
Backtrack

Intro to the Backtrack operating system
Backtrack is a live Linux distribution based on SLAX that has been aggressively modified into a comprehensive offensive penetration testing tool. Backtrack is the result of the merging of WHAX (formerly Whoppix) and Auditor and is freely available from the remote-exploit website at http://remote-exploit.org/backtrack.html. Backtrack is by no means the only live security distribution of its kind; it is, however, arguably the best free distribution. Other examples of this technology are obviously WHAX and Auditor, but joining these ranks are distributions like P.H.L.A.K and Operator. While these distributions perform largely the same task, Backtrack provides a much more active user community coupled with live training from security professional Mati Aharoni (naturally, this training is not free). Other similar technologies are Helix and F.I.R.E; these tools are more focused on forensic examination and recovery than on penetration testing, but provide a rich set of tools for that purpose. Backtrack is focused on offensive security. Offensive security isn't about attacking computers in an attempt to steal information or cause chaos; it is about finding and demonstrating vulnerabilities so they can be understood and thus countered. The Backtrack OS will not attempt to restrict or record your activity and thus can be used for any purpose, but as explained in the licensing and supporting documentation, Backtrack was made by security professionals for security professionals. This view is also inherent in the supporting forums and documentation: while you can easily learn how to perform a no-client WEP crack on the forum, you will be asked to only perform this on your own routers. If you want to play around with SQL injection, do it on your own server, as the forum moderators will inform the site's webmaster of your efforts. Using Backtrack is reasonably simple, but the operation of the system does require working knowledge of Linux.
Backtrack has a KDE or Flux desktop for graphical interaction, but the majority of the tools supplied are command-line tools. The basic tools provided with the operating system are minimal, as the vast majority of KDE's default tools have been removed; this makes the system unsuitable for day-to-day tasks that are unrelated to penetration testing. The customizations performed on the kernel, drivers and utilities that make Backtrack what it is also make it very hard to install new software; most of the time compiling from source is the only option. Fortunately, once the software you require is compiled for the system, a module can be created and inserted into the system at boot time without having to recompile the .iso file. It is this feature that makes the SLAX scripts that underlie Backtrack so good for this kind of implementation. Backtrack was intended to be a live Linux distribution, that is to say, booted from a CD or from a flash device. This allows the OS to be highly portable and secure, in that it can be easily reverted to a default state. Why is this functionality important? A lot of the tools provided with the Backtrack distribution introduce security flaws into the system, making it possible for your exploits to be used against you. While the kernel has been modified and patched, the Backtrack OS has large security flaws, such as the use of the root account. Most users of Backtrack will log in as root with user = root, pass = toor; in fact this is the default setting. This is done to give you unrestricted access to the tools you are using without the need to constantly su or type passwords. This also means that any attacker who knows the Backtrack operating system can easily gain control of the system. Changing these default settings is easier said than done, because the system will not remember any changes without the user recompiling the .iso and re-burning their disk, or voiding this security mechanism by installing the OS on a local disk.
If Backtrack is used as intended, little damage can be done: persistent data can be stored on removable disks, and system configuration can be written to the casper-ng rewrite image on a removable or local disk. These forms of persistence will not threaten the security of the OS, as they can be easily purged and the majority of the system will stay read-only.

Overview of the tools available in the Backtrack operating system
The Backtrack operating system provides a comprehensive set of over 300 unique tools for security analysis and testing. The main tool categories are:

Information Gathering
The Information Gathering section includes tools to find information about DNS, routes, and SMTP data. These tools would be useful for the research phase of an attack, including target selection. There are tools here that will allow the hacker to find the owner of a network or target and begin to build a picture of what is connected to the target organization.

Network Mapping
Network mapping is the next phase of an attack: once a target has been chosen, the attacker will need to explore the target network or system. Backtrack provides tools to identify live hosts, fingerprint the running OS, port scan, and fingerprint services.

Vulnerability Identification
Vulnerability identification is an important aspect of penetration testing; there is little point in breaking into a system unless the system's vulnerabilities can be accurately identified. For this purpose Backtrack provides tools for analyzing vulnerabilities in Cisco routers, databases, and web resources. There is also a series of targeted fuzzers to automate the testing of common elements. The information these tools produce could be used to compromise the system or to create a vulnerability report for the system administrator.

Penetration
This is the phase where you break into the system; the most useful tool Backtrack provides us with is the Metasploit framework. Penetrating a network or system usually means running some exploit remotely on the target computer(s) and either obtaining information or acquiring a remote shell. Suffice to say, the scope of the attack canvas on most systems would allow an attacker to do just about anything to a system once through the defenses.
Most professional penetration testers will use proof-of-concept exploits to demonstrate new or unique vulnerabilities, and as common vulnerabilities found in the system would have been noted by the fuzzer or recognized by the tester, either way there would be no need to actually execute an exploit if the result was obvious. The Metasploit framework has us covered here as well: the primary function of the framework is to develop and test new exploits.

Privilege Escalation
Privilege escalation is concerned with gaining access to resources on a system that you aren't allowed to access. This includes password cracking and spoofing. Backtrack provides many sniffers and spoofing techniques, but their use in this respect would be to build up to some kind of password attack or to bypass authentication. Backtrack provides two kinds of password attacks, offline and online. The offline attacks are performed on captured information, like a Microsoft SAM dump, to obtain the administrator account password. The online password attacks are used for brute-forcing authentication that can't be downloaded or dumped; this is a live form of attack and requires the attack to be carried out in real time.

Maintaining Access
Maintaining access is about backdoors, rootkits, and tunneling. These tools allow the attacker to easily regain access to the machine. This is especially useful if you wish to execute a multi-step attack. An example of this would be attempting to remotely compromise an application running on the system that doesn't expose any vulnerabilities to the remote attacker. The attacker could find a vulnerability in some other aspect of the system and install a backdoor or tunnel that would then allow them to reach the target application. These tools are also useful for botnets and DoS attacks.

Radio Network Analysis
This area covers 802.11, Bluetooth and RFID analysis. The point here is to sniff, crack, and hack into these radio networks. The 802.11 tools are by far the most complete and most used. The Bluetooth tools are fine, but Bluetooth has limited vulnerabilities to exploit, in the sense that most modern phones are immune to the well-known snarf or bluebug attacks. That said, there are some really good Bluetooth scanners here.

VOIP & Telephony Analysis
RTP and VOIP are the prime targets here; we are supplied with the standard fuzzers, sniffers, and crackers. But there are also a lot of DoS attacks for these protocols.

Some Bluetooth tools

Btcrack
BTCrack is the world's first Bluetooth passphrase (PIN) bruteforce tool; BTCrack will bruteforce the Passkey and the Link key from captured Pairing* exchanges. http://www.nruns.com/_en/security_tools_btcrack.php

Bluebugger
bluebugger is an implementation of the bluebug technique, which was discovered by Martin Herfurt from the Trifinite Group. It was tested with the Nokia 6310i, Nokia N72 and Sony Ericsson T68i. Info: http://www.remote-exploit.org/codes_bluebugger.html

Blueprint
Blueprinting is a method to remotely find out details about Bluetooth-enabled devices. Blueprinting can be used for generating statistics about manufacturers and models and to find out whether there are devices in range that have issues with Bluetooth security. Info: http://trifinite.org/trifinite_stuff_blueprinting.html

Blue|smash
Blue|Smash is a Python-based tool for pentesting Bluetooth-enabled devices. Blue|Smash version 1.* is aimed mainly at Bluetooth-enabled phones and was built for the Backtrack live CD. Version 2.0 is now available from http://sourceforge.net/projects/bluesmash/

Bluesnarfer
Bluesnarfer will download the phone book of any mobile device vulnerable to bluesnarfing. Info: http://www.alighieri.org/project.html

Btscanner
btscanner is a tool designed specifically to extract as much information as possible from a Bluetooth device without the requirement to pair. Info: http://www.pentest.co.uk/

Carwhisperer
The carwhisperer project intends to make manufacturers of car kits and other Bluetooth appliances without a display and keyboard aware of the security threat that arises from the use of standard passkeys. Info: http://trifinite.org/trifinite_stuff_carwhisperer.html

ObexFTP
The ObexFTP application enables you to store and retrieve documents in your mobile phone's memory; that way you can access your phonebook, logo, ringtone, mp3, picture and general storage directly. http://triq.net/obexftp.html

HCIDump
Hcidump reads raw HCI data coming from and going to a Bluetooth device and prints commands, events and data to the screen in a human-readable form. Optionally, the dump can be written to a file rather than parsed, and the dump file can be parsed later. Info: http://www.linuxcommand.org/man_pages/hcidump8.html

Redfang
RedFang is a small proof-of-concept application to find non-discoverable Bluetooth devices. This is done by brute forcing the last six (6) bytes of the Bluetooth address of the device and doing a read_remote_name(). Info: http://www.net-security.org/software.php?id=519

Ussp-Push
ussp-push is an OBEX object pusher for Linux, using the BlueZ Bluetooth stack. The original ussp-push implementation required explicit binding to RFCOMM channels before use, which made it quite cumbersome. It now has Bluetooth name resolution, SDP service resolution, and direct access to remote Bluetooth listening channels. Info: http://www.xmailserver.org/ussp-push.html

bdaddr
Utility for changing the Bluetooth device address

bss
BSS (Bluetooth Stack Smasher) is an L2CAP-layer fuzzer for Linux, distributed under the GPL licence. BSS requires the standard Bluetooth library.

btftp
BTFTP transfers files over a Bluetooth connection. FTP uses a client-server connection. To use FTP over Bluetooth, run btsrv (see instruction below) on the server host and btftp on the client host.

hcidump-crash
A tool for looking into HCIdumps after a crash

hidattack
Bluetooth keyboards and mice make up a large percentage of Bluetooth devices. All keyboards, mice, joysticks and drawing tablets use the HID protocol (HID = Human Interface Device). HID is independent of Bluetooth and is also used for USB devices. The Bluetooth SIG specifies a small wrapper protocol to transport HID over Bluetooth. hidattack hijacks the HID Bluetooth device connected to the computer.

hstest
HSTEST allows you to record and play back items over your Bluetooth headset.

rfcomm
Connect to a remote Bluetooth device on an RFCOMM channel, read data from it and send data to it, like using telnet to connect to a TCP port.

Some links to online resources
http://offensive-security.com/
http://remote-exploit.org/
http://forums.remote-exploit.org/index.php
www.isecom.org
www.oissg.org
http://milw0rm.com/
http://metasploit.com/
http://www.darknet.org.uk/
