Backtrack 4 Wireless Sniffing with Meterpreter Class

Adrian Crenshaw (aka Irongeek) has posted several videos from the Kentuckiana ISSA 2011 Network Sniffers Class on his website. Topics covered include Wireshark, TCPDump, Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMinor, Firesheep and Xplico.

Check out Adrian’s website for all the videos, talk slides, and a list of the commands used.

Advertisements

Backtrack 5 Screenshots Released

The ever popular Backtrack Linux security distro will soon have a new family member. Backtrack-Linux.org has released some screenshots of their next installment:

Backtrack 5!

According to their blog, Backtrack 5 development is slightly behind schedule, but to satiate the hungry crowds, they released a series of three screenshots. I have to admit the KDE 4 theme looks pretty sharp indeed.

No solid release date as yet, but believe you me, when they do release it, people will be lining up to download it. Backtrack Linux is hands down the best security distro out there.

Check it out!

 

Caught in the Hack! Network Security Monitoring vs Backtrack Autopwn

This will be the first in a series of articles analyzing attacks used against networks and what can be done to catch them.

For this part of the series I will be using three machines – a target machine, an attacker system and a third computer running the Network Security Monitoring (NSM) Security Onion Live CD. The NSM machine will be connected to the target machine via a mirrored port (DualComm’s DCSW-1005PT) so all the incoming attacks can be monitored in realtime.

This article is for informational use only. Do not attempt anything found in these articles on any network or computer system without written permission from the owners. Doing so could get you into trouble and you may end up in jail. 

For quite a while now, I wanted to write some articles about NSM. Today, I finally set everything up and ran some tests. The first test I wanted to run was to pit the ever popular BackTrack 4 R2 Fast-Track “Autopwn” program against NSM and see what would happen.

Autopwn is a great program for new users to try their hand at penetration testing. Autopwn basically does all the work for you. All you need to tell the program is what you want to attack, and the program does the rest.

The program runs nmap and looks for open ports. It then uses that information to create a tailored attack against the target system using Metasploit. Quick, simple and easy.

You boot up your Backtrack 4 system, start networking, go to the Backtrack menu, select “penetration” menu, “Fast-Track” and finally “Fast-Track Interactive”.

You should have a screen that looks like this:

 

Just run the updates, option #1, then run Autopwn – option #2. Provide it with a single IP address or a range of addresses that you want to attack, then what kind of payload shell you want. I always pick “reverse” – connect back to me.  That’s it. The program then automatically attacks the systems and tries to open a reverse shell to it.

Wow, pretty impressive, but what can be done to detect this type of attack? Well, while this attack was running against my target machine, my NSM system monitored every packet coming into the system through a mirrored port. The NSM system runs Snort which detects intrusion attempts and displays the alerts in the network security analyst program Sguil.

The result?  Sguil lit up like a Christmas tree. See the Sguil interface screenshot below:

The alerts are color coded for severity and list the Source, or attackers IP address. You can click on each alert and find out more about it, or view the actual packets involved in the alert in Wireshark.

So even though this attack was not detectable by the target machine, my NSM machine captured the whole event, while it happened, in realtime.

Okay, we have a readout displaying that an attack occurred, which is nice to have, but how do we stop this type of attack?

Autopwn uses the standard exploits in Metasploit. The best defense in this case is to keep your machine and software patched, and updated. Also make sure that your firewall is on. If you do, then the attacker should see the screen below on his Backtrack system:

No Active Sessions. That’s a good thing for us, this means that none of the exploits worked and the attack was unsuccessful! 

And with Sguil and NSM, we also have an electronic packet trail of the attack and his source IP!

 

Bypass Windows 7 UAC with Backtrack 4 Meterpreter

I have mentioned in earlier posts how important it is to have Windows User Account Control (UAC) running, even at the lowest level, to thwart some hacker attacks. UAC effectively blocks several hacker techniques, especially on Windows 7.

There are a few several-step techniques to disable or bypass UAC, but I figured it would only be a matter of time before an easy to use script was created.

Security programming master David Kennedy recently released the above video on bypassing UAC with Backtrack 4 Meterpreter. Kevin Mitnick needed to bypass UAC for a penetration test, and together with David, came up with this script.

The script was just added to Metasploit today. For more information check out David’s Secmaniac site.