CBT Nuggets: BackTrack and Kali Linux | 40x MP4 | Video Training | Compressed: 2.34 GB
BackTrack (BT) and Kali Linux are the “Swiss Army Knife” of penetration testing, information gathering and vulnerability assessment tools (all conveniently packaged in a free Linux distribution). Learn all about them in this series with trainer Keith Barker !
Welcome to the tools of BackTrack and Kali Linux
In this introduction, Keith shares important information on how to stay safe (and legal) when using the powerful tools included in BackTrack and Kali, as well as how to get the most out of this series. All the tools demonstrated in this series should only be used on networks/systems where appropriate authorization is provided.
What is BackTrack?
BackTrack (BT) is the “Swiss Army Knife” of penetration testing, information gathering and vulnerability assessment tools (all conveniently packaged in a free single Linux distribution). In this video, Keith introduces this package of tools, as well as options available for running it.
Install BT on a Virtual Machine
BackTrack can be run on live hardware or virtual hardware. In this video, Keith explains where to get BackTrack and Virtualization software for free and walks you through the installation of BT in a VirtualBox-emulated computer. Settings used by Keith are explained in the video and are also available as a download from the NuggetLab download area.
Connecting to the Network
An IP address can be configured via DHCP or through static configuration. The choice is yours on how you want BackTrack to operate. In this video, Keith walks you through configuring a static IP address and how to modify the Linux configuration files so that the same IP address is used next time the system boots. You’ll also see a demo on how to enable SSH. You are encouraged to practice the configurations that you learn in this video. Commands used at the Command Line Interface (CLI) for this video are available in the NuggetLab download area.
Updating S/W and Using Integrated Help
Using built-in help tools, such as man pages are terrific – if you know how to use them. In this video, Keith shares with you how to use both the man pages and built-in help that are often associated with commands at the CLI. The Advanced Package Tool (apt-get) also is presented and demonstrated as a utility to keep software up to date (also applies to new installations). You are encouraged to practice what you learn in this video, including using man pages, command prompt help and doing a system update on your implementation of BackTrack.
BT Wireless TX Power
In this video, Keith walks you through verifying and changing the wireless transmission strength for a wireless adapter that’s being used by BackTrack. This technique can be useful when the BT needs a slightly further wireless reach or when we want the BT to be more “quiet” in its environment.
Uncovering Hidden SSIDs
Security through obscurity. It’s not a bad idea, but it’s not always successful. If a criminal didn’t know there was a bank, he wouldn’t attempt a robbery. If a wireless Access Point (AP) isn’t broadcasting its Service Set Identifier (SSID), it’s likely the average user won’t see the AP and try to using it. Turning off the advertisement of the SSID does very little on its own to protect the AP. In this video, Keith demonstrates how discovering the SSID is a simple task that can be done with a few easy commands. You are encouraged to practice these tools on networks you are authorized on to perform work. Commands used in this video are available in the NuggetLab download area.
Bypassing MAC Address Filters
Wireless Access Points (APs) don’t have to allow any client to connect. By setting up an Access Control List (ACL) at the AP based on the MAC addresses of individual customers, client machines with MAC addresses that are not on the list won’t be associated with the AP. In this video, Keith demonstrates how to utilize tools that can be used to “borrow” a MAC address that is on the list in order to gain access. Commands used in this video are available in the NuggetLab download area.
Breaking WPA2 Wireless
First there was WEP, then WPA and now WPA2 for wireless security. But even using the WPA2 with a pre-shared key (PSK) has risks. For example, if a weak key is chosen you are still vulnerable to an attack. In this video, Keith walks you through several familiar wireless tools (and a new one!) included with BackTrack that can be used to discover the WPA2 PSK that’s being used on a wireless network. Commands used in this video are available in the NuggetLab download area.
Rogue Wireless Access Points
Normally, we would be on the watch for these, but in this video we get to implement one. In this Nugget, Keith walks you through converting the BackTrack computer into a wireless AP, including how to set up DHCP routing services so that clients who associate with your BackTrack device might not even notice they are walking into a man-in-the-middle (MITM) attack. Configuration commands used are available in the NuggetLab download area.
Wireless Mis-Association Attacks
Complimenting the techniques discussed in the previous video, Keith demonstrates additional techniques to learn what wireless networks a client previously used and then creating a matching AP SSID. By doing this, it’s easier (and perhaps not noticeable to the user) for a computer to associate with the BackTrack AP for another MITM type of an attack. Keith also demonstrates the “Wireless Evil Twin” attack. All the commands used in this video are available for download in the NuggetLab download area.
MITM using Wireless Bridging
In this video, Keith walks you through another method that can be used to implement a wireless man-in-the-middle (MITM) attack by bridging the AP logical interface and the physical Ethernet interface. Using Wireshark as a tool to interpret the captured data and the concept of bringing up multiple Access Points (APs) on a single BackTrack system are discussed. Configuration commands Keith uses in this video are available in the NuggetLab download area.
Nmap: King of Scanners
What devices are sitting on the network and what services are they offering? It’s a good question and one that the Nmap program can assist us in answering In this video, Keith walks you through the CLI, including options to gather OS identification and version information, as well as using Nmap with scripts. He’ll also look at the Graphical User Interface (ZenMap). Commands used in this video are available in the NuggetLab download area for this series.
Whether trying to implement a Denial of Service (DoS) attack or clearing the path for the introduction of a rogue DHCP server, consuming all the existing addresses from the real DHCP server is very easy. In this video, Keith demonstrates how to use Yersinia, one of the tools in the BackTrack distribution, to implement this attack.
Vote for BT – as the new STP Root Bridge
The Spanning Tree Protocol (STP) plays a critical role in identifying and removing layer 2 loops in a switched network. If left unprotected, the SPT topology can be changed by a rogue device, injecting what appears to be superior Bridge Protocol Data Units (BPDUs). In this video, Keith walks you though STP, with the BackTrack system acting as the STP root.
Cisco Discovery Protocol is an excellent tool to confirm the physical connections between Cisco devices. It’s also an excellent tool (when flooding a neighbor with tens of thousands of CDP advertisements per minute) to overwhelm and cause Denial of Service (DoS) attack. In this video, Keith demonstrates how to implement this attack on a test switch in the lab. This video also shows how to use a X-windows sever and SSH to redirect the GUI from a remote BackTrack system to a local windows computer.
Taking over HSRP
The Hot Standby Router Protocol (HSRP) is a First Hop Redundancy Protocol (FHRP) that provides a fault tolerance default gateway for customers to use in a network. By politely asking to be the active router, a BackTrack system can cause a DoS attack by getting the role, (while the production routers take a well deserved break) and then not performing routing for the subnetwork.
DTP and 802.1q Attacks
When an attacker can convert a “single-VLAN” access port to a trunk port, there are are many additional opportunities for the attacker on a network. In this video, Keith walks you through using Dynamic Trunking Protocol to transition a switchport that BackTrack is connected to from an access port to a trunk port. This video also demonstrates creating logical VLAN interfaces on the BackTrack system, creating direct access (via the new trunk) to the VLANs available through that trunk. The protocol capture file from this Nugget is available in the NuggetLab download area.
ARP Spoofing MITM
LAN switches do a fantastic job of forwarding layer 2 frames based on the destination MAC address in each frame. However, if a device that is encapsulating and sending the frame puts the incorrect destination address it can be forwarded to an unintended destination (that of the BackTrack system). In this video, Keith walks you through how to implement an ARP spoofing attack through poisoning the ARP cache of a host and its default gateway and perform a live MITM on an Ethernet network. Commands used in this video are available in the NuggetLab download area.
metasploit framework is an environment build for the discovery of vulnerabilities of systems and the compromise/exploitation of those systems. In this video, Keith demonstrates how to install a working copy (when needed) on the BackTrack system, and introduces you to the MSFConsole CLI and the GUI interfaces. Also, examples of synflood attacks are provided in this Nugget. The commands used in this video are available in the NuggetLab download area.
PWNing a System with MSF
In this video, Keith walks you through using both MSFconsole and Armitage to exploit a network device. Capturing keystroke logging and screen captures against a compromised system also are demonstrated. Commands used in this video are available in the NuggetLab download area.
Creating a ‘Pivot Point’
If we can’t directly access a network, we may be able to compromise a host that can, and from there launch attacks. Using a victim host as a pivot point, attacks can be launched (via proxy using the victim) to reach additional networks. In this video, Keith shows you how to make this process easier by using MSF with Armitage.
Social-Engineer Toolkit (SET)
One of the easier methods for compromising a system is to trick the user to run our code or click on a link that executes the code. The Social-Engineer Toolkit simplifies the process for setting up content, including web sites designed to compromise when connected to by users. In this video, Keith introduces SET, and how using it can create a malicious web server on the BackTrack system.
Ettercap and Xplico
Ettercap is a fantastic tool to implement a MITM attack. Xplico is great way of analyzing the data collected (in the middle). In this video, Keith demonstrates how to use both of these tools, as well as using wireshark to actually listen in on a voice conversation captured within the packets collected by a sniffer.
The Domain Name System is used by computers to resolve friendly names, such as google.com, to an IP address so that computers can reach those devices. Unfortunately, if we compromise the DNS function and reply with a hostile (BT) computer’s IP address as the Web server they are trying to reach, the client computer will willingly connect to the BT server and have the potential to be exploited. In this video, Keith demonstrates how to implement a DNS spoofing attack. The CLI commands used in this video are available for download in the NuggetLab download area.
A dictionary, as used in a dictionary attack, can contain millions of words and phrases for use as potential passwords. In this video Keith demonstrates using Hydra to implement a dictionary password guessing attack against a router with SSH and a server using FTP.
A large part of a pen-test is gathering information. Maltego is a fast and powerful tool that can be used to collect data from publicly available sources and create a graphical representation based on that information. In this video, Keith walks you through using this tool (including its transforms) to find specific information about a domain, its servers and IP addresses.
There’s a new flavor of BackTrack in town and the interesting part is that it isn’t called “BackTrack.” Kali Linux is a new Debian distribution that includes most of the tools from the previous BackTrack (5R3), but with additional care given to the packaging of those tools and other benefits. In this video, Keith discusses some of the new features and demonstrates an install of Kali Linux. Most of the tools shown in this video series are available on both BackTrack and Kali Linux.
There exists another world when it comes to interactions between a web client and server. Burp Suite is a set of tools that enables you to analyze the details of both the requests and responses between web clients and servers, as well as replay requests after making modifications to those requests. In this video, Keith introduces and demonstrates these tools, including setting up the proxy on a client and using the spider and replay options.
Raspberry Pi & Kali Linux
What is small enough to fit in a pocket, affordable and can be a serious threat to an unprotected network? The answer: Kali Linux running on a Raspberry Pi computer. In this video, Keith walks you through the steps to install and use Kali on a Pi. Included in the video are the hardware specifics for the Pi, the wireless adapter and the SD card (in the event you want to replicate this). Keith also shares the “correct” URL to download the customized ARM image of Kali for the Pi.
Scapy is a packet manipulation tool than can craft, send, capture and sniff network datagrams (segments, packets and frames). In this video, Keith introduces you to this toolset and provides an example of it being used successfully. Examples of why it would be used also are included in the video. The video uses Kali Linux running on a Raspberry Pi, using SSH and Xwindows, and similar results can be obtained by practicing at the local console of the BackTrack/Kali device.
A traditional PING uses ICMP and request/reply messages to verify connectivity between two devices over an IP network. But what if a firewall or the device itself is blocking the PING messages? What can be done? Have no fear, hping3 is here! In this video, Keith demonstrates how TCP and/or UDP options can be used to verify reachability and round trip time between two devices, even when ICMP isn’t allowed. Commands used in this video are available for download in the NuggetLab download area.
How easy is it to implement an MITM on an IPv6 network? If you use the parasite6 tool, it’s easy. In fact, way too easy. In this video, Keith discusses how Neighbor Discovery Protocol (NDP) is used in IPv6 (compared to IPv4′s ARP), and then how to use parasite6 to perform layer 2 spoofing on an IPv6 network. Commands used in this video are available in the NuggetLab download area.
IPv6 THC Tools
The Hackers Choice (THC) group has lots of great tools for IPv6 networks, and in this video, Keith demonstrates a few of his favorites. This nugget includes Neighbor Discovery Protocol (NDP) Router Advertisement (RA) manipulation including spoofing and flooding, DoS based on Duplicate Address Detection (DAD) and much more. Commands used in this video are available in the NuggetLab download area.
Custom Password Lists
Which is better? A password list of a million entries or one with 50 thousand, IF they both contain the correct passphrase used in a dictionary attack? In this case, smaller is better, as it will save time and CPU. In this video, Keith introduces and shares a tool called the “Common User Password Profiler” (CUPP) that will interview you, ask you questions about the subject of interest (the person whose password you want) and then build a customized password file surrounding the names, dates, numbers based on the input you supplied. This password file then can be utilized by tools such as Hydra or Medusa as part of a dictionary attack. The commands used in this video are available in the Nuggetlab download area.
Hashes and Cracking Passwords
Passwords aren’t normally stored in plain text files on a system such Windows or Linux. Instead, a hash is generated and that one-way hash value is stored. In this video, Keith walks you through using a BackTrack Live CD to boot a system that has Windows on the hard drive, and by mounting the Windows file system, get access to the SAM database and the hashes for the user accounts. With the hash files in hand, we can take those hash files and use off-line password cracking tools such as John the Ripper. Commands used in this video are available in the NuggetLab download area.
Rainbow Tables and Ophcrack
What’s faster than 241×34(9644/2)-1 ? The answer: the result of 39,511,467. In the world of comparing millions of hashes, it’s much faster to already have the hash (as in the result above) rather than having to create the hash before being able to compare it to another value. In this video, Keith demonstrates how a “Rainbow Table” (a pre-computed list of hashes) can be used to significantly improve the time it takes to break a password. Ophcrack also is demonstrated as a tool that can use a rainbow table. A supporting document listing some of the many of the steps shown in the video is available in the NuggetLab download area.
The king of open-source packet analyzers is Wireshark (previously named Ethereal). In this video Keith discusses methods for obtaining network data such as port mirroring and MITM. He then shares with you Wireshark options including the ability to create graphs and analyze the top speakers on the network, as well as apply filters to focus on specific traffic.
Virtual Test Environment
Practicing how to use the tools contained in BackTrack and Kali Linux is important. At the same time, it may not be a safe idea to practice on your company’s production network without authorization. One solution is to create a virtual environment that includes Backtrack or Kali (or both), as well as host machines that can interact with each other in a sandbox without needing to access the live production network. In this video, Keith demonstrates how to add a new host to Virtualbox, as well as use a pre-defined virtual machine named metasploitable that can be used when testing vulnerabilities.
A rootkit is software (normally malware of some kind) that provides unauthorized access to the computer for the attacker. A rootkit can be placed via a remote exploit or by physically running software at the computer. In this video, Keith demonstrates two software tools that can be used in a linux environment to detect if a rootkit is running. Commands used in this video are available in the NuggetLab download area.
Keith Barker is a trainer and consultant with more than 27 years of IT experience. He is the author of numerous Cisco Press books and articles.