Backtrack 5 Complete Tutorial

The Backtrack 5 Complete Tutorial is a series of tutorials that show how to use every tool included in the Backtrack 5 Live CD. They are separated into the groups in which they appear on Backtrack:

Information Gathering Vulnerability Assessment Exploitation Tools Privilege Escalation Maintaining Access Reverse Engineering RFID Tools Stress Testing Forensics Reporting Tools Services Miscellaneous

Backtrack 5 Information Gathering

1. Network Analysis
o

Bluetooth Analysis bluediving btscanner DNS Analysis dnsdict6 dnsenum dnsmap dnsrecon dnstracer dnswalk fierce lbd

Network Analysis Bluetooth Analysis

bluediving
Bluediving is a software suite specializing in Bluetooth penetration testing. Bluediving itself comprises of several tools, such as Bluebug and BlueSnarf. Using these tools, Bluediving is able to provide a single platform for launching nearly every type of Bluetooth based attacks. Bluediving presents a simple, easy to use command line where the user is given the option of choosing attack targets, choosing attack methods, and ever enumerating various Bluetooth devices discovered. The top level menu looks like this:
[MAIN MENU] menu: [1] [2] [3] [4] [5] [6] [7] Scan Scan and attack Scan and info Scan for... Add known device Change preferences Show preferences [a] Action [e] Exploit [i] Info [t] Tools

[8] Show logfile -=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [x] Exit -

btscanner
btscanner is a utility used to gather as much information as possible from an unpaired Bluetooth device. It is specifically aimed at extracting information from unpaired devices, such as IEEE OUI numbers, and possible host identification. The below example shows how to use btscanner to scan for available Bluetooth devices. Example Usage: btscanner Enter i to begin a scan for devices, and then a to abort the scan once devices are found. Select the discovered device by pressing Enter to see more information about the target.

DNS Analysis
dnsdict6
dnsdict6 is a utility used to enumerate a domain for IPv6 DNS entries, meaning it will try to find as many IPv6 (AAAA records) DNS records for the selected domain as possible. This is useful for finding sub domains that may be invisible to the public, but still exists in DNS records. Often, these forgotten about domains are outdated and can be a vector for exploit based attacks against the domain. dnsdict6 uses a dictionary list which is used to guess possible DNS entries. Example Usage: dnsdict6 google.com

dnsenum.pl
dnsenum is a Perl utility used to collect as much information as possible regarding a domain. It collects basic information such as A records(host addresses), nameserves, and MX records (mail hosts), but also extracts useful information such as BIND versions and searches for unlisted subdomains using a dictionary based attack. dnsenum also has reverse lookup utilities that can perform reverse DNS lookups for C class network ranges. In the example below, we use dnsenum in order to look for as much information as possible for the technology-flow.com domain.

Example Usage: ./dnsenum.pl enum -f dns.txt update a -r technology-flow.com

dnsmap
dnsmap is a utility used to create a list of hosts and DNS records for a domain. It uses a word list to search for possible subdomains, and can output results in several different formats, such as CSV or plain .txt. In the examples below, we use the dnsmap utility to attempt to map the hosts that technology-flow.com uses. In the second example, a wordlist is used to guess subdomains, and then the results are written to /root/results.txt. The final example simply writes the results to /root/results.txt. Example Usage: dnsmap technology-flow.com Example Usage: dnsmap technology-flow.com -w wordlist.txt -r /root/results.txt Example Usage: dnsmap technology-flow.com -r /root/results.txt

dnsrecon
dnsrecon is a Python based utility. Currently, dnsrecon has 6 features that make it great for gathering information about a domain or IP address from DNS records: 1. 2. 3. 4. 5. 6. Reverse lookups for IP blocks Top level domain expansion DNS host and domain bruteforce A, NS, SOA and MX record lookups Zone transfer for each NS server found Find SRV records

In the example below, dnsrecon is used in order to guess (brute force option of -t brt) subdomains for technology-flow.com, using dictionary.lst as a dictionary file to pull entries from. Example Usage:./dnsrecond.py -t brt -d technology-flow.com -D dictionary.lst

dnstracer
dnstracer is a program that reports the chain of DNS servers that a DNS request takes in order to do a DNS lookup. It tells the user which servers have authority for a zone, and the intermediary DNS nodes the were found in the way. This tool is very simple to use; the below example uses dnstracer to verbosely find DNS server information for a lookup for technology-flow.com.

Example Usage:dnstracer -v technology-flow.com

dnswalk
dnswalk is a Perl script that helps debug DNS servers. It can run zone transfers for domains, and can help check for consistancy and accuracy of records. While originally intended for use as a DNS debugger, dnswalk can be used in order to gather information about a particular target domain or target DNS server. In the example below, we look up information for the technologyflow.com domain. Note the tailing ., which is an important part of the domain name system. Also note that dnswalk provides as much information in its error/warning messages (many servers dont allow zone transfers), as it does in successfully completed queries and transfers. Example Usage:./dnswalk technology-flow.com.

fierce
fierce is a Perl program that aims to scan for non contiguous IP address space. This means it uses a brute force DNS lookup method in order to search for allocated/unallocated IP addresses for a domain. This information is useful for other scanners, such as nmap, nessus, or nikto, since IP information is needed for these utilities. In the first example below, we scan for IP adresses in the 111.222.333.0/24 range, using ns1.nameserver.com as the nameserver. Next, we use fierce in order to scan a particular domain, technology-flow.com. Example Usage:./fierce.pl -range 111.222.333.0-255 -dnsserver ns1.nameserver.com Example Usage:./fierce.pl technology-flow.com

lbd
lbd is a proof of concept shell script that attempts to detect whether a domain uses a load balancing system. In order to do this, it looks for both DNS and HTTP load balancing, and attempts to calculate if it is used. This is useful in gathering iformation regarding a domains architecture, as well as how a domain may react to a sudden increase in traffic, such as those caused by a Distributed Denial of Service (DDoS) attack. In this example, we check whether technology-flow.com uses load balancing (it does not): Example Usage:./lbs.sh technology-flow.com

Forensics
Anti Virus Forensic Tools

chkrootkit rkhunter Install truecrypt hexedit bulk_extractor evtparse exiftool missidentify mork pref PTK readpst reglookup stegdetect vinetto fatback foremost magicrescue recoverjpeg safecopy scalpel scrounge-ntfs testdisk hashdeep md5deep

Digital Anti Forensics Digital Forensics Forensic Analysis Tools

Forensic Carving Tools

Forensic Hashing Tools

sha1deep sha256deep tigerdeep whirlpooldeep air dc3dd ddrescue ewfaquire PTK Setup Autopsy Sleuthkit Driftnet p0f tcpreplay Wireshark Xplico CmosPwd fcrackzip samdump pdfid pdf-parser peepdf pdfbook pdgmail PTK Volatility

Forensic Imaging Tools

Forensic Suites

Network Forensics

Password Forensics Tools

PDF Forensic Tools

RAM Forensics Tools

Anti Virus Forensic Tools

chkrootkit
chkrootkit is a utility that will check for signs that a device is infected with a rootkit. It runs on Linux, FreeBSD, and OSX versions. It uses standard utlitities such as awk, grep, netstat, cut, echo, and more in order to detect signatures that suggest rootkits. The standard use of chkrootkit should contain an alternate path to trusted binaries (dont trust binaries on a machine you are scanning), along with the path to the directory to be scanned. Example usage: chkrootkit -p [path-to-trusted-binaries] -r [root-path-to-scan]

rkhunter
rkhunter is another utility used to check for signs of rootkits on Unix based systems. Usually, you will want to run the scan against a mounted filesystem, using a trusted set of binaries. In the below example, the sk option sets it so that a keypress isnt required after each test run. Example Usage: rkhunter -c sk

Digital Anti Forensics

Install truecrypt
This script is used to install Truecrypt, software that is used to create encrypted files using various encryption ciphers. It contains features such as hidden partitions inside the encyption file, as well as the ability to use files and text passwords as keys to the encryption file. Look here for a more in depth Truecrypt tutorial

Digital Forensics
hexedit
hexedit is a program that gives the user the ability to view a file in hexadecimal and ASCII view. It offers the ability to read a device as a file. It includes build in key shortcuts to make it fast and easy to edit and analyze file, including skipping to specific memory locations, cutting and pasting, changing views, modes, and syntaxes similar to that of emacs. Example usage: hexedit [filename]

Forensic Analysis Tools

bulk_extractor
bulk_extractor is a utility that scans many types of information storage (files, folders) and outputs information that it finds in them. What separates bulk_extractor from other similar tools is its speed. bulk_extractor doesnt look at file system structures on the input, so it is able to process the scan faster, and thus, more thoroughly. This tools outputs information found, such as ccn.txt (credit card numbers), email.txt (email addresses), exif.txt (EXIF data from media files), url (URLs found), and more. Example usage: bulk_extractor -o [output directory] input Note that the output directory must not already exist.

evtparse.pl
This utility takes .evt files, which contain log information for use by the event manager, and parses them into something useful for investigators. Specifically, it dumps the events as a timeline. Example usage: evtparse.pl -e [event_log]

exiftool
exiftool allows users to read or write metadate (like EXIF) to image, video, and audio files. Here are a few examples from the exiftool manpage: Example usage: exiftool -a -u -g1 [image_file] Example usage: exiftool -Comment=Enter a comment in quotes here [image_file]

missidentify
The missidentify tool finds Windows 32 executable files. It can search recursively through folders in order to find them, and then displays the results back to the user. Standard usage would usually include searching recursively (-r options). Example usage: missidentify -r [location]

mork.pl
A Perl script that will strip information from a Mork database file. Mork files were previously used by Mozilla programs to store information, such as Firefox browsing history, and Thunderbird contacts. While newer Firefox versions use SQlite database files to store browser information now, Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file with information from a Mork file input. Example usage: mork.pl html [Mork_file]

pref.pl
This Perl script parses the content of Windows XP and Windows Vista prefetch files and directories. The output can be set to comma separated values (.csv) for easier viewing. In the following example, pref.pl is used to parse data from a folder containing prefetch files from Vista (default is XP) and output it as a csv file. Example usage: pref.pl -v -f [prefetch_file] -c

ptk
PTK is a forensics toolkit, similar to the Sleuthkit toolkit. It contains built in modules in order to analyze nearly any type of media or filetype that may be encountered in a forensics investigation. It is browser based, and first needs to have a MySQL database configured. Leave all fields as default, and use the password toor for the root user in MySQL. It should setup successfully, at which point you need to register for the free version. Copy the license file you received into the config directory for PTK located at /var/www/ptk/config.

http://technology-flow.com/wp-content/uploads/2011/05/ptk.png

http://technology-flow.com/wpcontent/uploads/2011/05/ptk.png

Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built in tools will help you pull information from the image(s).

Volatility
Volatility is a framework writen in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type, and can provide a deep insight into the state of the system while it was running. The Volatility Framework has been tested on Windows, OS X, Linux, and even Cygwin. In the example below, we use Volatility in order to list processes that were running on the system while the RAM image ram.img was taken. Example Usage:volatility plist -f ram.img