Backtrack Penetration Testing:
What is Penetration Testing?
Penetration testing is the legal and authorized attempt to exploit a computer system with the intent of making a network or system more secure. The process includes scanning systems for weak spots and launching attacks to prove that the system is vulnerable to attack from a real hacker.
Penetration Testing has several names:
- Pen Testing
- Ethical Hacking
- White Hat Hacking
As you learn more about the art of hacking, you will see three terms used a lot: the white hats, the black hats, and the gray hats. The white hats are the “good guys”. They hack systems and networks so that the black hats (“bad guys”) cannot. The black hats, also known as “crackers”, are those that use hacking with malicious intent. They’re the ones that want to steal company secrets or your credit card information. For this reason, it is important for the white hats to know the tools and tricks of the black hats to stay a step ahead of them. As for the gray hats, they’re a combination of white and black. They often hack just because they can or like the challenge.
If you have been following the security world, you may have heard of Kali Linux, also known as the newest Backtrack. Any lessons here can be used in both Backtrack 5 and Kali. I will be writing an article about any differences between the two sometime soon.
Hacking Lab
Having a place to practice is necessary to learn how to hack. This is where your own home hacking lab comes in. It is a place where you can control your attacks without harming any other systems. We want our lab to be isolated, with no chance of an attack escaping to targets we didn’t mean to hit.
Option 1:
- Two computers
- Ethernet Cable
- A switch
Option 2:
- Use Virtual Machines
- You will need 3 or more virtual machines: one for Backtrack, one for a Windows machine, and one for another Linux box. The Linux box will act as our victim server: SSH, web server, FTP, etc.
Option 1 is in case you have older hardware that can’t handle running more than one VM. However, these days, modern hardware can handle them. Option 2 is the better choice because you only need one computer.
Steps in Penetration Testing
- Reconnaissance
- Scanning
- Exploitation
- Maintaining Access
Reconnaissance
We want to begin a pen test by reviewing the target’s website. We may actually use a tool called HTTrack to make a page-by-page copy of the website. HTTrack is a free program that creates an identical, off-line copy of the target website. The copied website will include all the pages, links, pictures, and code from the original website; however, it will reside on your local computer. Using a website copying tool like HTTrack allows us to explore and thoroughly mine the website “off-line” without having to spend additional time traipsing around on the company’s web server.
To install HTTrack open the console and type:
sudo apt-get install httrack
Once it is installed, begin HTTrack by typing httrack in the console:
Next, name your project whatever you want. Select a path where you want to save the off-line copy. I just left it as default (/home/websites). Just hit enter to leave it as such. Then enter the site you want to copy. I am using my own site since I will not get in trouble for copying it. (Please do not copy my site… Thanks!).
Pick an action you want. If you want to copy the site, press 1 then enter. HTTrack has a few options for you to pick from including a proxy to help cover your tracks. I am just using the basics for demonstration. I recommend you use a proxy when doing a real pen test.
After HTTrack finishes, you will have a complete off-line copy of the target site which you can review for information.
The Harvester
The Harvester is a simple Python script written by Christian Martorella at Edge Security. This tool allows us to quickly catalog both e-mail addresses and subdomains that are directly related to the target system.
The Harvester can be used to search Google and Bing for e-mails, hosts, and subdomains. It can also search LinkedIn for user names. Oftentimes you will find an email address, which could double as a login or user name.
To use theHarvester first type in your console:
root@bt:~# cd /pentest/enumeration/theharvester
root@bt:~# ./theHarvester.py -d backtracktutorials.com -l 10 -b google
-d is used to specify the target domain.
A lowercase -l (that’s ‘L’, not a ‘1’) is used to limit the number of results returned to us. In this case, the tool was instructed to return only 10 results. The -b is used to specify what public repository we want to search. We can choose among Google, Bing, PGP, or LinkedIn.
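To make concrete what a harvester actually does with the pages it pulls back, here is an added example (my own illustration, not code from theHarvester or from this site): it scans a constructed HTML page for e-mail addresses and hostnames and keeps only those belonging to the target domain, the same filtering theHarvester applies to search-engine results. The HTML, the domain example.com and the function name harvest are all assumptions for the demonstration; a defender can run the same thing over their own public pages to see what an attacker's reconnaissance would collect.

```python
import re

# Constructed sample page standing in for a public page of the target domain.
SAMPLE_HTML = """
<html><body>
<a href="mailto:webmaster@example.com">Contact</a>
<p>Sales: sales@example.com, support at support@example.com</p>
<a href="https://mail.example.com/owa">Webmail</a>
<a href="http://vpn.example.com:443/login">VPN</a>
<img src="//cdn.example.com/logo.png">
<a href="https://www.othersite.org/x">Partner</a>
<p>Not ours: bob@othersite.org</p>
</body></html>
"""

# Simple patterns: an e-mail address, and the host part of an absolute or
# protocol-relative URL (everything after "//" up to ":", "/" or whitespace).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


def harvest(html, domain):
    """Return (emails, hosts) found in html that belong to domain.

    Matches are lower-cased and de-duplicated; anything outside the target
    domain (partner sites, CDNs of other companies) is dropped, mirroring the
    -d filter of theHarvester.
    """
    domain = domain.lower()
    emails = {m.lower() for m in EMAIL_RE.findall(html)
              if m.lower().endswith("@" + domain)}
    hosts = set()
    for host in HOST_RE.findall(html):
        host = host.lower()
        if host == domain or host.endswith("." + domain):
            hosts.add(host)
    return sorted(emails), sorted(hosts)


if __name__ == "__main__":
    found_emails, found_hosts = harvest(SAMPLE_HTML, "example.com")
    print("e-mails:", *found_emails, sep="\n  ")
    print("hosts:", *found_hosts, sep="\n  ")
```

The e-mail list is exactly what L37 warns about: each address is a candidate login name, so a defender should treat every address published on the site as one half of a credential pair.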
Scanning
The scanning process can be divided into three steps:
- Determining if a system is active.
- Port scanning the system.
- Scanning the system for vulnerabilities.
Step 1 is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the least reliable and we should always continue with steps 2 and 3 regardless of the outcome of this test. Regardless, it is still important to conduct this step and make note of any machines that respond as alive.
A port is a numbered endpoint that a program on one computer uses to exchange data over the network with programs on other computers, software, or devices; each network service listens on a port so that clients know where to reach it.
Common Ports and their Service
Port Number   Service
20            FTP data transfer
21            FTP control
22            SSH
23            Telnet
25            SMTP (e-mail)
53            DNS
80            HTTP
443           HTTPS
Pings and Ping Sweeps
A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic, called ICMP Echo Request packets, to a specific interface on a computer or network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond back to the originating machine with an Echo Reply packet. Aside from telling us that a host is alive and accepting traffic, pings provide other valuable information including the total time it took for the packet to travel to the target and return.
Pings also report traffic loss that can be used to gauge the reliability of a network connection.
Ping google.com with the count argument -c 4 to send four echo requests instead of pinging forever: ping -c 4 google.com
The simplest way to run a ping sweep is with a tool called FPing. FPing is built into Backtrack and is run from the terminal. The easiest way to run FPing is to open terminal window and type the following:
fping -a -g 172.16.45.1 172.16.45.254 > hosts.txt
The “-a” argument is used to show only the live hosts in the output. This makes our final report much cleaner and easier to read. The “-g” is used to specify the range of IP addresses we want to sweep. You need to enter both the beginning and the ending IP addresses. In this example, we scanned all the IPs from 172.16.45.1 to 172.16.45.254. The “>” character redirects the output to a file, and hosts.txt is the name of the file our results will be saved to.
Port Scanning
There are a total of 65,536 (0–65,535) ports on every computer. Ports can be either TCP or UDP depending on the service using the port. We scan computers to see what ports are in use or “open”. This gives us a better picture of the purpose of the machine, which gives us a better idea about how to attack the box.
TCP 3-Way Handshake
Before we go on, we first have to know how computers on a network communicate with each other. When two computers want to communicate, they go through a process known as the 3-way handshake. The first computer, A, will send a synchronize (SYN) packet to the other computer, B. Then, if computer B is listening (has its port open), it will respond back to A with a synchronize-acknowledgement (SYN-ACK) packet. Finally, computer A will send an acknowledgement (ACK) packet to computer B, and the two computers will communicate as usual.
Using Nmap
It is the official guide to using the nmap scanner. What more can I say? This book will cover nmap much more in depth than this site.
When we conduct a port scan, Nmap will create a packet and send it to each designated port on the computer just like the 3-way handshake. The goal is to determine what kind of a response we get from the target ports.
To use Nmap, open up the terminal and type:
nmap -p- 192.168.56.101
Here I scan a Windows XP machine on my network.
The “-p-” tells nmap to scan all ports on a target machine. The address after it (192.168.56.101 in the command above) is the local IP of the target machine.
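To show what “a packet to each designated port, just like the 3-way handshake” means in practice, here is an added example of my own (not code from Nmap or from this site). It performs a full TCP connect against each port, which is the complete SYN, SYN-ACK, ACK exchange described above, and labels open ports with the service names from the table. To keep it self-contained it starts its own throwaway listener on 127.0.0.1 as the “open” port; the host, port list, and the function names connect_scan, start_listener and free_port are assumptions for the demonstration. Run it only against machines you own or are authorized to test.

```python
import socket
import threading
from contextlib import closing

# Port-to-service mapping taken from the table above (constructed subset).
COMMON_PORTS = {20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet",
                25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def connect_scan(host, ports, timeout=0.5):
    """Probe each port with a full TCP connect; return {port: 'open'|'closed'}.

    connect() only returns once the kernel has completed the three-way
    handshake, so success means a listener answered with SYN-ACK. A reset
    (ConnectionRefusedError) or a silent drop (timeout) both count as closed
    here; a real scanner distinguishes "closed" from "filtered".
    """
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except OSError:  # covers refused, timeout, unreachable
                results[port] = "closed"
    return results


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port so the scan has a live target.

    Returns (server_socket, port); close the socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()  # handshake done; we never send application data
            except OSError:
                break  # server socket closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port number that currently has no listener (bind, read, release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def report(results):
    """Render results nmap-style: '22/tcp open SSH'."""
    return [f"{port}/tcp {state} {COMMON_PORTS.get(port, 'unknown')}"
            for port, state in sorted(results.items())]


if __name__ == "__main__":
    srv, live_port = start_listener()
    scan = connect_scan("127.0.0.1", sorted(COMMON_PORTS) + [live_port])
    print("\n".join(report(scan)))
    srv.close()
```

A connect scan like this is what nmap does with -sT; when nmap runs as root its default is a half-open SYN scan that never sends the final ACK, which is why the target's service never sees a completed connection and often does not log it. Defenders who want to catch port scans therefore watch for bursts of SYNs to many ports from one source, not just for completed sessions.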
Vulnerability Scanning
To scan systems for vulnerabilities, we will use a vulnerability scanner. There are several good scanners available, but we will be focusing on Nessus. To install Nessus type:
root@bt:~# apt-get install nessus
Then, to access Nessus via the GUI go to:
Applications -> Backtrack -> Vulnerability Assessment -> Vulnerability Scanner -> Nessus -> Nessus Start.
Exploitation
Medusa
Medusa is a log-in brute forcer that attempts to gain access to remote services by guessing at the user password. Medusa is capable of attacking a large number of remote services including FTP, HTTP, MySQL, Telnet, VNC, Web Form, and more. In order to use Medusa, you need several pieces of information including the target IP address, a username or username list that you are attempting to log in as, a password or dictionary file containing multiple passwords to use when logging in, and the name of the service you are attempting to authenticate with.
Medusa comes installed on Backtrack 5. However, if you are using a different version of backtrack without Medusa type:
apt-get update
apt-get install medusa
When using online password crackers, the potential for success can be greatly increased if you combine this attack with information gathered from reconnaissance and scanning. An example of this is when you find usernames, passwords, and email addresses. Programs like Medusa will take a username and password list and keep guessing until it uses all the passwords. Be aware that some remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you are allowed. Your IP address can be blocked or the username can be locked out if you enter too many incorrect guesses.
Backtrack includes a few word lists that you can use for your brute forcing adventures. You can find one list at:
/pentest/passwords/wordlists/
In order to execute the brute-force attack, you open a terminal and type the following:
medusa -h target_ip -u username -P path_to_password_dictionary -M service_to_attack
“-h” is used to specify the IP address of the target host. The “-u” is used for a single username that Medusa will use to attempt log-ins. “-P” (uppercase) is used to specify an entire list containing multiple passwords, and needs to be followed by the actual location or path to the dictionary file. The “-M” switch is used to specify which service we want to attack.
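The throttling and lockout behaviour mentioned above is exactly what a brute forcer like Medusa runs into, so here is an added example of the other side of it (my own code, not part of this site or of Medusa): a small detector that reads constructed sshd-style log lines and flags any source IP that fails the same username five times within sixty seconds, which is the point at which a throttling system would block the IP or lock the account. The log lines, the year 2024 used to complete the syslog timestamps, and the function names parse and detect_bruteforce are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines (not real logs): six rapid failures for
# "admin" from one address, one stray failure and a success for "bob", and a
# lone failure an hour later.
SAMPLE_LOG = """\
Jan 10 12:00:01 victim sshd[2101]: Failed password for admin from 10.0.2.15 port 40001 ssh2
Jan 10 12:00:02 victim sshd[2102]: Failed password for admin from 10.0.2.15 port 40002 ssh2
Jan 10 12:00:03 victim sshd[2103]: Failed password for admin from 10.0.2.15 port 40003 ssh2
Jan 10 12:00:04 victim sshd[2104]: Failed password for admin from 10.0.2.15 port 40004 ssh2
Jan 10 12:00:05 victim sshd[2105]: Failed password for admin from 10.0.2.15 port 40005 ssh2
Jan 10 12:00:06 victim sshd[2106]: Failed password for admin from 10.0.2.15 port 40006 ssh2
Jan 10 12:00:30 victim sshd[2107]: Failed password for bob from 10.0.2.20 port 40007 ssh2
Jan 10 12:05:00 victim sshd[2108]: Accepted password for bob from 10.0.2.20 port 40008 ssh2
Jan 10 13:00:00 victim sshd[2109]: Failed password for admin from 10.0.2.15 port 40009 ssh2
"""

# One sshd password event: timestamp, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

LOG_YEAR = "2024"  # assumed: syslog timestamps carry no year


def parse(log_text):
    """Return a list of (timestamp, result, user, ip) tuples; skip other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(LOG_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside a sliding window.

    Returns {(ip, user): time_of_first_alert}. Successful logins are ignored
    by the counter, so a correct guess after the threshold is still preceded
    by an alert, which is when a throttling system would cut the source off.
    """
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result != "Failed":
            continue
        window = recent[(ip, user)]
        window.append(ts)
        # Drop failures that fell out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and (ip, user) not in alerts:
            alerts[(ip, user)] = ts
    return alerts


if __name__ == "__main__":
    for (ip, user), when in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"{when:%H:%M:%S} lock out {ip} for user {user}")
```

Tuning the two numbers is the whole policy question: a low threshold with a long window stops a slow, patient dictionary run but makes it easier for an attacker to lock out legitimate users on purpose, which is why many systems throttle the source IP rather than disabling the account outright.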