
RAJASTHAN INSTITUTE OF ENGINEERING & TECHNOLOGY
Computer Engineering Department
Session: 2012-2013 (B.Tech VIII SEM)

ABSTRACT


BACKTRACK A SOCIAL ENGINEERING TOOL
DHARMANSHU VASHISHTH d.vashishth77@gmail.com

Backtrack is a distribution based on the Debian GNU/Linux distribution, aimed at digital forensics and penetration testing. It is named after backtracking, a search algorithm. Backtrack is an open-source Linux distribution; no license is required to use it. Backtrack is the world's leading penetration testing and information security auditing distribution. With hundreds of tools preinstalled and configured to run out of the box, Backtrack provides a solid penetration testing platform: everything is in one place. Backtrack is a Linux security distribution that contains all of the tools necessary to perform a complete security assessment of systems, networks, and applications. This article describes some basic practical uses of the tools within Backtrack as they relate to a network-based penetration test or security assessment. Backtrack was designed with penetration testing in mind. A pen test is a method of evaluating and testing the security of a system, network, or application by performing actions that simulate those of a malicious attacker. There are a few different ways BT can be set up and used: you can create a Live CD or bootable USB drive and run it in a live environment, install BT5 in a virtual machine (VM), or install BT5 directly to a hard drive and boot it as the main OS.

1. Introduction
1.1 Introduction:
Backtrack is the world's leading penetration testing and information security auditing distribution. With hundreds of tools preinstalled and configured to run out of the box, Backtrack provides a solid penetration testing platform: everything is in one place. It is a Linux distribution designed for penetration testing, i.e. ethical hacking, with many tools for hacking into any type of system, wireless or wired, and a huge library of drivers and support routines.

1.2 Installation:
Installation has always been a big problem when we talk about the Linux operating system. There are several solutions:
(1) Boot from a live CD.
(2) Boot from a live pen drive (most commonly used).
(3) VirtualBox (for demonstration).
(4) Full installation in a separate partition.

(1) Boot from live CD:

Download the BACKTRACK CD image from its official site. Burn the image using any image burner. Plug & play.

(2) Boot from live Pen drive:

CDs are not a feasible option. Make your pen drive bootable. Tools required:

1. Unetbootin: http://unetbootin.sourceforge.net
2. BACKTRACK image (.iso)
3. Pen drive

Default user name and password:

Username: root
Password: toor

Formats in Windows: NTFS, FAT, FAT32

Formats in Linux: EXT2, EXT3, EXT4, FAT, FAT32, NTFS

2. Social Engineering Toolkit

Social Engineering Toolkit:
SET is a toolkit included in Backtrack. The first attack type is a Social Engineering Attack: copy a web site (your own), get someone to visit the copied site, and get onto their machine. On your Backtrack machine, press Control-Alt-T to open a terminal and run the command cd /pentest/exploits/set; ./set. Update your Metasploit and Backtrack first. Trial and error is involved; the tool is not shrink-wrapped. Set up your server, which delivers the Backtrack payload.

3. Backtrack Tutorial:
The Backtrack 5 Tutorial is a series of tutorials that show how to use every tool included in the Backtrack 5 Live CD. They are separated into the groups in which they appear in Backtrack:
Information Gathering
Vulnerability Assessment
Exploitation Tools
Privilege Escalation
Maintaining Access
Reverse Engineering
RFID Tools
Stress Testing
Forensics
Reporting Tools
Services
Miscellaneous

3.1 Backtrack Information Gathering:

3.1.1 Network Analysis
(1) Bluetooth Analysis: bluediving, btscanner
(2) DNS Analysis: dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce, lbd

(1) Bluetooth Analysis:

Bluediving: Bluediving is a software suite specializing in Bluetooth penetration testing. Bluediving comprises several tools, such as Bluebug and BlueSnarf. Using these tools, Bluediving provides a single platform for launching nearly every type of Bluetooth-based attack. Bluediving presents a simple, easy-to-use command line where the user is given the option of choosing attack targets, choosing attack methods, and even enumerating the various Bluetooth devices discovered. The top-level menu looks like this:

[MAIN MENU] menu:

[a] Action
[e] Exploit
[i] Info
[t] Tools

[1] Scan
[2] Scan and attack
[3] Scan and info
[4] Scan for...
[5] Add known device
[6] Change preferences
[7] Show preferences
[8] Show logfile
-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[x] Exit

Btscanner: btscanner is a utility used to gather as much information as possible from an unpaired Bluetooth device. It is specifically aimed at extracting information from unpaired devices, such as IEEE OUI numbers and possible host identification. The example below shows how to use btscanner to scan for available Bluetooth devices.

Example Usage: Enter i to begin a scan for devices, then a to abort the scan once devices are found. Select a discovered device by pressing Enter to see more information about it.

(2) DNS Analysis:

dnsdict6: dnsdict6 is a utility used to enumerate a domain for IPv6 DNS entries, meaning it will try to find as many IPv6 (AAAA record) DNS entries for the selected domain as possible. This is useful for finding subdomains that may be invisible to the public but still exist in DNS records. Often, these forgotten domains are outdated and can be a vector for exploit-based attacks against the domain. dnsdict6 uses a dictionary list to guess possible DNS entries.
Example Usage: dnsdict6 google.com

dnsenum.pl: dnsenum is a Perl utility used to collect as much information as possible regarding a domain. It collects basic information such as A records (host addresses), nameservers, and MX records (mail hosts), but also extracts useful information such as BIND versions and searches for unlisted subdomains using a dictionary-based attack. dnsenum also has reverse lookup utilities that can perform reverse DNS lookups for class C network ranges. In the example below, we use dnsenum to look for as much information as possible about the technology-flow.com domain.
Example Usage: ./dnsenum.pl --enum -f dns.txt --update a -r technology-flow.com

Dnsmap: dnsmap is a utility used to create a list of hosts and DNS records for a domain. It uses a word list to search for possible subdomains, and can output results in several different formats, such as CSV or plain .txt. In the examples below, we use the dnsmap utility to attempt to map the hosts that technology-flow.com uses. In the second example, a wordlist is used to guess subdomains, and the results are written to /root/results.txt. The final example simply writes the results to /root/results.txt.
Example Usage: dnsmap technology-flow.com
Example Usage: dnsmap technology-flow.com -w wordlist.txt -r /root/results.txt
Example Usage: dnsmap technology-flow.com -r /root/results.txt

Dnsrecon: dnsrecon is a Python-based utility. Currently, dnsrecon has 6 features that make it great for gathering information about a domain or IP address from DNS records:
1. Reverse lookups for IP blocks
2. Top level domain expansion
3. DNS host and domain brute force
4. A, NS, SOA and MX record lookups
5. Zone transfer for each NS server found
6. Find SRV records

In the example below, dnsrecon is used to guess (brute-force option -t brt) subdomains for technology-flow.com, using dictionary.lst as the dictionary file to pull entries from.
Example Usage: ./dnsrecon.py -t brt -d technology-flow.com -D dictionary.lst

Dnstracer: dnstracer is a program that reports the chain of DNS servers that a DNS request follows in order to perform a lookup. It tells the user which servers have authority for a zone, and the intermediary DNS nodes that were found along the way. This tool is very simple to use; the example below uses dnstracer to verbosely find DNS server information for a lookup of technology-flow.com.
Example Usage: dnstracer -v technology-flow.com

Dnswalk: dnswalk is a Perl script that helps debug DNS servers. It can run zone transfers for domains, and can help check the consistency and accuracy of records. While originally intended for use as a DNS debugger, dnswalk can be used to gather information about a particular target domain or target DNS server. In the example below, we look up information for the technology-flow.com domain. Note the trailing ".", which is an important part of the domain name system. Also note that dnswalk provides as much information in its error/warning messages (many servers don't allow zone transfers) as it does in successfully completed queries and transfers.
Example Usage: ./dnswalk technology-flow.com.

Fierce: fierce is a Perl program that aims to scan for non-contiguous IP address space. This means it uses a brute-force DNS lookup method to search for allocated/unallocated IP addresses for a domain. This information is useful for other scanners, such as nmap, nessus, or nikto, since IP information is needed for these utilities. In the first example below, we scan for IP addresses in the 111.222.333.0/24 range, using ns1.nameserver.com as the nameserver. Next, we use fierce to scan a particular domain, technology-flow.com.
Example Usage: ./fierce.pl -range 111.222.333.0-255 -dnsserver ns1.nameserver.com
Example Usage: ./fierce.pl technology-flow.com

Lbd: lbd is a proof-of-concept shell script that attempts to detect whether a domain uses a load balancing system. To do this, it looks for both DNS and HTTP load balancing, and attempts to determine whether either is used. This is useful in gathering information about a domain's architecture, as well as how a domain may react to a sudden increase in traffic, such as that caused by a Distributed Denial of Service (DDoS) attack. In this example, we check whether technology-flow.com uses load balancing (it does not):

Example Usage: ./lbd.sh technology-flow.com
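As an added illustration of what lbd looks for (this is example code written for this page, not lbd's own script), the following Python applies the two checks to constructed data: several distinct addresses across repeated lookups of one name point to DNS round-robin balancing, and response headers such as Server or ETag that differ between otherwise identical requests point to more than one back-end behind one name. The addresses and headers are constructed samples, and the list of compared headers is an assumption rather than lbd's exact set.

```python
"""Load-balancing detection in the style of lbd (added example, not lbd's code)."""
from collections import Counter

# Headers compared across repeated responses to the same URL. A value that
# differs between responses suggests more than one back-end (assumed list).
COMPARED_HEADERS = ("Server", "X-Powered-By", "ETag", "Via")


def detect_dns_lb(answers):
    """DNS check: `answers` is a list of A-record sets, one set per lookup.

    Returns every address seen with its count; more than one distinct address
    across lookups indicates round-robin DNS load balancing."""
    seen = Counter()
    for records in answers:
        for ip in records:
            seen[ip] += 1
    return dict(seen)


def detect_http_lb(responses):
    """HTTP check: `responses` is a list of header dicts from repeated requests
    to the same URL. Returns the compared headers whose values varied."""
    varying = {}
    for name in COMPARED_HEADERS:
        values = {r.get(name) for r in responses}
        if len(values) > 1:
            varying[name] = sorted(str(v) for v in values)
    return varying


def verdict(answers, responses):
    """Combine both checks into one summary for a domain."""
    ips = detect_dns_lb(answers)
    varying = detect_http_lb(responses)
    return {
        "dns_lb": len(ips) > 1,
        "http_lb": bool(varying),
        "addresses": sorted(ips),
        "varying_headers": varying,
    }


# Constructed sample data (not real lookups): a round-robin name with two
# back-ends that happen to report different Apache versions.
SAMPLE_ANSWERS = [["198.51.100.10"], ["198.51.100.11"], ["198.51.100.10"]]
SAMPLE_RESPONSES = [
    {"Server": "Apache/2.2.22", "ETag": "\"a1\""},
    {"Server": "Apache/2.2.21", "ETag": "\"a1\""},
    {"Server": "Apache/2.2.22", "ETag": "\"a1\""},
]
# A single-host site for comparison (constructed).
SINGLE_ANSWERS = [["203.0.113.5"], ["203.0.113.5"]]
SINGLE_RESPONSES = [{"Server": "nginx"}, {"Server": "nginx"}]

if __name__ == "__main__":
    print(verdict(SAMPLE_ANSWERS, SAMPLE_RESPONSES))
    print(verdict(SINGLE_ANSWERS, SINGLE_RESPONSES))
```

Run against your own domain's lookups and responses, this is the same evidence lbd reports; a site that balances only at the HTTP layer shows one address but varying headers, and one that balances only in DNS shows the reverse.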

3.2 Forensics:
The Forensics group contains the following categories and tools:

Anti Virus Forensic Tools: chkrootkit, rkhunter
Digital Anti Forensics: Install truecrypt
Digital Forensics: hexedit
Forensic Analysis Tools: bulk_extractor, evtparse, exiftool, missidentify, mork, pref, PTK, readpst, reglookup, stegdetect, vinetto
Forensic Carving Tools: fatback, foremost, magicrescue, recoverjpeg, safecopy, scalpel, scrounge-ntfs, testdisk
Forensic Hashing Tools: hashdeep, md5deep, sha1deep, sha256deep, tigerdeep, whirlpooldeep
Forensic Imaging Tools: air, dc3dd, ddrescue, ewfacquire
Forensic Suites: PTK Setup, Autopsy, Sleuthkit
Network Forensics: Driftnet, p0f, tcpreplay, Wireshark, Xplico
Password Forensics Tools: CmosPwd, fcrackzip, samdump
PDF Forensic Tools: pdfid, pdf-parser, peepdf, pdfbook
RAM Forensics Tools: pdgmail, PTK, Volatility

3.2.1 Anti-Virus Forensic Tools:

Chkrootkit: chkrootkit is a utility that checks for signs that a device is infected with a rootkit. It runs on Linux, FreeBSD, and OS X. It uses standard utilities such as awk, grep, netstat, cut, echo, and more in order to detect signatures that suggest rootkits. The standard use of chkrootkit should include an alternate path to trusted binaries (don't trust the binaries on a machine you are scanning), along with the path to the directory to be scanned.
Example usage: chkrootkit -p [path-to-trusted-binaries] -r [root-path-to-scan]

Rkhunter: rkhunter is another utility used to check for signs of rootkits on Unix-based systems. Usually, you will want to run the scan against a mounted filesystem, using a trusted set of binaries. In the example below, the --sk option means that a keypress isn't required after each test.
Example Usage: rkhunter -c --sk
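The hashing tools listed under Forensic Hashing Tools (hashdeep and the *deep family) and the advice to point chkrootkit and rkhunter at trusted binaries rest on the same idea: a baseline of known-good digests that the system under examination is compared against, so that a replaced netstat or ps is noticed rather than trusted. The following Python is an added example written for this page, not code from hashdeep, chkrootkit or rkhunter. It builds a SHA-256 manifest of a directory tree and later audits that tree the way hashdeep's audit mode does, classifying each file as matched, modified, missing or new; the demo() scenario constructs three stand-in binaries in a temporary directory and then tampers with them.

```python
"""hashdeep-style integrity audit (added example, not hashdeep/chkrootkit code)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every regular file under root.

    Symlinks are skipped: a rootkit can point a link anywhere, so only the
    real file contents are baselined."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def audit(root, manifest):
    """Compare the current tree against a trusted manifest.

    Returns sorted lists: matched (unchanged), modified (digest differs),
    missing (in manifest, gone from disk) and new (on disk, not baselined)."""
    current = build_manifest(root)
    result = {"matched": [], "modified": [], "missing": [], "new": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["matched"].append(rel)
    result["new"] = list(set(current) - set(manifest))
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed scenario: baseline three stand-in binaries, then tamper."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline = build_manifest(root)   # the trusted, known-good state

        # Simulate a rootkit: replace ps, delete netstat, drop a hidden file.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        os.remove(os.path.join(bindir, "netstat"))
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"payload\n")
        return audit(root, baseline)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:9s} {files}")
```

The manifest itself must be stored off the examined machine (or on read-only media), for the same reason chkrootkit's -p option exists: a baseline kept on a compromised host is as untrustworthy as its binaries.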

3.2.2 Digital Anti Forensics:

Install truecrypt: This script is used to install TrueCrypt, software that creates encrypted files using various encryption ciphers. It offers features such as hidden partitions inside the encrypted file, as well as the ability to use files and text passwords as keys to the encrypted file. A more in-depth TrueCrypt tutorial is available separately.

3.2.3 Digital Forensics:

Hexedit: hexedit is a program that gives the user the ability to view a file in hexadecimal and ASCII. It can also read a device as a file. It includes built-in keyboard shortcuts, similar to those of emacs, that make it fast and easy to edit and analyze a file, including skipping to specific offsets, cutting and pasting, and changing views and modes.
Example usage: hexedit [filename]

3.2.4 Forensic Analysis Tools:

bulk_extractor: bulk_extractor is a utility that scans many types of information storage (files, folders) and outputs the information it finds in them. What separates bulk_extractor from other similar tools is its speed: bulk_extractor does not look at file system structures on the input, so it is able to process the scan faster and, thus, more thoroughly. The tool outputs the information found, such as ccn.txt (credit card numbers), email.txt (email addresses), exif.txt (EXIF data from media files), url (URLs found), and more. Note that the output directory must not already exist.
Example usage: bulk_extractor -o [output directory] input

evtparse.pl: This utility takes .evt files, which contain log information for use by the event manager, and parses them into something useful for investigators. Specifically, it dumps the events as a timeline.
Example usage: evtparse.pl -e [event_log]

Exiftool: exiftool allows users to read or write metadata (such as EXIF) in image, video, and audio files. Here are a few examples from the exiftool manpage:
Example usage: exiftool -a -u -g1 [image_file]
Example usage: exiftool -Comment="Enter a comment in quotes here" [image_file]

Missidentify: The missidentify tool finds Windows 32-bit executable files. It can search recursively through folders to find them, and then displays the results to the user. Standard usage would usually include searching recursively (-r option).
Example usage: missidentify -r [location]

mork.pl: A Perl script that strips information from a Mork database file. Mork files were previously used by Mozilla programs to store information such as Firefox browsing history and Thunderbird contacts. While newer Firefox versions now use SQLite database files to store browser information, Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file from a Mork file input.
Example usage: mork.pl --html [Mork_file]

pref.pl: This Perl script parses the content of Windows XP and Windows Vista prefetch files and directories. The output can be set to comma-separated values (.csv) for easier viewing. In the following example, pref.pl is used to parse data from a folder containing prefetch files from Vista (the default is XP) and output it as a CSV file.
Example usage: pref.pl -v -f [prefetch_file] -c

Ptk: PTK is a forensics toolkit, similar to the Sleuth Kit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensics investigation. It is browser-based, and first needs a MySQL database configured. Leave all fields at their defaults, and use the password toor for the root user in MySQL. It should set up successfully, at which point you need to register for the free version. Copy the license file you received into the PTK config directory, located at /var/www/ptk/config.
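To show why bulk_extractor can skip file system structures altogether, the following Python is an added example (not bulk_extractor's code) that scans a raw byte buffer, with no notion of files or directories, for e-mail addresses, URLs and Luhn-valid card numbers, then writes email.txt, url.txt and ccn.txt into an output directory and refuses one that already exists, as the note above describes. The byte buffer is constructed sample data, and the regular expressions are simplified assumptions rather than bulk_extractor's real scanners.

```python
"""bulk_extractor-style feature scanning (added example, not bulk_extractor's code)."""
import os
import re
import tempfile

# Simplified feature patterns (assumptions, not bulk_extractor's scanners).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_%+:?=&#-]+")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check; bulk_extractor applies it too, to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_bytes(data):
    """Return {"email": [...], "url": [...], "ccn": [...]} found in raw bytes."""
    features = {
        "email": sorted({m.decode("ascii") for m in EMAIL_RE.findall(data)}),
        "url": sorted({m.decode("ascii") for m in URL_RE.findall(data)}),
        "ccn": [],
    }
    seen = set()
    for m in CCN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits) and digits not in seen:
            seen.add(digits)
            features["ccn"].append(digits)
    return features


def write_features(outdir, features):
    """Write one <feature>.txt per type; refuse an existing directory like -o does."""
    if os.path.exists(outdir):
        raise FileExistsError(f"output directory already exists: {outdir}")
    os.makedirs(outdir)
    for name, values in features.items():
        with open(os.path.join(outdir, name + ".txt"), "w") as f:
            f.write("\n".join(values) + ("\n" if values else ""))
    return sorted(os.listdir(outdir))


# Constructed sample: slack space holding a web-page fragment, mail headers
# and a form post. 4111 1111 1111 1111 is the usual Luhn-valid test number;
# 4111111111111112 fails Luhn and must be dropped.
SAMPLE_IMAGE = (
    b"\x00\x00garbage<a href=\"https://example.com/login?next=/\">x</a>\x00"
    b"From: alice@example.com\r\nTo: bob.smith@example.org\r\n"
    b"card=4111 1111 1111 1111&card2=4111111111111112&phone=5551234567\x00"
)


def demo():
    """Scan the constructed image into a fresh temp directory; return the file
    list written and whether a second run into the same directory was refused."""
    with tempfile.TemporaryDirectory() as tmp:
        outdir = os.path.join(tmp, "out")
        written = write_features(outdir, scan_bytes(SAMPLE_IMAGE))
        try:
            write_features(outdir, {})
            refused = False
        except FileExistsError:
            refused = True
    return written, refused


if __name__ == "__main__":
    for name, values in scan_bytes(SAMPLE_IMAGE).items():
        print(name, values)
    print(demo())
```

Because the scanner never interprets the file system, it finds the same features in deleted files, slack space and unallocated clusters as in live files, which is the trade-off the passage describes: speed and coverage in exchange for not knowing which file a hit came from.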

3.3 Volatility:
Volatility is a framework written in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type, and can provide deep insight into the state of the system while it was running. The Volatility Framework has been tested on Windows, OS X, Linux, and even Cygwin. In the example below, we use Volatility to list the processes that were running on the system when the RAM image ram.img was taken.
Example Usage: volatility pslist -f ram.img

