Backtrack 5 Tutorial
Upload: emrouz

Post on 20-Oct-2015

12 views

Category:

Documents


1 download

DESCRIPTION

Backtrack-5Tutorial

TRANSCRIPT


Backtrack 5 Complete Tutorial

The Backtrack 5 Complete Tutorial is a series of tutorials that show how to use every tool included in the Backtrack 5 Live CD. They are separated into the groups in which they appear on Backtrack:

• Information Gathering

• Vulnerability Assessment

• Exploitation Tools

• Privilege Escalation

• Maintaining Access

• Reverse Engineering

• RFID Tools

• Stress Testing

• Forensics

• Reporting Tools

• Services

• Miscellaneous


Backtrack 5 Information Gathering

1. Network Analysis

o Bluetooth Analysis: bluediving, btscanner

o DNS Analysis: dnsdict6, dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce, lbd

Network Analysis

Bluetooth Analysis

bluediving

Bluediving is a software suite specializing in Bluetooth penetration testing. Bluediving itself comprises several tools, such as Bluebug and BlueSnarf. Using these tools, Bluediving provides a single platform for launching nearly every type of Bluetooth-based attack. Bluediving presents a simple, easy-to-use command line where the user is given the option of choosing attack targets, choosing attack methods, and even enumerating the various Bluetooth devices discovered. The top-level menu looks like this:

[MAIN MENU]
menu: [a] Action [e] Exploit [i] Info [t] Tools
[1] Scan
[2] Scan and attack
[3] Scan and info
[4] Scan for...
[5] Add known device
[6] Change preferences
[7] Show preferences
[8] Show logfile
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[x] Exit

btscanner

btscanner is a utility used to gather as much information as possible from an unpaired Bluetooth device. It is specifically aimed at extracting information from unpaired devices, such as IEEE OUI numbers and possible host identification. The example below shows how to use btscanner to scan for available Bluetooth devices.

Example Usage: btscanner

Enter 'i' to begin a scan for devices, and then 'a' to abort the scan once devices are found. Select a discovered device by pressing Enter to see more information about it.

DNS Analysis

dnsdict6

dnsdict6 is a utility used to enumerate a domain for IPv6 DNS entries, meaning it will try to find as many IPv6 (AAAA) DNS records for the selected domain as possible. This is useful for finding subdomains that may be invisible to the public but still exist in DNS records. Often, these forgotten domains are outdated and can be a vector for exploit-based attacks against the domain. dnsdict6 uses a dictionary list to guess possible DNS entries.

Example Usage: dnsdict6 google.com

dnsenum.pl

dnsenum is a Perl utility used to collect as much information as possible about a domain. It collects basic information such as A records (host addresses), nameservers, and MX records (mail hosts), but also extracts useful information such as BIND versions and searches for unlisted subdomains using a dictionary-based attack. dnsenum also has reverse lookup utilities that can perform reverse DNS lookups for class C network ranges. In the example below, we use dnsenum to look for as much information as possible about the technology-flow.com domain.


Example Usage: ./dnsenum.pl --enum -f dns.txt --update a -r technology-flow.com

dnsmap

dnsmap is a utility used to create a list of hosts and DNS records for a domain. It uses a word list to search for possible subdomains, and can output results in several different formats, such as CSV or plain .txt. In the examples below, we use the dnsmap utility to attempt to map the hosts that technology-flow.com uses. In the second example, a wordlist is used to guess subdomains, and then the results are written to /root/results.txt. The final example simply writes the results to /root/results.txt.

Example Usage: dnsmap technology-flow.com

Example Usage: dnsmap technology-flow.com -w wordlist.txt -r /root/results.txt

Example Usage: dnsmap technology-flow.com -r /root/results.txt

dnsrecon

dnsrecon is a Python-based utility. Currently, dnsrecon has 6 features that make it great for gathering information about a domain or IP address from DNS records:

1. Reverse lookups for IP blocks

2. Top level domain expansion

3. DNS host and domain bruteforce

4. A, NS, SOA and MX record lookups

5. Zone transfer for each NS server found

6. Find SRV records

In the example below, dnsrecon is used in order to guess (brute force option of -t brt) subdomains for technology-flow.com, using dictionary.lst as a dictionary file to pull entries from.

Example Usage: ./dnsrecon.py -t brt -d technology-flow.com -D dictionary.lst
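The dictionary enumeration that dnsdict6, dnsenum, dnsmap and dnsrecon -t brt all perform, as an added example that is not part of the original tutorial or of any of those tools. It resolves against a constructed in-memory zone instead of real DNS and adds the check every one of these tools needs: a wildcard record, which would otherwise make every guessed name look like a real host.

```python
import random
import string

# Constructed stand-in for DNS (not a real zone): name -> address records.
# A real run would resolve with the socket module or dnspython instead.
FAKE_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "old-intranet.example.test": ["192.0.2.30"],  # a forgotten host still in DNS
}
WORDLIST = ["www", "mail", "ftp", "old-intranet", "vpn"]

def dict_resolver(zone):
    """resolve(name) -> list of addresses, backed by the dict above."""
    return lambda name: zone.get(name.lower(), [])

def wildcard_resolver(zone, wildcard_ip):
    """Same zone but with a wildcard record: every unknown name gets an answer."""
    return lambda name: zone.get(name.lower(), [wildcard_ip])

def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels that cannot be real. If they all answer, the zone
    has a wildcard; return its addresses so guesses hitting it can be dropped."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
        answers = resolve(f"{label}.{domain}")
        if not answers:
            return None
        seen.update(answers)
    return seen

def enumerate_subdomains(domain, wordlist, resolve):
    """Dictionary enumeration as dnsdict6/dnsmap/dnsrecon -t brt do it,
    discarding hits that only exist because of a wildcard record."""
    wildcard_ips = detect_wildcard(domain, resolve) or set()
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        answers = [ip for ip in resolve(name) if ip not in wildcard_ips]
        if answers:
            found[name] = answers
    return found

if __name__ == "__main__":
    hits = enumerate_subdomains("example.test", WORDLIST, dict_resolver(FAKE_ZONE))
    for name, ips in sorted(hits.items()):
        print(name, ",".join(ips))
```

Run against your own zones, the output is the list of names still published in DNS that an inventory may have forgotten, which is exactly the exposure the dnsdict6 description above warns about.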

dnstracer

dnstracer is a program that reports the chain of DNS servers that a DNS request passes through in order to complete a lookup. It tells the user which servers have authority for a zone, and which intermediary DNS nodes were found along the way. This tool is very simple to use; the example below uses dnstracer to verbosely find DNS server information for a lookup of technology-flow.com.


Example Usage: dnstracer -v technology-flow.com

dnswalk

dnswalk is a Perl script that helps debug DNS servers. It can run zone transfers for domains, and can help check the consistency and accuracy of records. While originally intended as a DNS debugger, dnswalk can be used to gather information about a particular target domain or target DNS server. In the example below, we look up information for the technology-flow.com domain. Note the trailing ".", which is an important part of the domain name system. Also note that dnswalk provides as much information in its error/warning messages (many servers don't allow zone transfers) as it does in successfully completed queries and transfers.

Example Usage: ./dnswalk technology-flow.com.

fierce

fierce is a Perl program that aims to scan for non-contiguous IP address space. This means it uses a brute force DNS lookup method to search for allocated/unallocated IP addresses for a domain. This information is useful for other scanners, such as nmap, nessus, or nikto, since those utilities need IP information. In the first example below, we scan for IP addresses in the 111.222.333.0/24 range, using ns1.nameserver.com as the nameserver. Next, we use fierce to scan a particular domain, technology-flow.com.

Example Usage: ./fierce.pl -range 111.222.333.0-255 -dnsserver ns1.nameserver.com

Example Usage: ./fierce.pl technology-flow.com

lbd

lbd is a proof of concept shell script that attempts to detect whether a domain uses a load balancing system. To do this, it looks for both DNS and HTTP load balancing, and attempts to work out whether either is in use. This is useful for gathering information about a domain's architecture, as well as how a domain may react to a sudden increase in traffic, such as that caused by a Distributed Denial of Service (DDoS) attack. In this example, we check whether technology-flow.com uses load balancing (it does not):

Example Usage: ./lbd.sh technology-flow.com
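The three signals lbd looks at (several A records, HTTP headers that differ between identical requests, and Date headers that run backwards), worked through as an added example that is not the lbd script itself; the A records and response headers are constructed, not captured from technology-flow.com.

```python
from email.utils import parsedate_to_datetime

# Constructed sample data (not captured from any real host): the addresses a
# name resolved to, and the headers of three rapid GETs of the same URL.
A_RECORDS = ["192.0.2.10", "192.0.2.11"]
RESPONSES = [
    {"Server": "nginx/1.18.0", "Date": "Tue, 20 Oct 2015 10:00:01 GMT", "X-Backend": "web1"},
    {"Server": "Apache/2.4.7", "Date": "Tue, 20 Oct 2015 09:59:58 GMT", "X-Backend": "web2"},
    {"Server": "nginx/1.18.0", "Date": "Tue, 20 Oct 2015 10:00:03 GMT", "X-Backend": "web1"},
]

def dns_balanced(a_records):
    """DNS load balancing: the name answers with more than one distinct address."""
    return len(set(a_records)) > 1

def varying_headers(responses, ignore=("Date", "Set-Cookie", "Content-Length")):
    """HTTP load balancing: header values that change between identical requests
    (lbd's [Server] and [Diff] checks). Headers expected to vary are ignored."""
    names = set().union(*(r.keys() for r in responses))
    return {n for n in names - set(ignore)
            if len({r.get(n) for r in responses}) > 1}

def date_goes_backwards(responses):
    """lbd's [Date] check: a Date header earlier than the previous response's
    points at several backends whose clocks are not synchronised."""
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    return any(later < earlier for earlier, later in zip(dates, dates[1:]))

def check_load_balancing(a_records, responses):
    """Combine the three signals into one verdict, as lbd reports them."""
    return {
        "dns": dns_balanced(a_records),
        "http_headers": varying_headers(responses),
        "date_skew": date_goes_backwards(responses),
    }

if __name__ == "__main__":
    verdict = check_load_balancing(A_RECORDS, RESPONSES)
    print("DNS load balancing:", verdict["dns"])
    print("HTTP headers that differ:", ", ".join(sorted(verdict["http_headers"])) or "none")
    print("Date header skew:", verdict["date_skew"])
```

A single backend produces no differing headers and no clock skew, which is the "does not use load balancing" result the tutorial reports for technology-flow.com.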

Forensics

Anti Virus Forensic Tools

• chkrootkit

• rkhunter

Digital Anti Forensics

• Install truecrypt

Digital Forensics

• hexedit

Forensic Analysis Tools

• bulk_extractor

• evtparse

• exiftool

• missidentify

• mork

• pref

• PTK

• readpst

• reglookup

• stegdetect

• vinetto

Forensic Carving Tools

• fatback

• foremost

• magicrescue

• recoverjpeg

• safecopy

• scalpel

• scrounge-ntfs

• testdisk

Forensic Hashing Tools

• hashdeep

• md5deep


• sha1deep

• sha256deep

• tigerdeep

• whirlpooldeep

Forensic Imaging Tools

• air

• dc3dd

• ddrescue

• ewfacquire

Forensic Suites

• PTK

• Setup Autopsy

• Sleuthkit

Network Forensics

• Driftnet

• p0f

• tcpreplay

• Wireshark

• Xplico

Password Forensics Tools

• CmosPwd

• fcrackzip

• samdump

PDF Forensic Tools

• pdfid

• pdf-parser

• peepdf

RAM Forensics Tools

• pdfbook

• pdgmail

• PTK

• Volatility

Anti Virus Forensic Tools

chkrootkit

chkrootkit is a utility that will check for signs that a device is infected with a rootkit. It runs on Linux, FreeBSD, and OS X. It uses standard utilities such as awk, grep, netstat, cut, echo, and more in order to detect signatures that suggest rootkits.

The standard use of chkrootkit should contain an alternate path to trusted binaries (don’t trust binaries on a machine you are scanning), along with the path to the directory to be scanned.

Example usage: chkrootkit -p [path-to-trusted-binaries] -r [root-path-to-scan]

rkhunter

rkhunter is another utility used to check for signs of rootkits on Unix-based systems. Usually, you will want to run the scan against a mounted filesystem, using a trusted set of binaries. In the example below, the --sk option means that a keypress isn't required after each test run.

Example Usage: rkhunter -c --sk

Digital Anti Forensics

Install truecrypt

This script is used to install TrueCrypt, software that creates encrypted files using various encryption ciphers. It contains features such as hidden partitions inside the encryption file, as well as the ability to use files and text passwords as keys to the encryption file. Look here for a more in-depth TrueCrypt tutorial.

Digital Forensics

hexedit

hexedit is a program that gives the user the ability to view a file in hexadecimal and ASCII. It can also read a device as a file. It includes built-in key shortcuts to make it fast and easy to edit and analyze files, including skipping to specific memory locations, cutting and pasting, and changing views, modes, and syntaxes, similar to emacs.

Example usage: hexedit [filename]

Forensic Analysis Tools

bulk_extractor

bulk_extractor is a utility that scans many types of information storage (files, folders, disk images) and outputs the information that it finds in them. What separates bulk_extractor from other similar tools is its speed. bulk_extractor doesn't look at file system structures on the input, so it is able to process the scan faster, and thus more thoroughly. This tool outputs the information it found as feature files, such as ccn.txt (credit card numbers), email.txt (email addresses), exif.txt (EXIF data from media files), url.txt (URLs found), and more.

Example usage: bulk_extractor -o [output directory] input

Note that the output directory must not already exist.
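A minimal scanner in the style of bulk_extractor, as an added example that is not bulk_extractor's own code: it walks a raw byte buffer with no file-system parsing, writes email.txt, url.txt and ccn.txt feature files, applies a Luhn check before anything lands in ccn.txt, and refuses an output directory that already exists, which is the caveat noted above. The sample "image" bytes are constructed.

```python
import os
import re

# Constructed raw input standing in for a slice of a disk image: no file
# system, just the fragments bulk_extractor pulls out of unstructured storage.
SAMPLE_IMAGE = (
    b"\x00\x00junk\xffFrom: alice@example.test\r\nTo: bob@example.test\r\n"
    b"see http://intranet.example.test/report.pdf for details\x00\x00"
    b"card 4111111111111111 exp 12/26 ... order 1234567890123456 ..."
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")
DIGITS_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, the same filter bulk_extractor applies before a number
    is written to ccn.txt; it removes most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(data):
    """Scan a raw byte buffer and return features keyed by feature-file name."""
    return {
        "email.txt": sorted({m.decode() for m in EMAIL_RE.findall(data)}),
        "url.txt": sorted({m.decode() for m in URL_RE.findall(data)}),
        "ccn.txt": sorted({m.decode() for m in DIGITS_RE.findall(data)
                           if luhn_ok(m.decode())}),
    }

def write_features(features, outdir):
    """Like bulk_extractor -o: refuse an existing directory so evidence from an
    earlier run is never mixed with or overwritten by this one."""
    os.mkdir(outdir)  # raises FileExistsError when outdir already exists
    for name, values in features.items():
        with open(os.path.join(outdir, name), "w") as fh:
            fh.write("".join(v + "\n" for v in values))
    return sorted(os.listdir(outdir))

if __name__ == "__main__":
    for fname, values in scan(SAMPLE_IMAGE).items():
        print(fname, values)
```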

evtparse.pl

This utility takes .evt files, which contain log information for use by the event manager, and parses them into something useful for investigators. Specifically, it dumps the events as a timeline.

Example usage: evtparse.pl -e [event_log]

exiftool

exiftool allows users to read or write metadata (like EXIF) to image, video, and audio files. Here are a few examples from the exiftool manpage:

Example usage: exiftool -a -u -g1 [image_file]

Example usage: exiftool -Comment='Enter a comment in quotes here' [image_file]

missidentify

The missidentify tool finds Windows 32-bit executable files. It can search recursively through folders in order to find them, and then displays the results to the user.

Standard usage would usually include searching recursively (the -r option).

Example usage: missidentify -r [location]

mork.pl

A Perl script that will strip information from a Mork database file. Mork files were previously used by Mozilla programs to store information, such as Firefox browsing history and Thunderbird contacts. While newer Firefox versions now use SQLite database files to store browser information, Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file with information from a Mork file input.

Example usage: mork.pl --html [Mork_file]

pref.pl

This Perl script parses the content of Windows XP and Windows Vista prefetch files and directories. The output can be set to comma separated values (.csv) for easier viewing. In the following example, pref.pl is used to parse data from a folder containing prefetch files from Vista (the default is XP) and output it as a csv file.

Example usage: pref.pl -v -f [prefetch_file] -c

PTK

PTK is a forensics toolkit, similar to the Sleuthkit toolkit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensics investigation. It is browser-based, and first needs a MySQL database configured. Leave all fields at their defaults, and use the password "toor" for the MySQL root user. It should set up successfully, at which point you need to register for the free version. Copy the license file you receive into the PTK config directory at /var/www/ptk/config.

[Figure: PTK on Backtrack 5 tutorial and walkthrough, http://technology-flow.com/wp-content/uploads/2011/05/ptk.png]

Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built-in tools will help you pull information from the image(s).

Volatility

Volatility is a framework written in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type, and can provide deep insight into the state of the system while it was running. The Volatility Framework has been tested on Windows, OS X, Linux, and even Cygwin. In the example below, we use Volatility to list the processes that were running on the system when the RAM image ram.img was taken.

Example Usage: volatility pslist -f ram.img