Backtrack /pentest A to Z Part 1: Bluetooth and Cisco
by phil on Jun.20, 2009, under Backtrack A to Z, Security
Backtrack 4 was released recently. Backtrack is a great resource for learning about security and penetration testing in general, and it ships a lot of tools for a variety of tasks. One of the interesting features in Backtrack 4 is the /pentest folder. It contains tools and resources, but its presentation is a little mystifying: it is just a directory hanging out there. For the next few months I'm going to attempt to demystify and test as many of the tools as I can. To make this even more exciting I'll be doing it from A to Z, starting with the first folder listed alphabetically and going from there. Originally I had thought of doing this folder by folder, but after looking through everything I'll just make a judgment call about when to stop fiddling around. Some posts will cover more than one folder; other times I might only cover a tool or two.
So let’s get started shall we?
This one is an easy one. There aren't many Bluetooth tools here to begin with, mainly because a lot of the Bluetooth tooling is built into the OS itself (such as hcidump and the rest of the BlueZ utilities).
Taking a look at blueprint, it's a tool which lets you profile a Bluetooth device. You give it the device's Bluetooth address (BD_ADDR) and it will spit out as much information as it can, fingerprinting the make and model from the services the device advertises over SDP.
Bluesmash is a GUI tool designed for getting information from phones and exploiting a range of vulnerabilities. Since I don't really have access to Bluetooth on this machine I can't go into more detail than that. I have played with these tools in the past, but since I didn't have a vulnerable phone available at the time I couldn't really test the vulnerabilities.
Moving on to the next folder, cisco, we see a selection of tools for dealing with (and discovering) Cisco devices (what else did you expect?). To test these tools I used GNS3 (a Cisco router emulator built on Dynamips) and set up my own virtual Cisco 7200 router. It took me a while to set up, but your best bet is to follow the tutorials at BlindHog. I won't be supplying any IOS image files; I'll leave that up to the reader to find. The basic GNS3 configuration was set up like this:
Since I'm running all these tests in my lab (in VirtualBox) on a virtualized internal network, I had to run GNS3 on a virtual Windows XP instance. In the end, though, it didn't give me too many problems getting it set up.
Once I had set up the practice router I was able to test all the tools available in the cisco folder.
The first tool I took a look at was CAT, the Cisco Auditing Tool. Calling it an auditing tool is a bit of a misnomer, since it's really a brute-force tool: it connects over telnet (port 23) and guesses the login password from a wordlist, and it can guess SNMP community strings the same way. It also has a check for one old IOS bug, but other than that it just takes a wordlist and attempts to guess the password. You'd be better served by something like hydra or medusa instead (we'll get to those later on). But I have to say it did work at brute-forcing my password and successfully told me what the password was.
Cisco-Global-Exploiter (cge.pl) bundles exploits for a number of known Cisco vulnerabilities, each selected by number, and has some interesting functions:
However, since I didn't have an image for any of the above Cisco devices to try out, I can't really confirm whether any of these work. But if you do have a Cisco device and have tested this out, let me know in the comments section.
Cisco-OCS simply scans an IP range for Cisco devices that are still using default credentials. It turns out the device I was running wasn't vulnerable: it was found, but not vulnerable.
Ciscos-1.3 does something like CAT, but instead of running through a wordlist it simply tries to connect to every IP in the range with the default password 'cisco'.
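What a CAT, ciscos or OCS run looks like from the router's side, as an added example that is not part of the original post or of any of those tools: a small parser for the login-failure and login-success messages IOS logs once `login on-failure log` and `login on-success log` are configured, used to spot a wordlist run against telnet and the moment a guessed (here, default) password actually works. The log lines below are constructed for the example and modelled on the IOS `%SEC_LOGIN` format; the thresholds are arbitrary defaults, not values from the post.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real device), modelled on the
# %SEC_LOGIN messages IOS emits when "login on-failure log" and
# "login on-success log" are configured. 10.0.0.5 is a wordlist run that
# eventually lands the default password over telnet; 10.0.0.9 is an admin
# who mistypes once and then logs in over SSH.
SAMPLE_LOG = """\
Jun 20 10:01:02.111: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed] at 10:01:02 UTC Sat Jun 20 2009
Jun 20 10:01:03.222: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed] at 10:01:03 UTC Sat Jun 20 2009
Jun 20 10:01:04.333: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed] at 10:01:04 UTC Sat Jun 20 2009
Jun 20 10:01:05.444: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed] at 10:01:05 UTC Sat Jun 20 2009
Jun 20 10:01:06.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed] at 10:01:06 UTC Sat Jun 20 2009
Jun 20 10:01:07.666: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.0.0.5] [localport: 23] at 10:01:07 UTC Sat Jun 20 2009
Jun 20 10:02:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:00 UTC Sat Jun 20 2009
Jun 20 10:02:05.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.9] [localport: 22] at 10:02:05 UTC Sat Jun 20 2009
Jun 20 10:03:00.000: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.0.0.5)
"""

# Pulls outcome, user, source address and local port out of a %SEC_LOGIN line.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)


def parse_login_events(log_text):
    """Return login events in log order as dicts (outcome, user, src, port)."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def find_brute_force_sources(events, threshold=5):
    """Sources with at least `threshold` failed logins: a wordlist run."""
    failures = Counter(ev["src"] for ev in events if ev["outcome"] == "FAILED")
    return {src: n for src, n in failures.items() if n >= threshold}


def find_guessed_logins(events, threshold=3):
    """Successes preceded by >= threshold failures from the same source.
    Returns (src, user, failures_before): the footprint of a guess that hit."""
    failures = Counter()
    hits = []
    for ev in events:
        if ev["outcome"] == "FAILED":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            hits.append((ev["src"], ev["user"], failures[ev["src"]]))
    return hits


def telnet_login_sources(events):
    """Sources that logged in over telnet (port 23), i.e. in cleartext."""
    return {ev["src"] for ev in events
            if ev["outcome"] == "SUCCESS" and ev["port"] == 23}


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    print("brute-force sources:", find_brute_force_sources(evs))
    print("guessed logins:", find_guessed_logins(evs))
    print("telnet logins from:", telnet_login_sources(evs))
```

The success-after-failures correlation is the one worth alerting on: a burst of failures alone is noise from any scanner, but a success from the same source a few seconds later means the wordlist contained the password. On the router side, `login block-for` slows these tools down and `transport input ssh` on the vty lines takes telnet off the table entirely.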
And finally we've got copy-router-config. This one isn't too hard to guess. Start the tftpd daemon in Backtrack and, provided you know the router's read-write SNMP community string, it will make the router upload its full running configuration to your TFTP server (it does this with an SNMP set against the router's writeNet object), letting you analyse it later and identify any weaknesses in the config.
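Once copy-router-config has handed you a running-config, the analysis step is where the value is. As an added example (not code from the post or from the tool), here is a small auditor for the weaknesses this part of the series touches: `password 7` strings (a fixed-key XOR, so a pulled config hands you plaintext), `enable password` instead of `enable secret`, read-write or well-known SNMP community strings (the RW string is exactly what copy-router-config needs), `ip http server`, and telnet on the vty lines. Both configs are constructed for the example; the hardened one is the same router with each finding closed, the SNMP community restricted by ACL, and SSH on the vtys. The type-5 hashes in it are placeholders, not real digests.

```python
import re

# Cisco "password 7" is a fixed-key XOR obfuscation, not encryption. This is
# the well-known translation key shared by every IOS image.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """Recover the plaintext behind a 'password 7' string.
    The first two digits are the start offset into XLAT; the rest is hex."""
    salt = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(salt + i) % len(XLAT)]
                 for i, b in enumerate(data)).decode()


def encode_type7(plain, salt=8):
    """Inverse of decode_type7; useful for building test configs."""
    body = "".join("%02X" % (c ^ XLAT[(salt + i) % len(XLAT)])
                   for i, c in enumerate(plain.encode()))
    return "%02d%s" % (salt, body)


TYPE7_RE = re.compile(r"^\s*(?P<ctx>.*?)\bpassword 7 (?P<enc>[0-9A-Fa-f]+)\s*$")
SNMP_RE = re.compile(
    r"^\s*snmp-server community (?P<name>\S+)(?: view \S+)? (?P<mode>RO|RW)\b")
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def audit_config(cfg):
    """Return (code, detail) findings for the weaknesses discussed in the post."""
    findings = []
    for line in cfg.splitlines():
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        m = TYPE7_RE.match(line)
        if m:  # type 7 is reversible: report the recovered plaintext
            ctx = m.group("ctx").strip() or "line"
            findings.append(("TYPE7", "%s -> %r" % (ctx, decode_type7(m.group("enc")))))
        if s.startswith("enable password"):
            findings.append(("ENABLE_PASSWORD", "use 'enable secret' (MD5) instead"))
        m = SNMP_RE.match(line)
        if m:
            name, mode = m.group("name"), m.group("mode")
            if mode == "RW":  # exactly what copy-router-config needs
                findings.append(("SNMP_RW", name))
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("SNMP_DEFAULT", name))
        if s == "ip http server":
            findings.append(("HTTP", s))
        if re.match(r"transport input (telnet|all)\b", s):
            findings.append(("TELNET", s))
    return findings


# Constructed lab configs (not from a real router). WEAK_CONFIG is the kind of
# thing CAT, ciscos and copy-router-config feed on; HARDENED_CONFIG closes each
# hole. The "secret 5" hashes are placeholders, not real MD5 digests.
WEAK_CONFIG = """\
hostname lab-7200
!
enable password 7 0822455D0A16
username admin password 7 0215575819031B
!
snmp-server community public RO
snmp-server community private RW
ip http server
!
line vty 0 4
 login local
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname lab-7200
service password-encryption
!
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
!
access-list 10 permit 10.0.0.9
snmp-server community r0-only-2009 RO 10
no ip http server
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for code, detail in audit_config(WEAK_CONFIG):
        print(code, detail)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Two caveats a practitioner would add: `enable secret` only moves the enable password out of reach of the type-7 decoder, so the SNMP RW string and the cleartext telnet session remain the cheaper routes in until they are removed too; and a read-only community still lets anyone who guesses it enumerate interfaces and routes, which is why the hardened config pins it to one management address with `access-list 10`.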
And so ends part 1 of our series. Later in this series I'm also going to tell you how I put together my practice lab, along with a list of other tools for Windows that are not included on the Backtrack CD.
Update: A friend brought to my attention that I was using an older version of the /pentest folder; Backtrack had released a new CD with a few more tools. Looking through, I found two new tools: Redsnarf and Bluebugger. Redsnarf is a Bluetooth tool designed to hunt down non-discoverable Bluetooth devices by brute-forcing the low bytes of the Bluetooth address (the upper three bytes of a BD_ADDR are the manufacturer's OUI, so only the rest needs guessing). Bluebugger simply pulls down as much information from a Bluetooth phone as it can. Unfortunately, since I don't give VirtualBox access to my Bluetooth hardware, I wasn't able to test these tools. If you have, let me know in the comments.
Furthermore, in the cisco folder I noticed a rather odd addition: a tool entitled 'oscanner'. When I looked up what it does, it didn't sound like it's in the correct folder at all. This tool is really 'Oracle Scanner' and is used to perform a slew of tests against an Oracle database. Since I don't have Oracle installed I wasn't able to test it, but from what I've read about the tool it sounds promising, if only it were located in the database folder instead.
2 Comments for this entry
1 Trackback or Pingback for this entry
Backtrack /pentest A to Z Part 2: Database - IT Breathes!
August 28th, 2009 on 7:13 am
[...] 2009, under Security Welcome to Part 2 of the /pentest A to Z story. Previously we went through the Bluetooth and Cisco folders. I also went through the trouble of explaining my lab setup. In this part we're just [...]
September 3rd, 2009 on 7:31 am
Since I've always wanted to know more about the /pentest directory, your write-up is great...
As a favor, could you email me a compressed copy of /pentest?
I'm thinking of integrating the tools into another *ix system.
Thanks for the great writing.
Ben
September 3rd, 2009 on 8:16 am
Your best bet is to actually download the Backtrack 4 Live CD itself; you can easily extract the /pentest folder from the ISO (in Linux/Unix, Mac or Windows). I'm not even sure how big that folder is.