BackTrack 4: Assuring Security by Penetration Testing

Master the art of penetration testing with BackTrack

Q: Which version of Backtrack is to be chosen?

A: On the BackTrack website (http://www.backtrack-linux.org/downloads/) or using third-party mirrors like http://mirrors.rit.edu/backtrack/ OR ftp://mirror.switch.ch/mirror/backtrack/), you will find two different formats of BackTrack version 4 (recently BackTrack 5 is out and hence you may not find version 4 on the official site but the mirror sites like http://mirrors.rit.edu/backtrack/ OR ftp://mirror.switch.ch/mirror/backtrack/ still provide it). One is formatted in ISO image file. You can use this file format if you want to burn it to a DVD, USB, Memory Cards (SSD, SDHC, SDXC, etc) or want to install BackTrack directly to your machine. The second file format is VMWare image. If you want to use BackTrack in a virtual environment, you might want to use this image to speed up the installation and configuration.

Q: What is Portable BackTrack?

A: You can also install BackTrack to a USB flash disk, we call this method Portable BackTrack. After you install it to the USB flash disk, you can easily boot up into BackTrack from any machine provided with USB port.

The key advantage of this method compared to the Live DVD is that you can permanently save changes to the USB flash disk. When compared to the hard disk installation, this method is more portable and convenient.

To create a portable BackTrack, you can use several tools including UNetbootin (http://unetbootin.sourceforge.net), LinuxLive USB Creator (http://www.linuxliveusb.com) and LiveUSB MultiBoot (http://liveusb.info/dotclear/). These tools are available for Windows, Linux/UNIX, and Mac operating system.

Q: How to install BackTrack in a dual-boot environment?

A: One of the resources that describe how to install BackTrack with other operating systems such as Windows XP can be found at: http://www.backtrack-linux.org/tutorials/dual-boot-install/.

Q: What types of penetration testing tools are available under Backtrack 4?

A: BackTrack 4 comes with number of security tools that can be used during the penetration testing process. These are categorized into the following:

Information gathering: This category contains tools that can be used to collect information regarding target DNS, routing, e-mail addresses, websites, mail servers, and so on. This information is usually gathered from the publicly available resources such as Internet, without touching the target environment.

Network mapping: This category contains tools that can be used to assess the live status of the target host, fingerprint the operating system and, probe and map the applications/services through various port scanning techniques.

Vulnerability identification: In this category you will find different set of tools to scan for vulnerabilities in various IT technologies. It also contains tools to carry out manual and automated fuzzy testing and analyzing SMB and SNMP protocols.

Web application analysis: This category contains tools that can be used to assess the security of web servers and web applications.

Radio network analysis: To audit wireless networks, Bluetooth and radio-frequency identification (RFID) technologies, you can use the tools in this category.

Penetration: This category contains tools that can be used to exploit the vulnerabilities found in the target environment.

Privilege escalation: After exploiting the vulnerabilities and gaining access to the target system, you can use the tools in this category to escalate your privileges to the highest level.

Maintaining access: Tools in this category will be able to help you in maintaining access to the target machine. Note that, you might need to escalate your privileges before attempting to install any of these tools on the compromised host.

Voice over IP (VOIP): In order to analyze the security of VOIP technology you can utilize the tools in this category.

BackTrack 4 also contains tools that can be used for:

Digital forensics: In this category you can find several tools that can be used to perform digital forensics and investigation, such as acquiring hard disk image, carving files, and analyzing disk archive. Some practical forensic procedures require you to mount the hard drive in question and swap the files in read-only mode to preserve evidence integrity.

Reverse engineering: This category contains tools that can be used to debug, decompile and disassemble the executable file.

Q: Do I have to install additional tools with BackTrack 4?

A: Although BackTrack 4 comes preloaded with so many security tools, however there are situations where you may need to add additional tools or packages because:

It is not included with the default BackTrack 4 installation.

You want to have the latest version of a particular tool which is not available in the repository.

Our first suggestion is to try search the package in the software repository. If you find the package in the repository, please use that package, but if you can't find it, then you can get the software package from the author's website and install it by yourself. However, the prior method is highly recommended to avoid any installation and configuration conflicts. You can search for tools in the BackTrack repository using the apt-cache search command.

However, if you can't find the package in the repository and you are sure that the package will not cause any problems later on, you can install the package by yourself.

Q: Why do we use the WebSecurify tool?

A: WebSecurify is a web security testing environment that can be used to find vulnerabilities in the web applications.

It can be used to check for the following vulnerabilities:

SQL injection

Local and remote file include

Cross-site scripting

Cross-site request forgery

Information disclosure

Session security flaws

WebSecurify is readily available from the BackTrack repository. To install it you can use the apt-get command:

# apt-get install websecurify

You can search for tools in the BackTrack repository using the apt-cache search command.

Q: What are the types of penetration testing?

A: Black-box testing: The black-box approach is also known as external testing. While applying this approach, the security auditor will be assessing the network infrastructure from a remote location and will not be aware of any internal technologies deployed by the concerning organization. By employing the number of real world hacker techniques and following through organized test phases, it may reveal some known and unknown set of vulnerabilities which may otherwise exist on the network.

White-box testing: The white-box approach is also referred to as internal testing. An auditor involved in this kind of penetration testing process should be aware of all the internal and underlying technologies used by the target environment. Hence, it opens a wide gate for an auditor to view and critically evaluate the security vulnerabilities with minimum possible efforts.

Grey-Box testing: The combination of both types of penetration testing provides a powerful insight for internal and external security viewpoints. This combination is known as Grey-Box testing. The key benefit in devising and practicing a gray-box approach is a set of advantages posed by both approaches mentioned earlier.

Q: What is the difference between vulnerability assessment and penetration testing?

A: A key difference between vulnerability assessment and penetration testing is that penetration testing goes beyond the level of identifying vulnerabilities and hooks into the process of exploitation, privilege escalation, and maintaining access to the target system. On the other hand, vulnerability assessment provides a broad view of any existing flaws in the system without measuring the impact of these flaws to the system under consideration.

Another major difference between both of these terms is that the penetration testing is considerably more intrusive than vulnerability assessment and aggressively applies all the technical methods to exploit the live production environment. However, the vulnerability assessment process carefully identifies and quantifies all the vulnerabilities in a non-invasive manner.

Penetration testing is an expensive service when compared to vulnerability assessment

Q: Which class of vulnerability is considered to be the worst to resolve?

A: "Design vulnerability" takes a developer to derive the specifications based on the security requirements and address its implementation securely. Thus, it takes more time and effort to resolve the issue when compared to other classes of vulnerability.

Q: Which OSSTMM test type follows the rules of Penetration Testing?

A: Double blind testing

Q: What is an Application Layer?

A: Layer-7 of the Open Systems Interconnection (OSI) model is known as the “Application Layer”. The key function of this model is to provide a standardized way of communication across heterogeneous networks. A model is divided into seven logical layers, namely, Physical, Data link, Network, Transport, Session, Presentation, and Application. The basic functionality of the application layer is to provide network services to user applications. More information on this can be obtained from: http://en.wikipedia.org/wiki/OSI_model.

Q: What are the steps for BackTrack testing methodology?

A: The illustration below shows the BackTrack testing process.