Hands on with BackTrack

Information gathering, scanning, simple exploits

By Edison Carrick

Starting up and Getting an IP

• startx

• ifup eth0

The Tools

• The ‘K Menu’

• That’s not all:

– The `/pentest` directory

netdiscover

• ‘an active/passive address reconnaissance tool’

• Using ARP, it detects live hosts on a network.

nmap

• Nmap ("Network Mapper") is a free and open source command-line utility for network exploration or security auditing.

• Extremely powerful.

• Simple use: nmap -v -A

– ‘v’ for verbosity and ‘A’ for OS/version detection

Zenmap: Nmap, but prettier

• Zenmap is a GUI interface for nmap.

• Easily detect OS, services, TCP sequences and more with a click or two of a button.

Exploits

• Databases and programs

– ExploitDB

– Metasploit

• The internet

– Exploit-db.com

– Google

Searching for a vulnerability

• exploitDB: ./searchsploit

• Googling

• Conveniently, Offensive Security has included their exploitDB on BackTrack.

• Since we have a 2003 server, let’s search for 2003 vulnerabilities.

– ./searchsploit 2003

– ./searchsploit 2k3

Exploring and Testing a Written Exploit

• ‘cat’ is perfect for viewing.

• Recognizing shellcode, and how the exploit runs.

• Running the exploit

– ./7132.py

– Finding the usage

Getting the Shell

• ./7132.py 192.168.1.2 2

• Noticing that the exploit prints that the shell is bound to the server on port 4444.

• Netcat: the tool for everything

– nc -v 192.168.1.2 4444

Prevention?

• Keep servers and computers up-to-date and patched.

• Use only services that are necessary, and disable the ones unneeded.

• Using the default settings can be dangerous.
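The last two prevention points can be checked with the same scanner the slides use: compare the open ports nmap reports against the services a host is supposed to run. The script below is an added example, not part of the slides; it parses nmap’s grepable output (the `-oG` format) and flags listeners missing from an assumed per-host baseline. The scan text and the baseline are constructed here, with an unexplained 4444/tcp listener standing in for the bound shell the exploit slide mentions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap grepable (-oG) output for the lab host from the
# slides. Not real scan output: the 4444/tcp entry is the unexpected listener.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -v -A -oG - 192.168.1.2
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# Assumed baseline: the ports each host is expected to have listening.
BASELINE: Dict[str, Set[int]] = {"192.168.1.2": {135, 139, 445}}

# One entry of the Ports field looks like: 445/open/tcp//microsoft-ds///
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")

Finding = Tuple[str, int, str, str]  # (host, port, proto, service)


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each host address to its open (port, proto, service) tuples."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe open ports;
        # the "Status: Up" line and the "#" comment lines are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        # Fields are tab-separated; the Ports field ends at the next tab.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = hosts.setdefault(addr, [])
        for port, proto, svc in PORT_RE.findall(ports_field):
            entries.append((int(port), proto, svc))
    return hosts


def unexpected_listeners(scan: Dict[str, List[Tuple[int, str, str]]],
                         baseline: Dict[str, Set[int]]) -> List[Finding]:
    """Return every open port that is not in the host's baseline."""
    findings: List[Finding] = []
    for addr, ports in scan.items():
        allowed = baseline.get(addr, set())  # unknown host: nothing allowed
        for port, proto, svc in ports:
            if port not in allowed:
                findings.append((addr, port, proto, svc))
    return findings


if __name__ == "__main__":
    for host, port, proto, svc in unexpected_listeners(
            parse_grepable(SAMPLE_GREPABLE), BASELINE):
        print(f"{host}: unexpected {port}/{proto} ({svc or 'unknown'})")
```

A host that is not in the baseline at all has every open port reported, so new machines on the segment (the kind netdiscover finds) surface as well.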

More Information

• NetDiscover: http://nixgeneration.com/~jaime/netdiscover/

• Nmap/Zenmap: http://nmap.org/

• http://www.exploit-db.com/

• http://www.metasploit.com/

• More on the MS08-067 vulnerability: MS08-067

• Background image for PowerPoint found at xshock.de