BackTrack 4: Assuring Security by Penetration Testing. Packt

Shakeel Ali, Tedi Heriyanto

Master the art of penetration testing with BackTrack

First published: April 2011
Production Reference: 1070411
Published by Packt Publishing Ltd.
32 Lincoln Road
Birmingham, B27 6PA, UK.
ISBN 978-1-849513-94-4
Cover Image by Faiz fattohi (

e-books shop
BackTrack 4:
Assuring Security by Penetration Testing

About the Authors
Shakeel Ali is the main founder and CTO of Cipher Storm Ltd, UK. His expertise
in the security industry markedly exceeds the standard number of security
assessments, audits, compliance, governance, and forensic projects that he carries
in day-to-day operations. He has also served as a Chief Security Officer at CSSProviders
S.A.L. As a senior security evangelist and having spent endless nights
without taking a nap, he provides constant security support to various businesses,
educational organizations, and government institutions globally. He is an active
independent researcher who writes various articles and whitepapers, and manages
a blog at He also regularly participates in BugCon Security
Conferences held in Mexico, to highlight the best-of-breed cyber security threats and
their solutions from practically driven countermeasures.
I would like to thank all my friends, reviewers, and colleagues
who were cordially involved in this book project. Special thanks
to the entire Packt Publishing team, and their technical editors
and reviewers who have given invaluable comments, suggestions,
feedback, and support to make this project successful. I also want
to thank Tedi Heriyanto (co-author) whose continual dedication,
contributions, ideas, and technical discussions led to produce the
useful product you see today. Last but not least, thanks to my pals
from past and present with whom the sudden discovery never ends,
and whose vigilant eyes turn an IT industry into a secure and stable environment.

Tedi Heriyanto currently works as a Senior Technical Consultant in an Indonesian
information technology company. He has worked with several well-known
institutions in Indonesia and overseas, in designing secure network architecture,
deploying and managing enterprise-wide security systems, developing information
security policies and procedures, doing information security audit and assessment,
and giving information security awareness training. In his spare time, he manages
to research, write various articles, participate in Indonesian Security Community
activities, and maintain a blog site located at
He shares his knowledge in the information security field by writing several

information security and computer programming books.
I would like to thank my family for supporting me during the
whole book writing process. I would also like to thank my friends
who guided me in the infosec field and were always available to
discuss infosec issues: Gildas Deograt, Mada Perdhana, Pamadi
Gesang, and Tom Gregory. Thanks to the technical reviewers who
have provided their best knowledge in their respective fields: Arif
Jatmoko, Muhammad Rasyid Sahputra, and Peter "corelanc0d3r"
Van Eeckhoutte. Also thanks to the great people at Packt Publishing
(Kartikey Pandey, Kavita Iyer, Tarun Singh, and Sneha Harkut),
whose comments, feedback, and immediate support has turned this
book development project into a successful reality. Last but not least,
I would like to give my biggest thanks to my co-author, Shakeel
Ali, whose technical knowledge, motivation, ideas, and suggestions

made the book writing process a wonderful journey.

About the Reviewers
Peter "corelanc0d3r" Van Eeckhoutte is the founder of Corelan Team
(, bringing together a group of people who have similar
interests: performing IT security/vulnerability research, sharing knowledge, writing
and publishing tutorials, releasing security advisories and writing tools. His Win32
Exploit Writing Tutorial series and Immunity Debugger PyCommand "pvefindaddr"
are just a few examples of his work in the security community. Peter has been
working on IT security since the late 90's, focusing on exploit development since 2006.
I would like to thank my wife and daughter for their everlasting
support and love, and the folks at the Corelan Team for being a truly
awesome bunch of friends to work with.

Arif Jatmoko (MCom, CISSP, CISA, CCSP, CEH) is an IT Security Auditor at Bank
Mandiri tbk, the biggest bank in Indonesia. Arif has spent over 15 years working as a
computer security specialist. Since 1999, he joined a top Fortune 500 company as the
IT security officer, runs several projects in government and military institutions, is a
pentester at big4 audit firm and a few major financial institutions.
Since his early school years, Arif has enjoyed coding, debugging, and other reverse
engineering stuff. These hobbies have given him the skill to perform security
incident analysis for many years. Later (during his more current jobs), Arif was
found to be most interested in incident analysis and computer forensics. Especially
as an auditor, he frequently deals with investigative analysis in criminals and other
fraudulent activities inside the company.

Muhammad Rasyid Sahputra currently works as a Security Consultant
at Xynexis International. His interests range from analyzing various bugs of
open-source and commercial software/products to hacking telecommunication

BackTrack is a penetration testing and security auditing platform with advanced
tools to identify, detect, and exploit any vulnerabilities uncovered in the target
network environment. Applying appropriate testing methodology with defined
business objectives and a scheduled test plan will result in robust penetration testing
of your network.

BackTrack 4: Assuring Security by Penetration Testing is a fully focused, structured
book providing guidance on developing practical penetration testing skills by
demonstrating the cutting-edge hacker tools and techniques in a coherent step-by-step
strategy. It offers all the essential lab preparation and testing procedures to reflect
real-world attack scenarios from your business perspective in today's digital age.
The authors' experience and expertise enables them to reveal the industry's best
approach for logical and systematic penetration testing.

The first and so far only book on BackTrack OS starts with lab preparation and
testing procedures, explaining the basic installation and configuration set up,
discussing types of penetration testing (black box and white box), uncovering
open security testing methodologies, and proposing the BackTrack specific testing
process. The authors discuss a number of security assessment tools necessary to
conduct penetration testing in their respective categories (target scoping, information
gathering, discovery, enumeration, vulnerability mapping, social engineering,
exploitation, privilege escalation, maintaining access, and reporting), following
the formal testing methodology. Each of these tools is illustrated with real-world
examples to highlight their practical usage and proven configuration techniques.
The authors also provide extra weaponry treasures and cite key resources that may
be crucial to any professional penetration tester.

This book serves as a single professional, practical, and expert guide to develop
hardcore penetration testing skills from scratch. You will be trained to make the best
use of BackTrack OS either in a commercial environment or an experimental test bed.
A tactical example-driven guide for mastering the penetration testing skills with
BackTrack to identify, detect, and exploit vulnerabilities at your digital doorstep.

What this book covers
Chapter 1, Beginning with BackTrack, introduces you to BackTrack, a Live DVD Linux
distribution, specially developed to help in the penetration testing process. You will
learn a brief history of BackTrack and its manifold functionalities. Next, you will
learn about how to get, install, configure, update, and add additional tools in your
BackTrack environment. At the end of this chapter, you will discover how to create
a customized BackTrack to suit your own needs.
Chapter 2, Penetration Testing Methodology, discusses the basic concepts, rules,
practices, methods, and procedures that constitute a defined process for a
penetration testing program. You will learn about making a clear distinction
between two well-known types of penetration testing, Black-Box and White-Box.
The differences between vulnerability assessment and penetration testing will also
be analyzed. You will also learn about several security testing methodologies and
their core business functions, features, and benefits. These include OSSTMM, ISSAF,
OWASP, and WASC-TC. Thereafter, you will learn about an organized BackTrack
testing process incorporated with ten consecutive steps to conduct a penetration
testing assignment from ethical standpoint.
Chapter 3, Target Scoping, covers a scope process to provide necessary guidelines on
formalizing the test requirements. A scope process will introduce and describe each
factor that builds a practical roadmap towards test execution. This process integrates
several key elements, such as gathering client requirements, preparing a test plan,
profiling test boundaries, defining business objectives, and project management and
scheduling. You will learn to acquire and manage the information about the target's
test environment.
Chapter 4, Information Gathering, lands you in the information gathering phase. You
will learn several tools and techniques that can be used to gather metadata from
various types of documents, extract DNS information, collect routing information,
and moreover perform active and passive intelligence gathering. You will also learn
a tool that is very useful in documenting and organizing the information that has
been collected about the target.
Chapter 5, Target Discovery, discusses the process of discovering and fingerprinting
your target. You will learn the key purpose of discovering the target and the tools
that can assist you in identifying the target machines. Before the end of this chapter
you will also learn about several tools that can be used to perform OS fingerprinting.
Chapter 6, Enumerating Target, introduces you to the target enumeration process and
its purpose. You will learn what port scanning is, various types of port scanning, and
the number of tools required to carry out a port scanning operation. You will also
learn about mapping the open services to their desired ports.
Chapter 7, Vulnerability Mapping, discusses two generic types of vulnerabilities, local
and remote. You will get insights of vulnerability taxonomy, pointing to industry
standards that can be used to classify any vulnerability according to its unifying
commonality pattern. Additionally, you will learn a number of security tools that
can assist in finding and analyzing the security vulnerabilities present in a target
environment. These include OpenVAS, Cisco, Fuzzing, SMB, SNMP, and web
application analysis tools.
Chapter 8, Social Engineering, covers some core principles and practices adopted by
professional social engineers to manipulate humans into divulging information or
performing an act. You will learn some of these basic psychological principles that
formulate the goals and vision of a social engineer. You will also learn about the
attack process and methods of social engineering, followed by real-world examples.
In the end of the chapter, you will be given hands-on exercises about two wellknown
technology-assisted social engineering tools that can assist in evaluating the
target's human infrastructure.
Chapter 9, Target Exploitation, highlights the practices and tools that can be used to
conduct real-world exploitation. The chapter will explain what areas of vulnerability
research are crucial in order to understand, examine, and test the vulnerability.
Additionally, it will also point out several exploit repositories that should help to
keep you informed about the publicly available exploits and when to use them.
You will also learn to use one of the infamous exploitation toolkits from a target
evaluation perspective. Moreover, you will discover the steps for writing a simple
exploit module for Metasploit Framework.
Chapter 10, Privilege Escalation, covers the tools and techniques for escalating
privileges, network sniffing and spoofing. You will learn the tools required to attack
password protection in order to elevate the privileges. You will also learn about the
tools that can be used to sniff the network traffic. In the last part of this chapter, you
will discover several tools that can be handy in launching the spoofing attacks.
Chapter 11, Maintaining Access, introduces the most significant tools for protocol
tunneling, proxies, and end-to-end communication. These tools are helpful to create
a covert channel between the attacker and the victims machine.
for documentation, report preparation, and presentation. These directives draw a
systematic, structured, and consistent way to develop the test report. Furthermore,
you will learn about the process of results verification, types of reports, presentation
guidelines, and the post testing procedures.
Appendix A, Supplementary Tools, describes several additional tools that can be used
for the penetration testing job.
Appendix B, Key Resources, explains the various key resources.

What you need for this book
All the necessary requirements for the installation, configuration, and running
BackTrack have been discussed in Chapter 1.

Who this book is for
If you are an IT security professional or network administrator who has a basic
knowledge of Unix/Linux operating systems including an awareness of information
security factors, and you want to use BackTrack for penetration testing, then this
book is for you.

Table of Contents
Preface 1
PART I: Lab Preparation and Testing Procedures
Chapter 1: Beginning with BackTrack 9
History 9
BackTrack purpose 9
Getting BackTrack 11
Using BackTrack 12
Live DVD 12
Installing to hard disk 13
Installation in real machine 13
Installation in VirtualBox 14
Portable BackTrack 19
Configuring network connection 21
Ethernet setup 21
Wireless setup 22
Starting the network service 24
Updating BackTrack 24
Updating software applications 25
Updating the kernel 26
Installing additional weapons 29
Nessus vulnerability scanner 30
WebSecurify 31
Customizing BackTrack 32
Summary 34
Chapter 2: Penetration Testing Methodology 37
Types of penetration testing 38
Black-box testing 38
White-box testing 39
Vulnerability assessment versus penetration testing 39
Security testing methodologies 41
Open Source Security Testing Methodology Manual (OSSTMM) 42
Key features and benefits 43
Information Systems Security Assessment Framework (ISSAF) 44
Key features and benefits 45
Open Web Application Security Project (OWASP) Top Ten 46
Key features and benefits 48
Web Application Security Consortium Threat Classification (WASC-TC) 49
Key features and benefits 50
BackTrack testing methodology 51
Target scoping 52
Information gathering 52
Target discovery 53
Enumerating target 53
Vulnerability mapping 53
Social engineering 54
Target exploitation 54
Privilege escalation 54
Maintaining access 55
Documentation and reporting 55
The ethics 55
Summary 56
PART II: Penetration Testers Armory
Chapter 3: Target Scoping 61
Gathering client requirements 62
Customer requirements form 63
Deliverables assessment form 64
Preparing the test plan 64
Test plan checklist 66
Profiling test boundaries 67
Defining business objectives 68
Project management and scheduling 69
Summary 70
Chapter 4: Information Gathering 73
Public resources 74
Document gathering 75
Metagoofil 75
DNS information 77
dnswalk 78
dnsenum 79
dnsmap 81
dnsmap-bulk 83
dnsrecon 84
fierce 85
Route information 86
0trace 86
dmitry 88
itrace 90
tcpraceroute 91
tctrace 92
Utilizing search engines 93
goorecon 93
theharvester 95
All-in-one intelligence gathering 96
Maltego 96
Documenting the information 101
Dradis 102
Summary 107
Chapter 5: Target Discovery 109
Introduction 109
Identifying the target machine 110
ping 110
arping 111
arping2 112
fping 113
genlist 115
hping2 116
hping3 117
lanmap 118
nbtscan 119
nping 121
onesixtyone 122
OS fingerprinting 122
p0f 123
xprobe2 124
Summary 126
Chapter 6: Enumerating Target 127
Port scanning 127
AutoScan 131
Netifera 134
Nmap 136
Nmap target specification 138
Nmap TCP scan options 139
Nmap UDP scan options 140
Nmap port specification 141
Nmap output options 142
Nmap timing options 143
Nmap scripting engine 144
Unicornscan 147
Zenmap 148
Service enumeration 152
Amap 152
Httprint 153
Httsquash 155
VPN enumeration 156
ike-scan 157
Summary 159
Chapter 7: Vulnerability Mapping 161
Types of vulnerabilities 162
Local vulnerability 162
Remote vulnerability 163
Vulnerability taxonomy 164
Open Vulnerability Assessment System (OpenVAS) 165
OpenVAS integrated security tools 166
Cisco analysis 169
Cisco Auditing Tool 169
Cisco Global Exploiter 170
Cisco Passwd Scanner 172
Fuzzy analysis 173
BED 173
Bunny 175
JBroFuzz 177
SMB analysis 180
Impacket Samrdump 180
Smb4k 181
SNMP analysis 182
ADMSnmp 183
Snmp Enum 184
SNMP Walk 186
Web application analysis 188
Database assessment tools 188
DBPwAudit 189
Pblind 190
SQLbrute 191
SQLiX 194
SQLMap 196
SQL Ninja 199
Application assessment tools 202
Burp Suite 202
Grendel Scan 204
LBD 206
Nikto2 207
Paros Proxy 209
Ratproxy 210
W3AF 212
WAFW00F 214
WebScarab 215
Summary 217
Chapter 8: Social Engineering 219
Modeling human psychology 220
Attack process 220
Attack methods 221
Impersonation 221
Reciprocation 222
Influential authority 222
Scarcity 223
Social relationship 223
Social Engineering Toolkit (SET) 224
Targeted phishing attack 225
Gathering user credentials 230
Common User Passwords Profiler (CUPP) 234
Summary 235
Chapter 9: Target Exploitation 237
Vulnerability research 238
Vulnerability and exploit repositories 240
Advanced exploitation toolkit 241
MSFConsole 242
Ninja 101 drills 246
Scenario #1 246
Scenario #2 248
Scenario #3 252
Scenario #4 261
Scenario #5 263
Writing exploit module 268
Summary 273
Chapter 10: Privilege Escalation 275
Attacking the password 276
Offline attack tools 277
Rainbowcrack 277
Samdump2 280
John 282
Ophcrack 284
Crunch 285
Wyd 286
Online attack tools 287
BruteSSH 287
Hydra 288
Network sniffers 289
Dsniff 290
Hamster 291
Tcpdump 294
Tcpick 295
Wireshark 296
Network spoofing tools 298
Arpspoof 298
Ettercap 300
Summary 304
Chapter 11: Maintaining Access 305
Protocol tunneling 305
DNS2tcp 306
Ptunnel 307
Stunnel4 308
Proxy 311
3proxy 311
Proxychains 312
End-to-end connection 313
CryptCat 313
Sbd 314
Socat 315
Summary 319
Chapter 12: Documentation and Reporting 321
Documentation and results verification 322
Types of reports 323
Executive report 323
Management report 324
Technical report 325
Network penetration testing report (sample contents) 326
Table of Contents 326
Presentation 327
Post testing procedures 328
Summary 329
PART III: Extra Ammunition
Appendix A: Supplementary Tools 333
Vulnerability scanner 333
NeXpose community edition 334
NeXpose installation 334
Starting NeXpose community 335
Login to NeXpose community 336
Using NeXpose community 336
Web application fingerprinter 338
WhatWeb 338
BlindElephant 339
Network Ballista 341
Netcat 341
Open connection 342
Service banner grabbing 342
Simple server 343
File transfer 343
Portscanning 344
Backdoor Shell 344
Reverse shell 345
Summary 346
Appendix B: Key Resources 347
Vulnerability Disclosure and Tracking 347
Paid Incentive Programs 349
Reverse Engineering Resources 349
Network ports 350
Index 357


e-books shop

Purchase Now !
Just with Paypal

Product details
 392 p
 File Size
 6,332 KB
 File Type
 PDF format
 2011 Packt Publishing 

═════ ═════

Loading... Protection Status