The Backtrack 5 Complete Tutorial is a series of tutorials that show how to use every tool included on the Backtrack 5 Live CD. They are separated into the groups in which the tools appear in the Backtrack menu:
Information Gathering, Vulnerability Assessment, Exploitation Tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID Tools, Stress Testing, Forensics, Reporting Tools, Services, Miscellaneous
The Information Gathering tools covered in this part are grouped under Bluetooth Analysis (bluediving, btscanner) and DNS Analysis (dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce, lbd).
btscanner
btscanner is a utility used to gather as much information as possible from an unpaired Bluetooth device. It is specifically aimed at extracting information from devices that have not been paired with, such as the IEEE OUI portion of the device address (which identifies the manufacturer) and possible host identification. The example below shows how to use btscanner to scan for available Bluetooth devices. Sample Usage: btscanner. In the btscanner screen, press 'i' to begin an inquiry scan for devices, then 'a' to abort the scan once devices have been found. Select a discovered device and press Enter to see more information about the target.
DNS Analysis
dnsdict6
dnsdict6 is a utility used to enumerate a domain for IPv6 DNS entries, meaning it will try to find as many IPv6 (AAAA) records for the selected domain as possible. This is useful for finding subdomains that may be invisible to the public but still exist in DNS. Often these forgotten domains are outdated and can be a vector for exploit-based attacks against the organisation. dnsdict6 uses a dictionary list to guess possible DNS entries. Sample Usage: dnsdict6 google.com
dnsenum.pl
dnsenum is a Perl utility used to collect as much information as possible about a domain. It collects basic information such as A records (host addresses), nameservers and MX records (mail hosts), but also extracts useful details such as BIND versions and searches for unlisted subdomains using a dictionary-based attack. dnsenum also has reverse lookup functions that can perform reverse DNS lookups over class C (/24) network ranges. In the example below, we use dnsenum to look for as much information as possible about the technology-flow.com domain.
dnsmap
dnsmap is a utility used to create a list of hosts and DNS records for a domain. It uses a word list to search for possible subdomains, and can output results in several formats, such as CSV or plain .txt. In the examples below, we use dnsmap to map the hosts that technology-flow.com uses. The first example uses dnsmap's built-in word list. In the second example, a user-supplied word list (-w) is used to guess subdomains and the results are written (-r) to /root/results.txt. The final example simply writes the results to /root/results.txt.
Sample Usage: dnsmap technology-flow.com
Sample Usage: dnsmap technology-flow.com -w wordlist.txt -r /root/results.txt
Sample Usage: dnsmap technology-flow.com -r /root/results.txt
dnsrecon
dnsrecon is a Python-based utility. Currently, dnsrecon has 6 features that make it great for gathering information about a domain or IP address from DNS records:
1. Reverse lookups for IP blocks
2. Top level domain expansion
3. DNS host and domain brute force
4. A, NS, SOA and MX record lookups
5. Zone transfer attempt against each NS server found
6. Find SRV records
In the example below, dnsrecon is used to guess subdomains of technology-flow.com (the brute force option, -t brt), using dictionary.lst as the dictionary file to pull entries from. Sample Usage: ./dnsrecon.py -t brt -d technology-flow.com -D dictionary.lst
dnstracer
dnstracer is a program that reports the chain of DNS servers a DNS request passes through in order to complete a lookup. It tells the user which servers are authoritative for a zone, and which intermediary DNS nodes were found along the way. This tool is very simple to use; the example below uses dnstracer to verbosely find DNS server information for a lookup of technology-flow.com.
dnswalk
dnswalk is a Perl script that helps debug DNS servers. It can run zone transfers for domains, and can help check the consistency and accuracy of records. While originally intended as a DNS debugger, dnswalk can be used to gather information about a particular target domain or target DNS server. In the example below, we look up information for the technology-flow.com domain. Note the trailing ".", which marks a fully qualified name and is an important part of the domain name system; dnswalk expects it. Also note that dnswalk provides as much information in its error/warning messages (many servers don't allow zone transfers) as it does in successfully completed queries and transfers. Sample Usage: ./dnswalk technology-flow.com.
fierce
fierce is a Perl program that aims to locate non-contiguous IP address space belonging to a domain. It uses brute force DNS lookups to search for allocated/unallocated IP addresses for a domain. This information is useful as input for other scanners, such as nmap, nessus or nikto, since those utilities need IP addresses to work against. In the first example below, we scan for hostnames in the 111.222.333.0/24 range (a placeholder range as written in the tutorial; 333 is not a valid octet), using ns1.nameserver.com as the nameserver. Next, we use fierce to scan a particular domain, technology-flow.com; note that fierce.pl expects the domain after its -dns switch, so the second command as written in the tutorial needs -dns before the domain name.
Sample Usage: ./fierce.pl -range 111.222.333.0-255 -dnsserver ns1.nameserver.com
Sample Usage: ./fierce.pl -dns technology-flow.com
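The dictionary-based tools above (dnsdict6, dnsmap, dnsrecon -t brt and fierce) all work the same way: take each word from a list, append the target domain, and keep the names that resolve. The check a practitioner must make first is for a wildcard record, which makes every guess resolve and turns the whole wordlist into false positives. The following is an added example of that logic in Python; it is not code from the tutorial or from any of those tools. The zone it queries is constructed inside the script (the reserved example.test domain and the 192.0.2.0/24 and 2001:db8::/32 documentation ranges) so it runs offline; system_lookup is the real resolver path and is used when no lookup function is injected.

```python
"""Dictionary-based subdomain discovery with wildcard filtering.

Added example, not code from the Backtrack tutorial or from dnsmap/dnsrecon/fierce.
The lookup function is injectable so the logic can be exercised offline against a
constructed zone; by default the system resolver is used.
"""
import random
import socket
import string


def system_lookup(name):
    """Return the set of IPv4/IPv6 addresses for name, empty if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def wildcard_answers(domain, lookup, probes=2):
    """Resolve random labels under the domain; any answer means a wildcard record exists."""
    answers = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
        answers |= lookup(f"{label}.{domain}")
    return answers


def brute_force(domain, wordlist, lookup=system_lookup):
    """Return {fqdn: addresses} for wordlist entries that resolve to something
    other than the wildcard answer set (A and AAAA alike, as dnsdict6 does)."""
    wildcard = wildcard_answers(domain, lookup)
    found = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue
        fqdn = f"{word}.{domain}"
        addrs = lookup(fqdn)
        if not addrs:
            continue
        if wildcard and addrs <= wildcard:
            continue  # indistinguishable from the wildcard answer: a false positive
        found[fqdn] = addrs
    return found


# Constructed zone used only to demonstrate the logic offline (not real data).
CONSTRUCTED_ZONE = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.20", "2001:db8::20"},
    "old-dev.example.test": {"192.0.2.99"},
}
WILDCARD_ANSWER = {"192.0.2.250"}  # what *.example.test resolves to


def constructed_lookup(name):
    """Offline stand-in for system_lookup over the constructed zone."""
    if name in CONSTRUCTED_ZONE:
        return set(CONSTRUCTED_ZONE[name])
    if name.endswith(".example.test"):
        return set(WILDCARD_ANSWER)
    return set()


WORDLIST = ["www", "mail", "ftp", "old-dev", "# a comment line", "staging"]


def demo():
    """Run the brute force against the constructed zone; ftp and staging are
    wildcard hits and must be filtered out."""
    return brute_force("example.test", WORDLIST, lookup=constructed_lookup)


if __name__ == "__main__":
    for fqdn, addrs in sorted(demo().items()):
        print(fqdn, ", ".join(sorted(addrs)))
```

Against a real target, call brute_force("target.example", open("wordlist.txt")) with the default lookup; the wildcard probe is the part the one-line tool invocations in the tutorial hide, and it is the first thing to check when a run returns hundreds of "subdomains" that all share one address.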
lbd
lbd (load balancing detector) is a proof-of-concept shell script that attempts to detect whether a domain sits behind a load balancing system. It checks for both DNS-based load balancing (several addresses, or answers that change between queries) and HTTP-based load balancing (response headers that differ between requests), and reports whether either is in use. This is useful for understanding a domain's architecture, as well as how it may react to a sudden increase in traffic, such as a Distributed Denial of Service (DDoS) attack. In this example, we check whether technology-flow.com uses load balancing (it does not): Sample Usage: ./lbd.sh technology-flow.com
Forensics
The forensics tools covered in this part of the tutorial (the Backtrack menu groups them under headings such as Anti Virus Forensic Tools, Digital Forensics, Forensic Suites and Network Forensics): chkrootkit, rkhunter, Install truecrypt, hexedit, bulk_extractor, evtparse, exiftool, missidentify, mork, pref, PTK, readpst, reglookup, stegdetect, vinetto, fatback, foremost, magicrescue, recoverjpeg, safecopy, scalpel, scrounge-ntfs, testdisk, hashdeep, md5deep, sha1deep, sha256deep, tigerdeep, whirlpooldeep, air, dc3dd, ddrescue, ewfacquire, PTK Setup, Autopsy, Sleuthkit, Driftnet, p0f, tcpreplay, Wireshark, Xplico, CmosPwd, fcrackzip, samdump, pdfid, pdf-parser, peepdf, pdfbook, pdgmail, PTK, Volatility
Anti Virus Forensic Tools
rkhunter
rkhunter is another utility used to check for signs of rootkits on Unix-based systems. Usually you will want to run the scan against a mounted filesystem using a trusted set of binaries, since a rootkit on the live system may have replaced the very tools rkhunter relies on (rkhunter's --bindir option tells it where to find known-good binaries). In the example below, -c (--check) runs the checks and --sk (--skip-keypress) means a keypress isn't required after each group of tests. Sample Usage: rkhunter -c --sk
Digital Forensics
hexedit
hexedit is a program that lets the user view a file in hexadecimal and ASCII side by side. It can also open a device (for example a disk) as a file. It has built-in key shortcuts, similar to those of emacs, that make it fast and easy to edit and analyze a file, including jumping to specific offsets, cutting and pasting, and changing views and modes. Sample usage: hexedit <filename>
evtparse.pl
This Perl script takes .evt files, the binary event log files written by the Event Log service on Windows up to XP/2003 (Vista and later write the .evtx format, which this script does not read), and parses them into something useful for investigators. Specifically, it dumps the events as a timeline. Sample usage: evtparse.pl -e <event_log>
exiftool
exiftool allows users to read or write metadata (such as EXIF) in image, video and audio files. Here are a few examples from the exiftool manpage. The first prints all metadata in the file, including duplicate (-a) and unknown (-u) tags, sorted by group (-g1); the second writes a Comment tag. Note that writing modifies the file (exiftool keeps a copy as <image_file>_original), which matters when the file is evidence.
Sample usage: exiftool -a -u -g1 <image_file>
Sample usage: exiftool -Comment='Enter a comment in quotes here' <image_file>
missidentify
The missidentify tool finds Windows 32-bit executable files by their content rather than their file extension, so executables that have been renamed to hide are still found. It can search recursively through folders, and then displays the results back to the user. Standard usage would usually include searching recursively (the -r option). Sample usage: missidentify -r <location>
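What "finds executables by content" means in practice is checking the PE headers instead of trusting the extension. Below is an added example in Python that does this walk over a directory tree; it is not the missidentify source. A file is reported when it starts with the 'MZ' DOS stub, the e_lfanew field at offset 0x3C points at a 'PE\0\0' signature, and the Machine field of the IMAGE_FILE_HEADER that follows is read to tell 32-bit (0x14C) from x64 (0x8664) images. The sample files it scans are constructed in a temporary directory (a fake PE header, not a runnable program, named notes.txt, and a text file named readme.exe) so it runs offline.

```python
"""Find Windows executables by content, not extension (what missidentify -r does).

Added example, not the missidentify source. Offsets follow the public PE format:
'MZ' at 0, e_lfanew (uint32) at 0x3C, 'PE\0\0' at e_lfanew, Machine (uint16) right after.
"""
import os
import struct
import tempfile

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def pe_machine(path):
    """Return the PE machine name for path, or None if it is not a PE file."""
    try:
        with open(path, "rb") as f:
            header = f.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return None
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
            f.seek(e_lfanew)
            sig_and_machine = f.read(6)  # 'PE\0\0' + Machine
    except OSError:
        return None
    if len(sig_and_machine) < 6 or sig_and_machine[:4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", sig_and_machine, 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:x})")


def find_executables(root):
    """Walk root recursively; return {path: machine} for every PE file found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            machine = pe_machine(path)
            if machine is not None:
                results[path] = machine
    return results


def make_fake_pe(path, machine=0x14C):
    """Write a minimal PE header (constructed sample input, not a runnable program)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE header at 0x40
    file_header = struct.pack("<H", machine) + b"\0" * 18  # IMAGE_FILE_HEADER, rest zeroed
    with open(path, "wb") as f:
        f.write(bytes(dos) + b"PE\0\0" + file_header)


def demo():
    """Build a constructed directory tree and return {relative path: machine}."""
    with tempfile.TemporaryDirectory() as d:
        make_fake_pe(os.path.join(d, "notes.txt"))              # PE hiding behind .txt
        os.makedirs(os.path.join(d, "sub"))
        make_fake_pe(os.path.join(d, "sub", "svc.dll"), 0x8664)  # x64 image in a subfolder
        with open(os.path.join(d, "readme.exe"), "wb") as f:
            f.write(b"just text, not a program")               # .exe that is not a PE
        found = find_executables(d)
        return {os.path.relpath(p, d).replace(os.sep, "/"): m for p, m in found.items()}


if __name__ == "__main__":
    for path, machine in sorted(demo().items()):
        print(machine, path)
```

Running find_executables over a mounted evidence image is the content-based sweep missidentify performs; the extension of readme.exe is ignored and notes.txt is flagged.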
mork.pl
A Perl script that extracts information from a Mork database file. Mork files were used by Mozilla programs to store information such as Firefox browsing history and Thunderbird contacts. While newer Firefox versions use SQLite database files for browser data, Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file from the contents of a Mork file. Sample usage: mork.pl --html <Mork_file>
pref.pl
This Perl script parses Windows XP and Windows Vista prefetch files (or a directory of them). The output can be written as comma separated values (.csv) for easier viewing. In the following example, pref.pl parses a prefetch file taken from Vista (-v; the default layout is XP's) and outputs it as csv (-c). Sample usage: pref.pl -v -f <prefetch_file> -c
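The reason pref.pl needs to be told whether a file came from Vista is that the two prefetch layouts place the fields an investigator cares about at different offsets. The following is an added example in Python, not Harlan Carvey's pref.pl, that parses the header of both layouts and writes one csv row per file. It follows the publicly documented format: version (0x11 for XP/2003, 0x17 for Vista/7) at offset 0, the "SCCA" signature at 4, the executable name as UTF-16 at 0x10, then the last-run FILETIME and run count at 0x78/0x90 (XP) or 0x80/0x98 (Vista). The sample files are constructed in the script (CALC.EXE, a run count of 7 and a timestamp chosen for the example) so it runs offline, and the force_version parameter reproduces what happens when the -v switch is used on the wrong file.

```python
"""Parse the header of a Windows XP or Vista prefetch (.pf) file.

Added example, not Harlan Carvey's pref.pl. Offsets follow the public prefetch format
for header versions 17 (XP/2003) and 23 (Vista/7); later versions are not handled.
"""
import struct
from datetime import datetime, timedelta, timezone

# header version -> (last run FILETIME offset, run count offset)
LAYOUTS = {
    0x11: (0x78, 0x90),  # Windows XP / Server 2003
    0x17: (0x80, 0x98),  # Windows Vista / 7
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data, force_version=None):
    """Return version, executable name, last run time and run count.

    force_version reads the fields with another layout's offsets, which is what
    running pref.pl with (or without) -v on the wrong kind of file does."""
    if len(data) < 0x9C or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0)[0]
    layout_version = force_version or version
    if layout_version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch version 0x{layout_version:x}")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    last_run_off, run_count_off = LAYOUTS[layout_version]
    last_run = struct.unpack_from("<Q", data, last_run_off)[0]
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    return {
        "version": version,
        "exe": exe_name,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def to_csv_row(info, path="-"):
    """One comma separated line: path, executable, last run (ISO 8601), run count."""
    return ",".join([path, info["exe"], info["last_run"].isoformat(), str(info["run_count"])])


def build_prefetch(version, exe, last_run, run_count):
    """Construct a minimal header of the given layout (sample input, not a real capture)."""
    buf = bytearray(0xA0)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, len(buf))               # file size field
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\0")
    last_run_off, run_count_off = LAYOUTS[version]
    delta = last_run - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000   # whole seconds -> FILETIME
    struct.pack_into("<Q", buf, last_run_off, ft)
    struct.pack_into("<I", buf, run_count_off, run_count)
    return bytes(buf)


def demo():
    """Parse an XP and a Vista sample, plus the XP sample read with Vista offsets."""
    ts = datetime(2011, 5, 3, 14, 22, 5, tzinfo=timezone.utc)   # chosen for the example
    xp = build_prefetch(0x11, "CALC.EXE", ts, 7)
    vista = build_prefetch(0x17, "CALC.EXE", ts, 7)
    return {
        "xp": to_csv_row(parse_prefetch(xp), "sample.pf"),
        "vista": to_csv_row(parse_prefetch(vista), "sample.pf"),
        "xp_as_vista": to_csv_row(parse_prefetch(xp, force_version=0x17), "sample.pf"),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label}: {row}")
```

The third row is the practical lesson: the XP file read with the Vista offsets still parses without error but yields a run count of 0 and a last-run time of 1601-01-01, so a timeline built from a run with the wrong -v setting is silently wrong rather than obviously broken.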
ptk
PTK is a forensics toolkit that provides a browser-based interface on top of the Sleuthkit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensics investigation. Because it runs in the browser, it first needs a MySQL database configured. Leave all fields at their defaults, and use the password "toor" (Backtrack's default root password) for the MySQL root user. It should set up successfully, at which point you need to register for the free version. Copy the license file you receive into PTK's config directory, located at /var/www/ptk/config.
http://technology-flow.com/wp-content/uploads/2011/05/ptk.png
Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin; it can even be a RAM dump. From here, the built-in tools will help you pull information from the image(s).
Volatility
Volatility is a framework written in Python that specializes in RAM analysis. It analyzes volatile memory dumps and can provide deep insight into the state of the system while it was running (running processes, open network connections, loaded DLLs and so on). The framework itself runs on Windows, OS X, Linux and even Cygwin; which memory images it can interpret is a separate question that depends on the profiles supported by the installed version (the 1.x releases of that era only understood Windows XP images), so check the installed version's plugin list before relying on it for another OS. In the example below, we use Volatility's pslist plugin to list the processes that were running on the system when the RAM image ram.img was taken. Sample Usage: volatility pslist -f ram.img