Backtrack 5 Screenshots Released

The ever popular Backtrack Linux security distro will soon have a new family member. Backtrack-Linux.org has released some screenshots of their next installment:

Backtrack 5!

According to their blog, Backtrack 5 development is slightly behind schedule, but to satiate the hungry crowds, they released a series of three screenshots. I have to admit the KDE 4 theme looks pretty sharp indeed.

No solid release date as yet, but believe you me, when they do release it, people will be lining up to download it. Backtrack Linux is hands down the best security distro out there.

Check it out!

 

Caught in the Hack! Network Security Monitoring vs Backtrack Autopwn

This will be the first in a series of articles analyzing attacks used against networks and what can be done to catch them.

For this part of the series I will be using three machines – a target machine, an attacker system and a third computer running the Network Security Monitoring (NSM) Security Onion Live CD. The NSM machine will be connected to the target machine via a mirrored port (DualComm’s DCSW-1005PT) so all the incoming attacks can be monitored in realtime.

This article is for informational use only. Do not attempt anything found in these articles on any network or computer system without written permission from the owners. Doing so could get you into trouble and you may end up in jail. 

For quite a while now, I wanted to write some articles about NSM. Today, I finally set everything up and ran some tests. The first test I wanted to run was to pit the ever popular BackTrack 4 R2 Fast-Track “Autopwn” program against NSM and see what would happen.

Autopwn is a great program for new users to try their hand at penetration testing. Autopwn basically does all the work for you. All you need to tell the program is what you want to attack, and the program does the rest.

The program runs nmap and looks for open ports. It then uses that information to create a tailored attack against the target system using Metasploit. Quick, simple and easy.

You boot up your Backtrack 4 system, start networking, go to the Backtrack menu, select “penetration” menu, “Fast-Track” and finally “Fast-Track Interactive”.

You should have a screen that looks like this:

 

Just run the updates, option #1, then run Autopwn – option #2. Provide it with a single IP address or a range of addresses that you want to attack, then what kind of payload shell you want. I always pick “reverse” – connect back to me.  That’s it. The program then automatically attacks the systems and tries to open a reverse shell to it.

Wow, pretty impressive, but what can be done to detect this type of attack? Well, while this attack was running against my target machine, my NSM system monitored every packet coming into the system through a mirrored port. The NSM system runs Snort which detects intrusion attempts and displays the alerts in the network security analyst program Sguil.

The result?  Sguil lit up like a Christmas tree. See the Sguil interface screenshot below:

The alerts are color coded for severity and list the Source, or attackers IP address. You can click on each alert and find out more about it, or view the actual packets involved in the alert in Wireshark.

So even though this attack was not detectable by the target machine, my NSM machine captured the whole event, while it happened, in realtime.

Okay, we have a readout displaying that an attack occurred, which is nice to have, but how do we stop this type of attack?

Autopwn uses the standard exploits in Metasploit. The best defense in this case is to keep your machine and software patched, and updated. Also make sure that your firewall is on. If you do, then the attacker should see the screen below on his Backtrack system:

No Active Sessions. That’s a good thing for us, this means that none of the exploits worked and the attack was unsuccessful! 

And with Sguil and NSM, we also have an electronic packet trail of the attack and his source IP!

 

Network Security Monitoring made Easy with Security Onion LiveCD

Want an easy to use intrusion detection and monitoring solution that is easy to use and install? Look no further than Doug Burk’s (SANS GSESecurity Onion LiveCD.

This security Linux distribution marries the every popular SNORT Intrusion Detection System (IDS), and Sguil (Security analysis program created by a former member of the Air Force’s CERT team) in an easy to use package.

You can run Security Onion completely off the CD or install it and run it from a hard drive. I wanted to see how easy it was to use, so I installed it and ran it through the paces.

I chose to run it in LiveCD mode. Once it boots to desktop, you simply run the setup script, then choose advanced or quick setup:

I chose the quick setup. Next just choose a name and password for the Sguil server. Setup is now complete!

Next just double-click on Sguil, choose what interface to monitor and that is it. You now have a complete, up and running Intrusion Detection and Monitoring system. Very quick to set up and simple to use. 

Testing worked great, I did some simple attacks against the system with Backtrack 4. It detected the attacks and listed the events in the Sguil interface. Right clicking on the alerts brings up a menu where you can view a transcript of the attack, or even view the packet stream in Wireshark!

Security Onion runs on Xubuntu 10.04 and includes:

  • Snort updated to 2.9.0.3.
  • Suricata updated to 1.1beta1
  • Barnyard2 updated to 1.9 Stable.
  • Vortex updated to 2.9.0.
  • Installed OSSEC for host-based intrusion detection.
  • Installed Squert web interface for Sguil.
  • Installed Armitage GUI interface for Metasploit.
  • What an awesome tool for network defense. An intrusion detection and monitoring system used by many large companies, preconfigured and ready to use even on your small business or home system. This would work great with Dualcomm’s Network port mirroring device.  Check it out!

     

    Oracle VirtualBox on Ubuntu 10.10

    I am a huge fan of Ubuntu. Each new release seems faster, smoother and easier to use. The latest release called “Maverick Meerkat” is no exception. You can even run Ubuntu in a “Live CD” mode so no changes are made your system. If you are a Windows user and haven’t taken the Linux plunge, check out Ubuntu 10.10, you will not be disappointed. 

    Okay, Ubuntu praise aside, I am a huge VMWare fan and am somewhat skeptical of other virtual desktop software. I have seen several people using VirtualBox and decided to try it out. Wow, I was truly impressed.

    VirtualBox was developed by Sun Microsystems for home and corporate users and is open source software (translated “Free”). It also runs equally well under Windows or Linux. Having never run a virtual system on Linux, I decided to give it a test run under Ubuntu.

    Installation was painless, and quick. I just went to the VirtualBox site, picked the “Ubuntu” version and installation was automatic. When it was installed, creating a new virtual machine was extremely easy. You just hit the “New” button, pick what OS you will be installing, set a few options if you want, create the virtual disk then power it on and install the OS.

    The picture above is Windows XP running in a VirtualBox session on my Ubuntu system. The XP system was fast and responsive. The only problem I did have was getting my USB camera to connect to the session. But, since I had the same problem with VMWare on my Windows 7 desktop, I was not really surprised.

    According to the documentation, VirtualBox can read VMWare images and also has a cool RDP remote desktop option that I will have to try.

    I highly recommend both Ubuntu 10.10 and VirtualBox. If you get a chance, check them out, you will not be disappointed.