backtrack 4 r2 - sfissa presentation
This presentation was put together for a South Florida ISSA technical workshop.
BackTrack 4 – R2
Jorge Orchilles, Peter Greko
South Florida ISSA
About Jorge Orchilles
• Information * for over 8 years
• Security Analyst – Fortune 10
• Consultant by night – Orchilles Consulting
• Master of Science and BBA in Management Information Systems – Florida International University
• Author – Microsoft Windows 7 Administrator’s Reference (Syngress)
• Certifications – CISSP, GCIH, CEH, CICP, CCDA, CSSDS, MCTS, MCP, Security+
• Organizations:
• President South Florida ISSA
• OWASP
• InfraGard
• Miami Electronic Crimes Task Force
• Hack Miami
About Peter Greko
• Local InfoSec Researcher
• Security Analyst – Fortune 10
• Hack Miami Board Member
– Not one of “them 2”
• Speaks at conferences
– HOPE, Hacker Halted, AppSec DC
Intro to Back Track
• Live DVD for Penetration Testing
– Can download VM as well
• 300+ tools installed
– Saves a lot of time
• Runs on Ubuntu
– KDE
• http://www.backtrack-linux.org
Let’s Get Started
• Insert the BackTrack 4 R2 DVD and reboot your computer.
• When the BIOS comes up, press F2, F12, etc. depending on your BIOS for the Boot Menu – select DVD.
• When the BackTrack splash screen comes up, press Enter.
• To log in:
– Username: root
– Password: toor
Configure
• Start KDE: startx
• Start networking:
– Open a terminal: /etc/init.d/networking start
– Wireless: KDE – Internet – Wicd Network Manager
• SSID: SFISSA
• WPA-PSK: SFISSArocks!
– DHCP: 192.168.1.200-249/24
– Static IP:
• ifconfig eth0 192.168.1.1XX/24
• route add default gw 192.168.1.1 (not required)
• DNS: echo nameserver <ip> > /etc/resolv.conf
• Do not use:
– 192.168.1.1
– 192.168.1.100 – Level 1 Victim
– 192.168.1.110 – Level 2 Victim
– 192.168.1.120 – Metasploitable
– Ping 192.168.1.110 to ensure you are up.
/pentest
• Get familiar with the BackTrack GUI and /pentest directory
• These are all the tools available to you
• How many have you played with already?
Ethical Hacking 101
0. Get Permission
1. Information Gathering
2. Recon – Scanning
3. Gain Access
4. Maintain Access
5. Cover Tracks – clean up
“Most of hacking is doing user and admin tasks with malicious intent.” – SANS SEC504 Class
0. Get Permission
• You have permission to attack ONLY the following hosts:
– 192.168.1.100
– 192.168.1.110
– 192.168.1.120
• Anything else is considered illegal!
• SFISSA
• SFISSArocks!
1. Information Gathering
• We will be probing the three hosts that were already given.
• Some background
– 100 and 110 are from Heorot.net
– 120 is called Metasploitable
• Not much else to do here
– No Google
Real Scenario
• You would most likely need to identify live hosts:
– Ping sweep: nmap -sP 192.168.1.0/24
– DNS zone transfer: host -l <domain.local> <DNSserverip>
– Netdiscover – BackTrack KDE
• Documentation
– Create a txt file with identified hosts.
2. Recon
• We will start by probing the hosts to determine open ports:
– nmap
• We can also run other automated tools, like a vulnerability scanner or web application scanner:
– Nessus
– Nikto
nmap
• Nmap is:
– Free and open source
– A tool to discover, monitor, and troubleshoot TCP/IP
– Cross platform
– Simple to use
• http://nmap.org/
Using nmap 101
• Millions of options
• nmap -h
• nmap [target] – scans the 1000 most common TCP ports
• nmap -F [target] – scans the 100 most common TCP ports
• nmap -iL filename.txt – scans all hosts in the file, one per line
Using nmap 102
• nmap -sS [target] – SYN scan
• nmap -O – OS fingerprinting
• nmap -p80 – scans port 80
– -p- – all ports
– -p21,22,25,80 – scans those ports
• nmap -v – verbose
• nmap -n – do not resolve DNS
• Many cheat sheets online, and -h has many more
• Example
– nmap -sSV -n -O -P0 192.168.1.100 > 100TCP.txt
Lab
• Open a terminal
• cd to the location where hosts.txt is
• nmap -n -F -iL hosts.txt
– This will do a quick scan (100 most common TCP ports) of each live host
• What did you find?
– What now?
• Documentation
• http://192.168.1.100
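The "Real Scenario" slide says to identify live hosts and document them in a text file, and the Lab then feeds that file to nmap -n -F -iL hosts.txt. As an added example (not from the slides), the script below turns a ping-sweep result into that hosts.txt and keeps only the three hosts the workshop grants permission for; it assumes the sweep was saved in nmap's grepable format (nmap -sP -oG sweep.gnmap 192.168.1.0/24), and the sweep output embedded here is constructed, not captured from the workshop network.

```shell
#!/bin/sh
# Added example: build hosts.txt for "nmap -n -F -iL hosts.txt" from a grepable ping sweep.
# The sweep below is constructed for demonstration (the gateway and one DHCP client are included
# so the scope filter has something to drop).
SWEEP_SAMPLE='# Nmap scan initiated as: nmap -sP -oG sweep.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.100 ()  Status: Up
Host: 192.168.1.110 ()  Status: Up
Host: 192.168.1.120 ()  Status: Up
Host: 192.168.1.205 ()  Status: Up
# Nmap done -- 256 IP addresses (5 hosts up) scanned'

# Print every live host in a grepable sweep file, one IP per line.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Keep only the hosts listed on the "0. Get Permission" slide; anything else
# (the gateway, other attendees' DHCP addresses) is out of scope and is dropped.
in_scope_hosts() {
    live_hosts "$1" | grep -x -E '192\.168\.1\.(100|110|120)'
}

# Write the hosts file the lab scan reads and return how many hosts it contains.
write_hosts_file() {
    in_scope_hosts "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stand-alone run on the constructed sample: writes hosts.txt in the current directory.
tmp_sweep=$(mktemp)
printf '%s\n' "$SWEEP_SAMPLE" > "$tmp_sweep"
write_hosts_file "$tmp_sweep" hosts.txt
cat hosts.txt
```

Replace SWEEP_SAMPLE with a real sweep file to produce the lab's hosts.txt; the scope filter is the documentation step and the permission check in one place.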
Go at it
• The intro and scenario have been set
• Feel free to hack away at the three hosts:
– 192.168.1.100
– 192.168.1.110
– 192.168.1.120
Nessus
• Nessus is NOT part of BackTrack, but it is the best vulnerability scanner available
• http://www.tenablesecurity.com
• For BackTrack 4 download the Ubuntu 8.04 32-bit .deb
• Install:
– dpkg -i *.deb
– /opt/nessus/sbin/nessus-adduser
– Register: http://www.nessus.org/plugins/?view=register-info
– Start Nessus: /etc/init.d/nessusd start
• https://localhost:8834/
Nikto
• Web server scanner
• http://cirt.net/nikto2
• /pentest/scanners/nikto
• ./nikto.pl -host <websiteip>:<port>
3. Gain Access
• Leverage findings from steps 1 and 2
• What have we found?
• Use Hydra to brute force SSH using possible usernames.
3. Elevate Privileges
• The user you cracked doesn’t have enough privileges… how do you find who does?
– cat /etc/passwd
– cat /etc/group
• Brute force SSH with a known user that has sudo privileges….
Keep Going and Try Harder!!!
• Each scenario is different
• Use what you know and have experienced in the past in the current scenario.
• Tools won’t do it all, use your head!
Conclusion and Take Away
• Get permission
• Run some scans on your hosts
– Nmap
– Nessus
– Nikto
• Always be willing to learn more, try harder, and think harder