BackTrack 5 tutorial Part I: Information gathering and VA tools
December 18, 2011 Leave a comment
BackTrack 5, codenamed “Revolution”, the much awaited penetration testing framework, was
released in May 2011. It is a major development over BackTrack4 R2. BackTrack 5 is said to be built
from scratch, and has seen major improvements as well as bug fixes over previous
BackTrack is named after a search algorithm called “backtracking”. BackTrack 5 tools range from
password crackers to full-fledged penetration testing tools and port scanners. BackTrack has 12
categories of tools, as shown in Figure 1 of this tutorial.
To continue reading for free, register below or login
Figure 1: Categories of
tools in BackTrack 5
Penetration testers usually perform their test attacks in five phases:
1. Information gathering
2. Scanning and vulnerability assesment
3. Gaining access to the target
4. Maintaining access with the target
5. Clearing tracks
In this BackTrack 5 penetration testing tutorial, we will look at the information gathering and
vulnerability assessment tools in BackTrack 5.
Information gathering is the first and most important phase in penetration testing. In this
phase, the attacker gains information about aspects such as the target network, open ports, live
hosts and services running on each port. This creates an organizational profile of the
target, along with the systems and networks in use. Figure 3 of this BackTrack 5 tutorial is a
screenshot of Zenmap, the BackTrack information gathering and network analysis tool.
Figure 2: Zenmap UI in
The intense scan mode in
Zenmapovides target information such as services running on each port, the version, the target
operating system, network hop distance, workgroups and user accounts. This information is
especially useful for white box testing.
Other BackTrack 5 information gathering tools of interest are CMS identification and IDS-IPS
identification for web application analysis. CMS identification gives information about the
undelying CMS, which can be used to do a vulnerability research on the CMS and gather all the
available exploits to test the target system. The joomscan tool (for the Joomla CMS) is covered
later in this BackTrack 5 tutorial.
Another interesting and powerful tool is Maltego, generally used for SMTP analysis. Figure 4 of
this BackTrack 5 tutorial shows Maltego in action.
Figure 3: Maltego UI in
The Palette in Maltego shows the DNS name, domain, location, URL, email, and other details about
the website. Maltego uses various transformations on these entities to give the pen tester
necessary details about the target. Views such as mining view, edge weighted view, etc, provide a
graphical representation of the data obtained about a particular target.
The second phase in pen testing is vulnerability assessment. After gaining some initial
information and an organizational profile of the target through conclusive footprinting, we will
assess the weak spots or vulnerabilities in the system. There are a number of vulnerability
databases available online for ready use, but we will focus on what BackTrack 5 has to offer in
Web application scanners are used to assess website vulnerabilities. Figure 5 of this BackTrack
5 tutorial shows joomscan in action. Joomscan is meant Joomla-based websites and reports
vulnerabilities pre-stored in the repository.
Figure 4: Joomscan in
Joomscan can be run with the following command:
./joomscan.pl –u string -x proxy:port
Here string is the target Joomla website. Joomscan has options for version detection,
server check, firewall activity, etc. As can be seen in Figure 5 of this BackTrack 5
tutorial, the target Joomla website is running on an Apache server using PHP version 5.5.16.
OpenVAS (Open Vulnerability Assesment System) on BackTrack 5: Opening Applications –
Backtrack – Vulnerability scanners – OpenVAS will give you the list of options shown in
Figure 6 of this BackTrack 5 tutorial.
Figure 5: OpenVAS options in
OpenVAS is a powerful tool for performing vulnerability assessments on a target. Before doing
the assessment, it is advisable to set up a certificate using the OpenVAS MkCert option. After
that, we will add a new user from the menu in this BackTrack 5 tutorial.
The user can be customized by applying rules, or assigned an empty set by pressing Ctrl+D. Once
a new user has been added with login and other credentials, we can go ahead with the assessment
part of this BackTrack 5 tutorial.
Figure 6: Adding a user with
OpenVAS works on the client/server model in the assessment process. You should regularly update
the arsenal to perform efficient tests.
OpenVAS vs Nessus Scanner
Nessus Scanner is another vulnerability assesment tool for carrying out automated
assessments. Let’s take a look at the difference between the two in the next step of this Back
Track 5 tutorial.
Nessus has two versions, free and paid, while OpenVAS is completely free. Recent observations
have shown that the plugin feeds of these two scanners are considerably different, and depending on
only one tool is not recommended, as automated scanners can throw up lots of false positives.
Clubbing manual scanners with other tools, alongside automated scanners, is recommended for
doing a comprehensive assessment of the target. BackTrack 5 also offers other tools under this
category including CISCO tools, which are meant for CISCO-based networking hardware. Fuzzers are
also available, categorized as network fuzzers and VOIP fuzzers.
It’s evident from the above tutorial that Backtrack 5 has a lot in offer in terms of information
gathering and vulnerability assessment. In this BackTrack 5 tutorial, I have made an effort to show
the one or two tools which I felt would be most useful to readers. It’s best to try out all tools
so that you have first hand experience of BackTrack 5, and the power it brings to a pen tester’s
arsenal. In subsequent tutorials, we shall see how Backtrack 5 facilitates exploitation of a