14. Intro to BackTrack
  Live DVD for penetration testing
  Can download a VM as well
  300+ tools installed
  Saves a lot of time
  Runs on Ubuntu with KDE
  http://www.backtrack-linux.org
15. Let's Get Started
  Insert the BackTrack 4 R2 DVD and reboot your computer.
  When the BIOS comes up, press F2, F12, etc. (depending on your BIOS) for the Boot Menu and select DVD.
  When the BackTrack splash screen comes up, press Enter.
  To log in: Username: root   Password: toor
16. Configure
  Start KDE: startx
  Start networking: open a terminal and run /etc/init.d/networking start
  Wireless: KDE > Internet > Wicd Network Manager
    SSID: SFISSA
    WPA-PSK: SFISSArocks!
  DHCP: 192.168.1.200-249/24
  Static IP: ifconfig eth0 192.168.1.1XX/24
    route add default gw 192.168.1.1 (not required)
  DNS: echo nameserver <ip> > /etc/resolv.conf
  Do not use:
    192.168.1.1
    192.168.1.100 - Level 1 Victim
    192.168.1.110 - Level 2 Victim
    192.168.1.120 - Metasploitable
  Ping 192.168.1.110 to ensure you are up.
17. /pentest
  Get familiar with the BackTrack GUI and the /pentest directory.
  These are all the tools available to you.
  How many have you played with already?
18. Ethical Hacking 101
  0. Get Permission
  1. Information Gathering
  2. Recon / Scanning
  3. Gain Access
  4. Maintain Access
  5. Cover Tracks / clean up
  "Most of hacking is doing user and admin tasks with malicious intent." - SANS SEC504 class
19. 0. Get Permission
  You have permission to attack ONLY the following hosts:
    192.168.1.100
    192.168.1.110
    192.168.1.120
  Anything else is considered illegal!
  SSID: SFISSA   WPA-PSK: SFISSArocks!
20. 1. Information Gathering
  We will be probing the three hosts that were already given.
  Some background:
    .100 and .110 are from Heorot.net
    .120 is called Metasploitable
  Not much else to do here; no Google.
21. Real Scenario
  You would most likely need to identify live hosts first:
    Ping sweep: nmap -sP 192.168.1.0/24
    DNS zone transfer: host -l <domain.local> <DNSserverip>
    Netdiscover: in the BackTrack KDE menu
  Documentation: create a txt file with the identified hosts, one per line.
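The hosts file produced by a discovery sweep is exactly what gets fed to the scanner later, so it is worth checking it against the authorization on slide 19 before anything touches the network. The script below is an added example, not part of the workshop material: it reads a hosts file in the form nmap -iL accepts (one address or CIDR block per line, blank lines and # comments ignored) and reports every entry that is not fully covered by the authorized list. The file contents and the check_scope helper are constructed for the example; the authorized addresses are the three from slide 19.

```python
import ipaddress

# Authorized targets from slide 19 (the only hosts in scope for this lab).
AUTHORIZED = ["192.168.1.100", "192.168.1.110", "192.168.1.120"]

# Constructed sample hosts.txt, as a ping sweep might have produced it.
HOSTS_TXT = """\
# live hosts found by nmap -sP 192.168.1.0/24 (constructed sample)
192.168.1.100
192.168.1.110
192.168.1.120
192.168.1.1      # the lab gateway, on the "do not use" list
192.168.1.150    # another student's workstation
"""


def parse_hosts_file(text):
    """Parse a hosts file in the form nmap -iL accepts: one IP address or
    CIDR block per line. Blank lines and '#' comments are ignored.
    Every entry comes back as an ip_network (a bare address is a /32)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts "192.168.1.100/24" and normalises it to the block
        entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def out_of_scope(hosts_text, authorized=AUTHORIZED):
    """Return the entries in hosts_text that are NOT covered by the
    authorized list. A CIDR block is in scope only if some authorized
    network contains the whole block, so a stray /24 is rejected rather
    than silently expanded."""
    allowed = [ipaddress.ip_network(a) for a in authorized]
    bad = []
    for net in parse_hosts_file(hosts_text):
        covered = any(a.version == net.version and net.subnet_of(a)
                      for a in allowed)
        if not covered:
            # Report single hosts as plain addresses, blocks in CIDR form.
            bad.append(str(net.network_address) if net.num_addresses == 1
                       else str(net))
    return bad


def check_scope(hosts_text=HOSTS_TXT):
    """Print a verdict and return the offending entries (empty = all good)."""
    bad = out_of_scope(hosts_text)
    if bad:
        print("Refusing to scan, out-of-scope entries:", ", ".join(bad))
    else:
        print("All entries are within the authorized scope")
    return bad


if __name__ == "__main__":
    check_scope()
```

Run it against the real hosts.txt (for example by reading the file into `check_scope`) before the `nmap -iL hosts.txt` step; anything it reports should be removed from the file, not scanned.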
22. 2. Recon
  We will start by probing the hosts to determine open ports: nmap
  We can also run other automated tools, like a vulnerability scanner or a web application scanner: Nessus, Nikto
23. nmap
  Nmap is:
    Free and open source
    A tool to discover, monitor, and troubleshoot TCP/IP networks
    Cross platform
    Simple to use
  http://nmap.org/
24. Using nmap 101
  Millions of options: nmap -h
  nmap [target]           scans the 1000 most common TCP ports
  nmap -F [target]        scans the 100 most common TCP ports
  nmap -iL filename.txt   scans all hosts in the file, one per line
25. Using nmap 102
  nmap -sS [target]   SYN scan
  nmap -O             OS fingerprinting
  nmap -p80           scans port 80
    -p-               all ports
    -p21,22,25,80     scans those ports
  nmap -v             verbose
  nmap -n             do not resolve DNS
  Many cheat sheets online, and -h has many more
  Example: nmap -sSV -n -O -P0 192.168.1.100 > 100TCP.txt
26. Lab
  Open a terminal
  cd to the location where hosts.txt is
  nmap -n -F -iL hosts.txt
  This will do a quick scan (100 most common TCP ports) of each live host
  What did you find? What now?
  Documentation: http://192.168.1.100
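The scans on slides 24 to 26 end up in text files like 100TCP.txt, and "what did you find?" is easier to answer (and to document) from a per-host table than from raw output. The parser below is an added example, not part of the workshop: it reads nmap's normal (human-readable) output for one or more hosts, including the optional VERSION column from -sV, and the older "Interesting ports on" host header that earlier nmap releases print, and returns a host-to-ports structure plus a rendered table. The sample output is constructed for the example and does not describe the real lab hosts.

```python
import re
from collections import OrderedDict

# Constructed sample of nmap normal output (as redirected with "> file.txt").
# The hosts, ports and version strings are made up for this example.
SAMPLE_OUTPUT = """\
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-01-15 09:12 EST
Nmap scan report for 192.168.1.100
Host is up (0.0021s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.3
111/tcp open  rpcbind

Nmap scan report for 192.168.1.120
Host is up (0.0018s latency).
Not shown: 98 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
8180/tcp filtered unknown

Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Host header: "Nmap scan report for 10.0.0.5", "Nmap scan report for name (10.0.0.5)",
# or the older "Interesting ports on 10.0.0.5:".
HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on)\s+(\S+?)(?:\s+\(([\d.]+)\))?:?$")
# Port line: "22/tcp  open  ssh  OpenSSH 4.3 (protocol 2.0)"; the version is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_nmap_output(text):
    """Return {host: [{port, proto, state, service, version}, ...]} in the
    order hosts appear. A host with no port lines still gets an empty list,
    so it is not lost from the documentation."""
    hosts = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)   # prefer the IP in parentheses
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5) or "",
            })
    return hosts


def open_ports(hosts):
    """Host -> sorted open port numbers; filtered/closed ports are dropped."""
    return {h: sorted(p["port"] for p in ports if p["state"] == "open")
            for h, ports in hosts.items()}


def render_table(hosts):
    """Plain-text table suitable for pasting into the lab notes."""
    lines = ["HOST             PORT       STATE     SERVICE   VERSION"]
    for host, ports in hosts.items():
        if not ports:
            lines.append(f"{host:<16} (no ports reported)")
        for p in ports:
            lines.append(f"{host:<16} {p['port']}/{p['proto']:<6} "
                         f"{p['state']:<9} {p['service']:<9} {p['version']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(parse_nmap_output(SAMPLE_OUTPUT)))
```

For anything beyond a quick lab write-up, nmap's own machine-readable formats (-oG for grepable, -oX for XML) are the better input; the normal output parsed here is simply what the redirect on slide 25 leaves behind.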
27. Go at it
  The intro and scenario have been set.
  Feel free to hack away at the three hosts:
    192.168.1.100
    192.168.1.110
    192.168.1.120
28. Nessus
  Nessus is NOT a part of BackTrack, but it is the best vulnerability scanner available
  http://www.tenablesecurity.com
  For BackTrack 4, download the Ubuntu 8.04 32-bit .deb
  Install:
    dpkg -i *.deb
    /opt/nessus/sbin/nessus-adduser
  Register: http://www.nessus.org/plugins/?view=register-info
  Start Nessus: /etc/init.d/nessusd start
  https://localhost:8834/
29. Nikto
  Web server scanner
  http://cirt.net/nikto2
  /pentest/scanners/nikto
  ./nikto.pl -host <websiteip>:<port>
30. 3. Gain Access
  Leverage findings from steps 1 and 2
  What have we found?
  Use Hydra to brute force SSH using possible usernames.
31. 3. Elevate Privileges
  The user you cracked doesn't have enough privileges... how do you find who does?
    cat /etc/passwd
    cat /etc/group
  Brute force SSH with a known user that has sudo privs...
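Reading /etc/passwd and /etc/group by eye answers "who is root-equivalent on this box?", and that is the same question a defender should be asking of every system they own, because every account listed is one more password whose strength matters. The script below is an added example, not part of the workshop: it parses the two files and lists every account that has uid 0 or that belongs to an admin group (sudo, admin or wheel, whichever the distribution uses), whether through its primary group in passwd or through the member list in group. The file contents are constructed for the example.

```python
# Constructed /etc/passwd and /etc/group contents for the example.
# "toor" is a second uid-0 account and "carol" gets sudo only through her
# primary gid, two cases a hand read of the files easily misses.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:backup root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""

GROUP = """\
root:x:0:
adm:x:4:alice
sudo:x:27:alice
admin:x:117:bob
wheel:x:10:
users:x:100:alice,bob,carol
"""

# Group names that grant root via sudo on common distributions.
ADMIN_GROUPS = ("sudo", "admin", "wheel")


def parse_colon_file(text):
    """Split a colon-separated file into rows, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def privileged_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Return {username: sorted reasons} for every account that is uid 0 or
    belongs to an admin group, via primary gid or supplementary membership."""
    reasons = {}

    def note(user, why):
        reasons.setdefault(user, set()).add(why)

    users = parse_colon_file(passwd_text)   # name, pw, uid, gid, gecos, home, shell
    groups = parse_colon_file(group_text)   # name, pw, gid, members
    gid_of = {g[0]: g[2] for g in groups if len(g) >= 3}

    for row in users:
        if len(row) < 4:
            continue
        name, uid, gid = row[0], row[2], row[3]
        if uid == "0":
            note(name, "uid 0")
        for g in admin_groups:
            if g in gid_of and gid_of[g] == gid:
                note(name, f"primary group {g}")

    for row in groups:
        if len(row) < 4 or row[0] not in admin_groups:
            continue
        for member in filter(None, row[3].split(",")):
            note(member, f"member of {row[0]}")

    return {u: sorted(r) for u, r in sorted(reasons.items())}


if __name__ == "__main__":
    for user, why in privileged_accounts(PASSWD, GROUP).items():
        print(f"{user:<10} {', '.join(why)}")
```

On a real host the same function runs over `open("/etc/passwd").read()` and `open("/etc/group").read()`; sudoers rules granted to individual users or to other groups live in /etc/sudoers and /etc/sudoers.d, which this example does not read.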
32. Keep Going and Try Harder!!!
  Each scenario is different.
  Apply what you know and have experienced in the past to the current scenario.
  Tools won't do it all; use your head!
33. Conclusion and Take Away
  Get permission
  Run some scans on your hosts: Nmap, Nessus, Nikto
  Always be willing to learn more, try harder, and think harder