Author: Joe Barr
In the field of penetration testing, BackTrack is today’s premier Linux distribution. Designed for, created by, and used by security professionals around the globe, BackTrack is the result of a merger between two earlier, competing distributions — WHAX and Auditor Security Collection. The most recent beta version was released on June 10.
BackTrack 3.0 beta (BT3) is showing up in a lot of places these days. There was a presentation in February at ShmooCon, an annual hacker convention. At this year’s National Collegiate Cyber Defense Competition (NCCDC), it was the distro of choice for the Red Team — the attackers — made up of experienced security professionals.
BT3 live or installed
BT3 is distributed as an ISO image for a live CD or as a larger USB drive version in RAR format. You can grab the image online from any of several mirrors, then either burn a bootable CD or install it on a bootable USB drive.
From a CD, it takes about two minutes to go from boot to full-blown desktop, shown in Figure 1. That includes autoconfiguration of all devices, including wired and wireless NICs. Running from the CD is probably the most secure way to run BT3, but many, including myself, have installed it on their hard drives for performance reasons. If you do the same, keep in mind that you’re running as root, and don’t use BackTrack for your normal chores.
The hard drive install procedure is experimental; in my case, it didn’t work unless I first partitioned and formatted the drive prior to installation. Also, note that BackTrack is designed for use by technically savvy folk, so there is not a lot of hand-holding. You’re expected to bring a lot of knowledge to the table, and newbies like me are pretty much left to sink or swim on their own.
When booting from the live CD, the default destination is the KDE desktop, but you can choose from several other options at boot time, including Fluxbox, KDE to RAM, VESA mode, and several text modes. When you boot from an installed version of BT3, you go directly to the command line. Not a CLI kind of person? Don’t be frightened; your choices are described clearly on the screen, along with the username and password to log in with. Once you’re logged in, enter the
startx command to get to the comfort of your KDE GUI, or enter
flux to get to Fluxbox. But it’s the CLI, after all, and from it you can do just about anything you want, including setting it up to boot directly into the window manager or environment of your choice.
BT3 is a SLAX/Slackware derivative, and if you’d like, you can use the Slackware repositories to install packages not included in the ISO. BT3 comes with menu options for using Slapt-get, but it doesn’t work right out of the box. Check the forums for threads about setting up package management.
In addition to the security tools, BT3 comes with a lot of the standard KDE offerings: two browsers (Firefox and Konqueror), three chat/IM clients (XChat, Pidgin IM, Kopete IM), remote desktop software (VNC and RDP servers are supported), editors, graphics tools, and so on. But if you’re really interested in KDE instead of the security tools, you’re looking at the wrong version of Linux. Conspicuous in their absence from the menu tree are categories for Office and Games. The point is, this is not your typical distro — it’s for security testing, not day-to-day use.
Whether you’re running from the live CD or an installed version of BackTrack, a large arsenal of security tools is at your disposal. Figure 2 shows the first level down into the BackTrack menu category. Drilling down further into the BackTrack menu, you’ll find the Metasploit Framework (Frameworks 2 and 3), the Milw0rm exploit archive, FastTrack, and Inguma.
Metasploit Framework and Milw0rm are famous, so they don’t really need an introduction. FastTrack is a Python script (fast-track.py) written by ReL1K — a.k.a. David Kennedy — of SecureState. In addition to providing quick and easy installation and updating major applications, including itself, FastTrack has a tutorial section that includes topics such as Metasploit AutoPwn, SQL 1433 Hacking, SQL Injection HOWTO, FTP Brute Forcer, Spawning a Shell, Exploits, and more. At least it did until I used the script to update itself, and found the tutorial is no longer part of the latest version. ReL1K told me on IRC, however, that it will soon appear on the SecureState site. In the mean time you can enjoy a multimedia video tour.
I chose the Metasploit AutoPwn menu item in FastTrack to launch an attack against a test box running Ubuntu 8.04. I only had to enter the IP address; the fast-track.py script handled all the rest for me, including the creation of an SQLite database Metasploit uses to store the results. Then I just sat back and watched AutoPwn run exploit after exploit trying to pwn the box.
Other categories and tools included in BT3 are Maltego in Information Gathering, Nmap in Network Mapping, and Cisco Passwd Scanner, which searches a range of IP addresses for Cisco routers still set to the default password, OpenSSL-Scanner by Solar Eclipse, and SQL Ninja in Vulnerability Identification. These are far from the only entries in those categories.
Exploring the wireless wilderness
I drilled down into the BackTrack application menu on the KDE desktop to find the right tool to begin my exploration. That led me to BackTrack -> Radio Network Analysis -> 80211 -> Analyser, where I was given the choice of Kismet or Wicrawl. I opted for Kismet.
Your ability to use many of the wireless security tools included in BT3 — like Kismet — depends entirely on the driver available for your wireless NIC. My experience may be radically different from yours if you’re not using the same equipment. The laptop I installed BT3 on comes equipped with an onboard Atheros-based wireless NIC. It works fine for ordinary wireless access to the Internet, but it can’t handle the commands required for wireless snooping and intruding. To handle those commands, I had to use a Netgear WPN511 PCMCIA card and a Multiband Atheros Driver for Wi-Fi (MadWifi).
To further complicate matters, different wireless security applications are written to work with specific drivers, and even though your own driver may have the needed capability, the application you want to use may not support it. It’s up to you to determine this ahead of time, and if your card is not supported, to get one that is or to abandon your plans.
I wanted to record packets to and from my WEP-protected, Linksys WRT54G2AP access point (AP) to see how difficult it would be to crack the key using 64-bit WEP keys generated programmatically from a passphrase. I followed these steps to get the Netgear card working properly with Kismet:
- Set up the Netgear card as ath1 using
- Disable the onboard wireless card using
ifconfig ath0 down.
- Copy /usr/local/etc/kismet.conf.backtrack to /usr/local/etc/kismet.conf.
I wasn’t interested in scanning for other APs, and I knew what channel the AP was operating on, so I tweaked the config file to start on channel 6 and disable channel hopping. In retrospect, it seems easy and straightforward enough, but it took me several hours to be able to run Kismet.
After running Kismet long enough to record about 10,000 packets, it was time to try to crack the WEP protection. Fourteen different applications are listed under 80211 -> Cracking. I tried Aircrack-ng first, since it was at the top of the list. No joy. After running for a minute or two, it gave up, saying it had found about 1,100 initialization vectors (IVs) and suggesting that next time I try it with about 5,000 IVs.
Undismayed, I tried again with the same data but used wep_crack instead of Aircrack-ng. It reported this a few seconds later:
success: seed 0x00696d19, [generated by aAAax,(a] wep key 1: 7f ca 20 ef d1 wep key 2: 4c c6 42 84 1d wep key 3: c3 00 5f 1f 3e wep key 4: ed 22 58 11 12 1734298 guesses in 11.55 seconds: 150133.28 guesses/second
No wonder so many security professionals warn against using WEP for wireless security. If a doddering old geek like me is able to crack WEP keys this quickly and this easily, imagine what all those bright, young, script kiddies and evil hackers out there can do.
Backtrack is not for everyone. It’s not a general-purpose distribution, but rather a focused, powerful, and demanding distribution. If you’re a security professional, you’ll probably love it. But if you’re an ordinary Linux user like me, you may find that it requires more of you than you have the time or inclination to give.
Given the sheer number and the quality of the tools included in BT3, it’s easy to understand why the FBI, the NCCDC, and thousands of other entities and individuals are using it, and why it has become the top gun in its field.