May « 2011 « Security related discussions, articles, and tutorials

Backtrack 5, Metasploit, and PostgreSQL

Backtrack 5 ships with some very nice features; in this post I will be discussing Metasploit and PostgreSQL.  Backtrack 5 ships with Metasploit and PostgreSQL out of the box, which means that postgres is already running within BT5.  One thing to note here is that you may need to install the postgres gem and specify the db_driver within msf.  I installed the gem using Ruby version 1.8.7; I get errors installing the postgres gem using Ruby version 1.9.2_dev.  There are some very nice how-tos for this over at the BT5 forums. Update 6/1/2011: MSF does not contain any postgres drivers if launched from '/pentest/exploits/framework3'; however, if launched from your PATH, the drivers are available and PostgreSQL is initialized and connected.  It is not running on the default TCP port 5432, though; instead postgres is listening on localhost:7175.  A quick 'netstat -antp | grep 7175' command will show whether any service is listening on that port.

But if we try to stop the postgres service using '/etc/init.d/postgresql-8.4 stop', we get no luck: there is no service called postgresql-8.4.  Hmm, let's display all services with the 'service --status-all' command.  We see the following, which indicates that the PostgreSQL installation is associated with msf by default within BT5.  As we can see, this service is called 'framework-postgres'. NICE =)

What does this mean?  It means we know the service name, so we can start and stop the service, stop it auto-running at boot time, and we know that the postgres installation is associated primarily with Metasploit.  But hey, the postgres config files are not in their default location.  Well ok, let's find where they are.  Let's start with where Metasploit is installed.  The 'framework3' directory within '/pentest/exploits/' is a symbolic link to '/opt/framework3/msf3'.  Therefore, we look inside these directories and see a postgresql directory within '/opt/framework3'.  However, if we start Metasploit and try to connect to the database with a user and password of 'root:toor', we get an authentication error.  So what is the user and password combo used?

After going through some of the directories within '/opt/framework3', I find an interesting directory called config which has a file named 'database.yml' within it.  Let's cat the contents of the file and see what it tells us.  As we can see from the screenshot below, it tells us the username and password.  Nice info; however, instead of specifying the username and password every time we connect to msf and want to use the PostgreSQL database, we can use the 'db_connect' command with the database.yml file.

As we can see, we have a username of msf and a randomly generated password.  I am running a few different BT5 virtual machines and each one has a different password.  Nice.  Now, to connect msf to the database, we just use the db_connect command with the right syntax to use the yml file, with the absolute path to the file specified.

Now we are in business.  I figured I would do a little write-up on this since I have not seen a lot of documentation for it anywhere; hope you enjoy.  To be honest, I am finding more and more very nice features the BT5 developers introduced.  Nice work.
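The walk-through above boils down to a few checks: which port postgres is listening on, what database.yml holds, and how to hand that to db_connect. The script below is an added example written for this page, not part of the original post or of the Metasploit project. It reads a constructed database.yml in the same layout as /opt/framework3/config/database.yml (every value in it is invented), builds the user:pass@host:port/db string that db_connect accepts, and adds two checks worth making once you know the file exists: that the file holding the cleartext database password is not readable by other users, and that the database host is loopback only. The port check uses ss where present and otherwise netstat, as in the post.

```shell
#!/bin/sh
# Added example for this page, not code from the original post or from
# Metasploit. Parses a Metasploit-style database.yml, builds the string that
# msfconsole's db_connect accepts, and runs three defender-side checks.

# Constructed sample laid out like /opt/framework3/config/database.yml;
# every value here is invented for the example.
SAMPLE_YML='production:
  adapter: postgresql
  database: msf3
  username: msf3
  password: EXAMPLE_RANDOM_PASSWORD
  host: 127.0.0.1
  port: 7175
  pool: 75
  timeout: 5
'

# yml_field FILE KEY: print the value of the first "KEY: value" line in FILE.
yml_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# msf_connect_string FILE: print user:pass@host:port/db, the non-yml form
# that db_connect takes.
msf_connect_string() {
  printf '%s:%s@%s:%s/%s\n' \
    "$(yml_field "$1" username)" "$(yml_field "$1" password)" \
    "$(yml_field "$1" host)" "$(yml_field "$1" port)" \
    "$(yml_field "$1" database)"
}

# yml_host_is_local FILE: succeed only if the database host is loopback,
# i.e. the password in this file is not being sent across the LAN.
yml_host_is_local() {
  case "$(yml_field "$1" host)" in
    127.0.0.1|localhost|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# yml_perms_ok FILE: succeed only if group and others have no access
# (mode 600 or 400). The file holds a cleartext database password.
yml_perms_ok() {
  _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$_mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# port_listening PORT: succeed if a TCP listener is bound on PORT, using ss
# when present and otherwise netstat (the post's 'netstat -antp | grep').
port_listening() {
  if command -v ss >/dev/null 2>&1; then
    ss -lnt 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
  else
    netstat -ant 2>/dev/null | awk '$NF == "LISTEN" {print $4}' | grep -q ":$1\$"
  fi
}

# Stand-alone run: write the sample to a temp file and report on it.
report() {
  _f=$(mktemp)
  printf '%s' "$SAMPLE_YML" > "$_f"
  chmod 600 "$_f"
  echo "db_connect $(msf_connect_string "$_f")"
  if yml_host_is_local "$_f"; then echo "host:  loopback only (ok)"; else echo "host:  not loopback, password crosses the network"; fi
  if yml_perms_ok "$_f"; then echo "perms: owner-only (ok)"; else echo "perms: readable by other users"; fi
  if port_listening "$(yml_field "$_f" port)"; then echo "port:  listener found"; else echo "port:  nothing listening (expected unless framework-postgres is up)"; fi
  rm -f "$_f"
}
report
```

Run it as a script and it reports on the embedded sample; point msf_connect_string at the real file to get the db_connect argument. Once that string is typed into msfconsole it also ends up in the console's command history, which is one more reason to prefer the yml form, 'db_connect -y /opt/framework3/config/database.yml', over typing the password out.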


Backtrack 5 Wireless Injection with Alfa AWUS051NH Card

To sum this all up, I really wanted to try out my Alfa AWUS051NH USB card with the new BT5 distro. Injection worked flawlessly and I was able to crack my seclab WEP-enabled WAP within a few minutes of injection. However, this was a 64-bit WEP key; stronger encryption will take a bit longer and more IVs to crack. Let's get this going.

The Setup:

BT5 KDE x32 – Virtual Machine
Alfa AWUS051NH USB card
Wireless Access Point running WEP

The Results:

Alfa AWUS051NH in monitor mode.

Start airodump-ng to see where my AP is.

Airodump-ng refined command specifying the BSSID and channel of my target AP.  (sorry guys) =)

Now to start the ARP injection using aireplay-ng while airodump-ng is capturing only IV packets.

And now for what everyone has been waiting for =)  Cracking the WEP key, using aircrack-ng.

Easy as 1,2,3 =)  Glad my card works out of the box with BT5.  Hope you all enjoyed this brief post. Till the next time.

-bostonlink


Backtrack 5 released =)

Today, May 10th 2011, was the release date of Backtrack 5.  As far as I can tell, it is the best Backtrack release to date.  It is highly polished and an easy install.  In my personal and professional opinion this release is a game changer for the industry.  I know I am going to be busy for days exploring all the new tools and features of BT5.  I have also installed BT5 on my XOOM wifi with the BT5-GNOME-ARM edition release as well.  My initial thoughts are that the ARM edition is not as polished as the x32 or x64 editions; however, we all knew that.  To be honest, I don't know how practical having BT5 installed on my XOOM is or will become, however the coolness factor is there =)  I just couldn't resist.

That being said, I would like to thank all of the Backtrack developers for their hard and continuous work on Backtrack.  I can truly say I am in love with this new release and will be testing it out within my lab environment at home and at client engagements while at work.  Thanks again; to the devs, your hard work pays off, and I hope you all feel appreciated.  Nice work guys.

Moto Xoom BT5 pictures:


Creating a Pentest Virtual Lab Environment

Creating a lab environment gives the user an opportunity to explore new technologies, test configurations, test exploitation methods, create scripts, and more. This is why creating a lab environment is an imperative task. In this article I will go over building lab environments specific to penetration testing. However, anyone could modify these lab guidelines and create their own specific lab environment. This article is not a definitive guide on how to set up a lab environment to suit everyone's needs. Instead, it is an overview of how to start a penetration testing lab environment.

A lab environment is necessary to learn specific penetration testing techniques that would be illegal to try against public-facing systems without specific permission. Thus, setting up a private environment of your own, in which you can launch any attack, tool, or exploit and do whatever you like, is essential to the learning process, plus it is a lot of fun. Another reason for a pentest lab is that if you are tasked with a penetration test of a client and are unfamiliar with an exploit that one of their systems may be vulnerable to, you can set up a test system that mirrors the original client's system configuration to the best of your knowledge, to test and/or rewrite the exploit and make sure it acts as described. On another note, I personally like to re-write all exploits that are not directly ported within an exploit framework. This assures that the exploit performs exactly how I want it to; additionally, it gives me peace of mind to know what the shellcode within the exploit does. However, this is out of the scope of this article.

The lab can be small or large, but it gives you the ability to run multiple operating systems, different configurations, and software to test. Virtualization makes an excellent lab environment and cuts down on the need for a lot of hardware. There are many virtualization solutions on the market today. However, in my opinion VMware products are the best. I may be biased since I started with VMware; for this reason, this article will be focused on VMware technology, since all of my labs are set up within VMware.

Depending on your setup, at minimum you should have a dedicated box; if you don't want to go the dedicated route, the desktop or laptop running your lab should be able to run at least 2-3 virtual machines at the same time without degrading the performance of your system and making it inoperable. Within my lab environments, I have two dedicated servers, each with 12GB of RAM, running VMware ESXi 3.5 and 4.0. However, you do not need a setup like this if you just want to set up a couple of virtual machines to get started with and test against. I also have a VMware Workstation lab environment on my desktop with 8GB of RAM. Additionally, since I travel a lot, I installed 8GB of RAM in my laptop so I can test against VMs locally if needed while at a client site or in a hotel room.

That being said, I suggest you start off with VMware Workstation or Server. Workstation is much more robust than VMware Server; however, it is not free like VMware Server edition. It is up to you which virtualization platform you want to run. However, if you are a student, VMware does offer educational discounts for VMware Workstation and Fusion (if you have a Mac).

VMware Workstation and Fusion also give the user the ability to choose what kind of networking to enable on the host. There are three default options: bridged, NAT, and host-only. Here are some high-level definitions of the three types of networking. (For more information, read the VMware documentation.)

Bridged Networking – Assigns the guest system an IP address within the physical LAN that the host is on.

NAT – Uses network address translation to assign the guest a NATed IP address which can reach your LAN and the Internet through your host's Internet connection.

Host-only – Assigns an IP address to the guest that is only accessible on the host system. Host-only basically sandboxes the network to your host; you will not be able to access the Internet or any resources on the LAN which the host is on.

This is good since it gives you many options for your host. However, I highly suggest sticking with host-only when running exploits or testing malware within your lab environment. This restricts the exploits to a sandboxed network, so the exploit or malware will not have the ability to access resources on your production LAN.
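One way to make the host-only rule checkable rather than something you remember to click, as an added example that is not from the original article or from VMware: the script below audits .vmx files and fails if any present virtual NIC is on anything other than host-only networking. It assumes the standard .vmx key layout (ethernetN.present and ethernetN.connectionType with the values bridged, nat or hostonly); the two .vmx fragments embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example for this page, not code from the original article or from
# VMware. Audits .vmx files so that every present virtual NIC is on host-only
# networking before exploits or malware are run inside the VM. Assumes the
# standard .vmx keys ethernetN.present and ethernetN.connectionType, whose
# values are "bridged", "nat" or "hostonly".

# Constructed .vmx fragments (invented for the example, not real VMs).
VMX_SAFE='.encoding = "UTF-8"
displayName = "victim-xp-sp3"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
'
VMX_LEAKY='displayName = "victim-2003"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
'

# vmx_nic_types FILE: print "ethernetN type" for every connectionType line.
vmx_nic_types() {
  sed -n 's/^\(ethernet[0-9][0-9]*\)\.connectionType[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1 \2/p' "$1"
}

# vmx_present_nics FILE: print the names of NICs marked present.
vmx_present_nics() {
  sed -n 's/^\(ethernet[0-9][0-9]*\)\.present[[:space:]]*=[[:space:]]*"TRUE".*/\1/p' "$1"
}

# vmx_nic_type FILE NIC: print the connectionType of one NIC (empty if unset).
vmx_nic_type() {
  vmx_nic_types "$1" | awk -v nic="$2" '$1 == nic {print $2; exit}'
}

# vmx_audit FILE: print one line per present NIC; succeed only if all are
# host-only. A NIC with no connectionType is flagged as well, because its
# behaviour is then whatever the product defaults to, not what the file says.
vmx_audit() {
  _rc=0
  for _nic in $(vmx_present_nics "$1"); do
    _type=$(vmx_nic_type "$1" "$_nic")
    case "$_type" in
      hostonly) echo "  $_nic: hostonly (ok)" ;;
      "")       echo "  $_nic: connectionType unset (WARN)"; _rc=1 ;;
      *)        echo "  $_nic: $_type (WARN: reaches beyond the host)"; _rc=1 ;;
    esac
  done
  return $_rc
}

# Stand-alone run over the two embedded samples.
for _sample in "$VMX_SAFE" "$VMX_LEAKY"; do
  _f=$(mktemp)
  printf '%s' "$_sample" > "$_f"
  echo "== $(sed -n 's/^displayName = "\(.*\)"/\1/p' "$_f")"
  if vmx_audit "$_f"; then echo "  isolated: fine for exploit/malware runs"; else echo "  NOT isolated: fix the NIC before running anything hostile"; fi
  rm -f "$_f"
done
```

Run it over a lab directory with a loop such as for f in /path/to/lab/*.vmx; do vmx_audit "$f"; done before starting an exploit or malware run. The second sample shows the case that bites people in practice: a VM that was host-only when built and later had a second, bridged NIC added, which quietly reconnects it to the production LAN.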

Another thing to consider is where to get ISO images of the operating systems you want to install to play with or test against. For Microsoft builds this can be costly. However, I suggest a TechNet Professional subscription; it will allow you to download Microsoft operating system ISOs for development purposes. Additionally, you will want a variety of VMs set up to test different exploits and tools against. At the least, set up the following victim machines within your lab environment:

Windows XP SP2
Windows XP SP3
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Server 2008 R2
Several Linux flavors (I like Ubuntu and CentOS)
PFsense or Monowall Firewall (Optional)
BT4 and Soon BT5 (Attacker)

This will give you many targets within your environment which you can test against, as well as an attacking box. I love Backtrack, and the guys who make the Backtrack Linux distribution possible do a phenomenal job. Backtrack is my preferred attacking box within my lab and while conducting real-life penetration tests. It is highly recommended since it has the majority of the tools you will need to learn and get to know intimately pre-installed.

To add, once you have all of your test victim machines set up, I highly suggest you store them and make clones and snapshots of the systems; this will enable you to revert the systems if they get hosed or corrupt. Clones also come in handy when having to install new vulnerable software on the system. Clones enable you to just clone an existing virtual machine instead of having to install an OS from scratch, thus saving precious time.

Overall, having a virtual lab environment for testing purposes can go a long way, as well as allow you to learn many tasks and methods that you may not have used before. Within your lab environment you are only limited by your mind. I hope you enjoyed my high-level overview of setting up a basic lab environment; the main idea is to learn and have fun while learning new technology and testing methodologies. I hope you learned how important having a virtual lab environment can be, professionally and personally: you can learn so much and actually see how many types of technology and operating systems work and how they are different. Therefore, have fun, set up a nice lab, and I hope this article will help you out. Till next time =)

-bostonlink
