
BackTrack 4 R2 - SFISSA Presentation


This presentation was put together for a South Florida ISSA technical workshop.



  1. BackTrack 4 – R2
     Jorge Orchilles
     Peter Greko
     South Florida ISSA
  2. About Jorge Orchilles
     - Information * for over 8 years
     - Security Analyst – Fortune 10
     - Consultant by night – Orchilles Consulting
     - Master of Science and BBA in Management Information Systems – Florida International University
     - Author – Microsoft Windows 7 Administrator’s Reference (Syngress)
     - Certifications – CISSP, GCIH, CEH, CICP, CCDA, CSSDS, MCTS, MCP, Security+
     - Organizations:
       - President, South Florida ISSA
       - OWASP
       - InfraGard
       - Miami Electronic Crimes Task Force
       - Hack Miami
  3. About Peter Greko
     - Local InfoSec Researcher
     - Security Analyst – Fortune 10
     - Hack Miami Board Member
     - Not one of “them 2”
     - Speaks at conferences: HOPE, Hacker Halted, AppSec DC
  4. Intro to BackTrack
     - Live DVD for penetration testing
     - Can download a VM as well
     - 300+ tools installed
     - Saves a lot of time
     - Runs on Ubuntu
     - KDE
  5. Let’s Get Started
     - Insert the BackTrack 4 R2 DVD and reboot your computer.
     - When the BIOS comes up, press F2, F12, etc. depending on your BIOS for the Boot Menu – select DVD.
     - When the BackTrack splash screen comes up, press Enter.
     - To log in:
       Username: root
       Password: toor
  6. Configure
     - Start KDE: startx
     - Start networking: open a terminal and run /etc/init.d/networking start
     - Wireless: KDE – Internet – Wicd Network Manager
       SSID: SFISSA
       WPA-PSK: SFISSArocks!
     - DHCP:
     - Static IP:
       ifconfig eth0
       route add default gw (not required)
       DNS: echo nameserver <ip> > /etc/resolv.conf
     - Do not use:
       – Level 1 Victim
       – Level 2 Victim
       – Metasploitable
     - Ping to ensure you are up.
  7. /pentest
     - Get familiar with the BackTrack GUI and the /pentest directory
     - These are all the tools available to you
     - How many have you played with already?
  8. Ethical Hacking 101
     0. Get Permission
     1. Information Gathering
     2. Recon – Scanning
     3. Gain Access
     4. Maintain Access
     5. Cover Tracks – clean up
     “Most of hacking is doing user and admin tasks with malicious intent.” – SANS SEC504 Class
  9. 0. Get Permission
     You have permission to attack ONLY the following hosts:
     Anything else is considered illegal!
     SFISSA
     SFISSArocks!
  10. 1. Information Gathering
     - We will be probing the three hosts which were already given.
     - Some background:
       100 and 110 are from
       120 is called Metasploitable
     - Not much else to do here
     - No Google
  11. Real Scenario
     - You would most likely need to identify live hosts:
       Ping sweep: nmap -sP
       DNS zone transfer: host -l <domain.local> <DNSserverip>
       Netdiscover – BackTrack KDE
     - Documentation: create a txt file with the identified hosts.
  12. 2. Recon
     - We will start by probing the hosts to determine open ports: nmap
     - We can also run other automated tools, like a vulnerability scanner or web application scanner: Nessus, Nikto
  13. nmap
     Nmap is:
     - Free and open source
     - A tool to discover, monitor, and troubleshoot TCP/IP networks
     - Cross platform
     - Simple to use
  14. Using nmap 101
     - Millions of options: nmap -h
     - nmap [target] – scans the 1000 most common TCP ports
     - nmap -F [target] – scans the 100 most common TCP ports
     - nmap -iL filename.txt – scans all hosts in the file, one per line
  15. Using nmap 102
     - nmap -sS [target] – SYN scan
     - nmap -O – OS fingerprinting
     - nmap -p80 – scans port 80
       -p- – all ports
       -p21,22,25,80 – scans those ports
     - nmap -v – verbose
     - nmap -n – do not resolve DNS
     - Many cheat sheets online, and -h has many more
     - Example: nmap -sSV -n -O -P0 > 100TCP.txt
  16. Lab
     - Open a terminal
     - cd to the location where hosts.txt is
     - nmap -n -F -iL hosts.txt
     - This will do a quick scan (100 most common TCP ports) for each live host
     - What did you find? What now?
     - Documentation
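The lab slide ends with "Documentation". The following is an added example, not part of the original slides, showing one way to turn an nmap run into the hosts list and notes the slides ask for: it parses nmap's grepable report format (produced by the real `-oG` option, which the slides do not mention) into the live hosts and their open ports. The report embedded below is constructed for the example, not a scan of the workshop hosts, and uses 192.0.2.x documentation addresses.

```python
"""Turn an nmap grepable report (-oG) into the 'documentation' the lab asks for.

Added example: parses nmap's grepable output into live hosts and open ports.
"""
import re
from collections import OrderedDict

# Constructed sample of nmap -oG output; not a real scan of the workshop hosts.
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Sat Nov 13 10:00:00 2010 as: nmap -n -F -iL hosts.txt -oG scan.gnmap
Host: 192.0.2.100 ()\tStatus: Up
Host: 192.0.2.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (97)
Host: 192.0.2.110 ()\tStatus: Up
Host: 192.0.2.110 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///\tIgnored State: closed (98)
Host: 192.0.2.120 ()\tStatus: Down
# Nmap done at Sat Nov 13 10:00:05 2010 -- 3 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

# One port entry in a "Ports:" field: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {ip: {"up": bool, "open": [(port, proto, service), ...]}} in scan order."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: <ip> (<hostname>)"
        entry = hosts.setdefault(ip, {"up": False, "open": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["up"] = field.split()[1] == "Up"
            elif field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    if state == "open":
                        entry["open"].append((int(port), proto, service))
    return hosts


def live_hosts(hosts):
    """The hosts.txt content: one live address per line, in scan order."""
    return [ip for ip, entry in hosts.items() if entry["up"]]


def render_report(hosts):
    """One line per live host listing its open ports, for the lab notes."""
    lines = []
    for ip in live_hosts(hosts):
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in hosts[ip]["open"]) or "none"
        lines.append(f"{ip}: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(live_hosts(scan)))  # what you would save as hosts.txt
    print(render_report(scan))
```

Only open ports are kept; the "Ignored State" field summarises the closed or filtered ports nmap did not list individually, which is why a closed port in the sample does not appear in the report.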
  17. Go at it
     - The intro and scenario have been set
     - Feel free to hack away at the three hosts:
  18. Nessus
     - Nessus is NOT a part of BackTrack, but it is the best vulnerability scanner available
     - For BackTrack 4 download the Ubuntu 8.04 32-bit .deb
     - Install:
       dpkg -i *.deb
       /opt/nessus/sbin/nessus-adduser
     - Register:
     - Start Nessus: /etc/init.d/nessusd start
     - https://localhost:8834/
  19. Nikto
     - Web server scanner
     - /pentest/scanners/nikto
     - ./ -host <websiteip>:<port>
  20. 3. Gain Access
     - Leverage findings from steps 1 and 2
     - What have we found?
     - Use Hydra to brute force SSH using possible usernames.
  21. 3. Elevate Privileges
     - The user you cracked doesn’t have enough privileges… how do you find who does?
       cat /etc/passwd
       cat /etc/group
     - Brute force SSH with a known user that has sudo privs…
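The two slides above describe brute forcing SSH with Hydra. Seen from the target, that activity is loud in the system's auth log, and the following added example (not from the slides) shows the detection logic a defender would run over those lines: it flags a source address that accumulates a threshold of "Failed password" entries within a time window, and separately flags a later "Accepted password" from that same source, which is the "user you cracked" outcome the slides describe. The log excerpt is constructed, and the threshold, window and the year assumed for the syslog timestamps are parameters chosen for the example.

```python
"""Detect SSH password brute forcing in OpenSSH auth-log lines.

Added example: sliding-window failure counting per source address, plus an
alert when a login succeeds from a source that was already flagged.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt in syslog format; not real traffic.
SAMPLE_AUTH_LOG = """\
Nov 13 10:15:01 victim sshd[2101]: Failed password for invalid user admin from 192.0.2.50 port 44312 ssh2
Nov 13 10:15:01 victim sshd[2103]: Failed password for root from 192.0.2.50 port 44313 ssh2
Nov 13 10:15:02 victim sshd[2105]: Failed password for bob from 192.0.2.50 port 44315 ssh2
Nov 13 10:15:02 victim sshd[2107]: Failed password for bob from 192.0.2.50 port 44316 ssh2
Nov 13 10:15:03 victim sshd[2109]: Failed password for bob from 192.0.2.50 port 44318 ssh2
Nov 13 10:15:04 victim sshd[2111]: Accepted password for bob from 192.0.2.50 port 44320 ssh2
Nov 13 10:20:30 victim sshd[2200]: Failed password for alice from 192.0.2.77 port 50001 ssh2
Nov 13 10:21:10 victim sshd[2202]: Accepted password for alice from 192.0.2.77 port 50002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password" lines; "invalid user" is
# present when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2010):
    """Return a dict for a password-auth line, or None for anything else.

    Syslog timestamps carry no year, so one is supplied as an assumption.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts in log order.

    ("burst", src, count): `threshold` or more failures from src inside `window`.
    ("success_after_burst", src, user): a successful login from a flagged src,
    i.e. the guessing worked.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, len(q)))
        elif src in flagged:
            alerts.append(("success_after_burst", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failure from the second address never reaches the threshold, so its later successful login is not reported; a real deployment would tune the threshold and window to the host's normal failure rate and would also watch for the same pattern spread across many source addresses.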
  22. Keep Going and Try Harder!!!
     - Each scenario is different
     - Use what you know and have experienced in the past in the current scenario.
     - Tools won’t do it all, use your head!
  23. Conclusion and Take Away
     - Get permission
     - Run some scans on your hosts: Nmap, Nessus, Nikto
     - Always be willing to learn more, try harder, and think harder
  24. Questions?
     Jorge Orchilles
     Twitter: jorgeorchilles