encryption file. Look here for a more in depth Truecrypt tutorial.

Digital Forensics
hexedit
hexedit is a program that gives the user the ability to view a file in hexadecimal and ASCII view. It offers the ability to read a device as a file. It includes built in key shortcuts to make it fast and easy to edit and analyze files, including skipping to specific memory locations, cutting and pasting, changing views and modes, and key bindings similar to those of emacs.
Example usage: hexedit <filename>

Forensic Analysis Tools

bulk_extractor
bulk_extractor is a utility that scans many types of information storage (files, folders, disk images) and outputs the information that it finds in them. What separates bulk_extractor from other similar tools is its speed. bulk_extractor doesn't parse file system structures on the input, so it is able to process the scan faster, and thus more thoroughly. This tool outputs the information found in feature files such as ccn.txt (credit card numbers), email.txt (email addresses), exif.txt (EXIF data from media files), url.txt (URLs found), and more.
Example usage: bulk_extractor -o <output directory> input
Note that the output directory must not already exist.
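To show what scanning without parsing the filesystem means in practice, here is an added example (not the tutorial's or bulk_extractor's own code) that regex-scans a raw byte buffer for email addresses, URLs and Luhn-valid card numbers and writes one feature file per type; the sample "image" bytes are constructed.

```python
# Added example, not the tutorial's or bulk_extractor's own code: a small
# scanner that works the way bulk_extractor does, regex-scanning raw bytes
# without interpreting any filesystem, and writing one feature file per type
# (email.txt, url.txt, ccn.txt) into an output directory that must not exist.
import os
import re

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&_%-]+")
# 16 digits, optionally separated by spaces or dashes, not inside a longer run.
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; filters random digit runs that merely look like card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(blob):
    """Return {feature: [(byte_offset, value), ...]} for one raw byte buffer."""
    found = {"email": [], "url": [], "ccn": []}
    for m in EMAIL_RE.finditer(blob):
        found["email"].append((m.start(), m.group().decode()))
    for m in URL_RE.finditer(blob):
        found["url"].append((m.start(), m.group().decode()))
    for m in CCN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found["ccn"].append((m.start(), digits))
    return found

def write_features(found, outdir):
    """Like bulk_extractor -o: refuse to write into an existing directory."""
    os.mkdir(outdir)  # raises FileExistsError if outdir already exists
    for name, items in found.items():
        with open(os.path.join(outdir, name + ".txt"), "w") as fh:
            fh.writelines(f"{off}\t{val}\n" for off, val in items)

# Constructed sample "image": unallocated bytes with fragments and no filesystem.
SAMPLE = (b"\x00" * 16 + b"contact: alice@example.com see http://example.com/x?id=1 "
          b"card 4111 1111 1111 1111 junk 1234 5678 9012 3456 " + b"\xff" * 8)

if __name__ == "__main__":
    for feature, items in scan(SAMPLE).items():
        print(feature, items)
```

The byte offset recorded with each hit is what lets an investigator go back to the image and recover the surrounding context later.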

evtparse.pl
This utility takes .evt files, which contain log information for use by the Windows event manager, and parses them into something useful for investigators. Specifically, it dumps the events as a timeline.
Example usage: evtparse.pl -e <event_log>

exiftool
exiftool allows users to read or write metadata (like EXIF) in image, video, and audio files. Here are a few examples from the exiftool manpage:
Example usage: exiftool -a -u -g1 <image_file>
Example usage: exiftool -Comment='Enter a comment in quotes here' <image_file>

missidentify
The missidentify tool finds Windows 32-bit executable files. It can search recursively through folders in order to find them, and then displays the results back to the user. Standard usage would usually include searching recursively (the -r option).
Example usage: missidentify -r <location>

mork.pl
A Perl script that will strip information from a Mork database file. Mork files were previously used by Mozilla programs to store information, such as Firefox browsing history and Thunderbird contacts. While newer Firefox versions now use SQLite database files to store browser information, Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file with information from a Mork file input.
Example usage: mork.pl --html <Mork_file>

pref.pl
This Perl script parses the content of Windows XP and Windows Vista prefetch files and directories. The output can be set to comma separated values (.csv) for easier viewing. In the following example, pref.pl is used to parse data from a folder containing prefetch files from Vista (the default is XP) and output it as a csv file.
Example usage: pref.pl -v -f <prefetch_file> -c

ptk
PTK is a forensics toolkit, similar to the Sleuthkit toolkit. It contains built in modules in order to analyze nearly any type of media or filetype that may be encountered in a forensics investigation. It is browser based, and first needs to have a MySQL database configured. Leave all fields as default, and use the password "toor" for the root user in MySQL. It should set up successfully, at which point you need to register for the free version. Copy the license file you received into the config directory for PTK located at /var/www/ptk/config.

http://technology-flow.com/wp-content/uploads/2011/05/ptk.png

Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built in tools will help you pull information from the image(s).

Volatility
Volatility is a framework written in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type, and can provide deep insight into the state of the system while it was running. The Volatility Framework has been tested on Windows, OS X, Linux, and even Cygwin. In the example below, we use Volatility in order to list the processes that were running on the system when the RAM image ram.img was taken.
Example usage: volatility pslist -f ram.img
