The quality of the tools that we use as penetration testers is part of what determines the quality of work that we perform. Other parts are, of course, skill, experience, and imagination. By building an excellent toolkit, we can better perform our penetration testing work and do a better, faster, and higher quality job. While the rest of this book will be focusing on individual tools and how to use them, in this chapter we will be talking about toolkits which contain a number of the tools we'll be discussing later and more.
We will also be talking about some of the technologies used to make carrying around your toolkit easier and safer. A good set of tools should always be stored in a good toolbox. In addition, we'll touch on some of the tools that you can use to build target systems for penetration testing. In Chapter 10, we'll talk about building a test lab, but here we'll talk about some of the kits that you can use within that lab.
This chapter may not be quite as interesting as the remaining chapters in this book since we will not be doing any actual penetration testing examples here. However, it is very important to have a solid foundation in the general tools available to you as a penetration tester prior to learning how to use those tools in real-world scenarios. You'll find that it saves you a lot of time later when we demonstrate using a tool if you already have a toolkit which contains it.
1.2. Approach
The general approach to building penetration testing toolkits is to minimize the amount of work spent maintaining tools and maximize the amount of time spent performing penetration testing. To do this, you generally start with a list of tools that are commonly used for either the specific type(s) of penetration testing that you are performing or a list of tools that can be used for a wide variety of purposes. This is akin to either selecting a knife custom designed for a specific purpose (e.g., a thin bladed knife for filleting) or grabbing a Swiss Army knife to cover a variety of situations.
Generally if you're building your own penetration testing toolkit from scratch, you'll take the approach of selecting your favorite or most commonly used tools. If you are building a toolkit for public use, it's usually best to include a wider variety of tools so that more general penetration testing needs can be met. This is the approach used by most of the people who put together these kits today.
The next decision that you have is the type of operating system that you'd like to use. There are a number of penetration testing tools which are built to run under Windows, but there are typically more tools available under the Linux platform. The challenge there is to determine which Linux distribution to use since there are such a wide variety to choose from. Some examples of popular Linux distributions are:
Many of these have served as the foundation for penetration testing toolkits over the years and your choice will often be driven by personal preference as much as any technical reasoning. Each distribution has their own unique release schedule and goals, which may play a part in your decision as well.
With the list of tools and the operating system choice out of the way, now it's time to determine how your penetration test toolkit will execute. Do you want to install the operating system and all tools on a desktop/laptop/etc. permanently or within a virtual machine? Would you prefer to boot off of an optical disk (CD/DVD)? Or maybe booting and running off of a flash drive or SD card is your preference. Whichever of these options works best for your needs is obviously the direction that you should go. Each has its own pros and cons.
For example, if you choose to do an on-disk installation, you should be aware that any corruption from a bad tool install or an erroneous command could mean reinstalling everything from scratch or restoring from a backup. On the other hand, you can make changes to your toolkit easily and know that those changes will be available for you the next time that you go to use the system. This tends to be a less portable solution, but takes advantage of the speed of the disk and makes saving changes easy.
Booting off of a CD or DVD works great for some toolkits, however, not all operating systems support running in this manner. In addition, you need to be sure that the machine you'll be using has a compatible drive and ensure that your disk doesn't get scratched or otherwise damaged. The risk of corruption is lower since changes are wiped out after the machine using the CD/DVD is powered off, but that also limits your ability to save changes that you actually want to keep such as tool updates.
Using a USB drive or SD card is another option similar to using a CD/DVD, but there are some additional advantages and disadvantages here. Not all systems support booting off of a USB drive and even fewer support booting off of an SD card so compatibility can be a problem. However, with correct partitioning, you can build a USB/SD penetration testing toolkit which supports persistent changes, meaning that all modifications that you make to the booted OS are saved to a special partition and reapplied the next time the toolkit is booted up. This is considered a “persistent Live USB” build and has the advantage of being able to be returned to a baseline state by removing the persistence partition. Alternately, you can build an operating system on the USB drive that is read/write like a normal hard disk.
Whether you're installing on a drive or building a bootable image, your next step is to install your tools. Many of the open source tools available share dependencies and in some cases conflict on the version of those dependencies that they support. While you may want to use the latest version of a specific driver, for example, there may be something new in that version that your chosen tools don't support. Always keep this in mind when doing your tool installations. The process of resolving incompatibilities and ensuring that the correct dependencies are there is very time consuming and requires a lot of effort.
1.3. Core technologies
There are a few core technologies that you need to be aware of when building your penetration testing toolkit. In this section, we'll talk about LiveCDs and how they work as well as some basics on how to build or modify a LiveCD. We'll talk about International Organization for Standardization (ISO) images and how to use those as well. Next, we'll go over how to make a bootable USB drive and then finish up by talking about how to make a persistent LiveCD environment.
1.3.1. LiveCDs
A LiveCD is basically a CD or DVD that is written with a bootable version of an operating system modified so that there is no need to write files to the disk the system is booted from. This allows you to use read-only media to boot a system into a fully functional operating system, leaving no data written to the hard disks of the system that you're using. It isn't even required for the system to have a hard disk since everything it needs will be coming off of the optical media.
LiveCDs started becoming popular in the early to mid 1990s and it's now common to find LiveCDs that support a majority of the common operating systems or distributions. Since most operating systems do need a place for temporary files, LiveCDs are built to create this temporary file area in memory or (less commonly) use an existing location on the system's hard disk. Files created while using the LiveCD that the user wants to keep can usually be written to a USB drive or a hard disk partition as well.
1.3.1.1. Creating a LiveCD
Depending on the operating system that you're using, a number of options exist on how to create your LiveCD. For Windows, one of the most popular methods of creating a LiveCD is to use Bart's Preinstalled Environment (BartPE) Builder to create a Windows-based bootable CD or DVD. This is free software and is available at
http://www.nu2.nu/pebuilder/. Using BartPE in combination with an original licensed Microsoft Windows DVD allows you to generate a bootable image very quickly and easily. We'll demonstrate the use of this tool in the
Open source tools section of this chapter.
WarningBartPE is not an official Microsoft product and is not officially supported by Microsoft. It was created as an alternative to Microsoft's Windows Preinstallation Environment (Windows PE) by Bart Lagerweij and Windows installations created by this tool are not supported by Microsoft.
Creating a LiveCD with Linux is a little more complex and can vary depending on distribution. For Ubuntu, this involves creating a number of directories and installing some packages on an existing Linux system, creating a copy of the operating system,
modifying it to work properly, building out the appropriate directory structures, then finally burning the CD or DVD. All of the steps and a detailed tutorial on this process can be found at
http://ubuntuforums.org/showthread.php?t=688872.
Using Fedora, the process is a little more streamlined. There is a LiveCD-tools package available which includes a tool called LiveCD-creator. This tool effectively goes through the following steps:
• Sets up a file for the ext3 file system that will contain all the data comprising the LiveCD
• Loopback mounts that file into the file system so there is an installation root
• Bind mounts certain kernel file systems (/dev, /dev/pts, /proc, /sys, /selinux) inside the installation root
• Uses a configuration file to define the requested packages and default configuration options. The format of this file is the same as is used for installing a system via kickstart.
• Installs, using yum, the requested packages into the installation using the given repositories in the kickstart file
• Optionally runs scripts as specified by the LiveCD configuration file
• Relabels the entire installation root (for SELinux)
• Creates a LiveCD-specific initramfs that matches the installed kernel
• Unmounts the kernel file systems mounted inside the installation root
• Unmounts the installation root
• Creates a squashfs file system containing only the default ext3/4 file (compression)
• Configures the boot loader
• Creates an iso9660 bootable CD/DVD
1.3.1.2. Modifying LiveCDs
Modifying LiveCDs is very similar to creating a LiveCD from scratch except that you have an easier foundation to work from. Basically, the contents of the LiveCD are extracted into a working area and modified as needed. This can include the addition of new files, modification of existing files, or deletion of files as required. Where this becomes complex is when you need to perform installations of packages and then build a new LiveCD using the updated versions.
To do this, there are a couple of methods that you can use. First, you can perform an install of the operating system to a machine, update all of the files or packages necessary, and then rebundle that modified version as a new LiveCD. Alternately, you can take the compressed images created when building some types of LiveCDs, mount those images, update them, and then use the updated images to create a new LiveCD. This is generally the method used with Knoppix as an example. An example of a similar method for Ubuntu can be found at
https://help.ubuntu.com/community/LiveCDCustomization.
1.3.2. ISO images
A common theme for all of these methods of creating a LiveCD is the use of an image at the end to write to the optical media. This image is typically an ISO image and is a standardized method of taking all of the data which will be extracted to a CD or DVD and archiving it into a single file. Instead of a directory structure with a bunch of different files, you have a single file which can be extracted to a hard disk or extracted and written simultaneously to optical media in real time using a number of tools.
In Windows 7, the ability exists natively within the operating system to burn an ISO image to an optical disk. In prior releases, the ISO Recorder “power toy” was required to perform this function or a variety of freeware or commercial tools could be used. In Linux, the cdrecord utility (part of the cdrtools collection) is typically used for this purpose. An example command line for this tool is:
This will burn the ISO to the first identified optical drive at the highest rate of speed and will default to building a data CD.
1.3.3. Bootable USB drives
In general, building a bootable USB drive is similar to creating a bootable CD or DVD. In both cases, the appropriate files and data structures must be copied to the media being used. Also, the disk must be made bootable. When burning an ISO image to an optical disk, this has frequently already been done and the boot record will be created when the image is written. This process is not automatic for USB drives and needs to be manually performed.
A number of methods exist for doing this, ranging from creating a boot sector on the USB drive from Windows to creating a multi-boot menu-driven system by using a variety of utilities. For our purposes, we'll go through two examples, one for Windows and one for Linux.
1.3.3.1. Creating a bootable USB drive using Windows 7 or Vista
This method will work to create a bootable Windows-based USB drive. As part of this, the USB drive will be formatted using NTFS. The steps described below are a step-by-step process on how to accomplish this task. Perform the following actions on an existing Windows 7- or Vista-based machine.
WarningIssuing the wrong commands when creating bootable USB drives can format your hard disk, so be careful.
1. Open a Command Prompt using Administrative privileges.
2. Run the command
diskpart.
3. Enter the command
list disk to determine which disk is your USB drive.
4. Use the command
select disk X where X is replaced with the number of the disk used by your USB drive.
5. Enter the command
clean to wipe the drive.
6. Enter the command
create partition primary to create a new primary partition on the USB drive.
7. Enter the command
select partition 1 to select the newly created partition.
8. Enter the command
active to mark the new partition as active.
9. Enter the command
format fs=ntfs to format the drive.
10. Enter the commands
assign and
exit to complete the formatting process.
11. Insert your Windows 7 DVD, change to the DVD drive in your command window, then change into the “boot” directory.
12. Run the command
bootsect.exe /nt60 X: where X: is the drive letter assigned to your USB drive.
1.3.3.2. Creating a bootable USB drive using Linux
A number of utilities exist for performing this task under Linux and we'll talk about one of them (UNetbootin) in the
Open source tools section of this chapter. However, to perform a similar process manually using Linux, you can go through the following steps:
WarningAgain, issuing the wrong commands when creating bootable USB drives can format your hard disk, so be careful.
1. Run the command
fdisk /dev/sda (assuming that your USB drive has been assigned to device sda).
2. Enter
d to delete a partition.
3. Enter
1 to select partition #1.
4. Enter
n and then
p to create a new primary partition.
5. Enter
1 to select partition #1 and press enter to accept the default starting cylinder.
6. Enter the size that you'd like for your partition, for example,
+4G for a 4
GB partition.
7. Enter
t to change the partition type.
8. Enter
1 to select partition #1.
9. Enter
b to select fat32 for the partition type.
10. Set the first partition as active by entering
a followed by
1.
11. Enter
w to write the changes.
12. Run the command
mkfs.vfat /dev/sda1 to format the new partition.
13. Run the command
grub-install /dev/sda to install the GRUB boot loader onto the USB drive.
NoteThese instructions are for example purposes only. Your success with these may be limited depending on the packages that you have installed and the disk layout of your individual machines.
1.3.4. Creating a persistent LiveCD
The major disadvantage of using a LiveCD is that you lose any changes that you make when the system is shut down. Of course, this is also one of its advantages in that your core boot image is always safe and unmodified. But what if you could accomplish both purposes? This is where the concept of a persistent LiveCD comes into play.
A persistent LiveCD is a standard LiveCD built using Linux with some extra features. Basically, while the core operating system is read-only, you can make changes and save them to a separate location. This is especially useful when using a LiveCD stored on a bootable USB drive as the media can easily be written to without modifying the hard disk of the system that is being booted with the LiveCD. This is currently possible using Ubuntu.
If you followed the instructions shown in the
Creating a bootable USB drive using Linux section, you're already partway there to being able to do this. There are just a few additional steps necessary to create the appropriate partition for persistence. After going through the steps to create the primary partition, you will need to follow these additional steps to create a second partition and format it correctly.
TipUsing the ext3 file system works well for this, but if you're constrained for space on your USB drive, consider using ext2 instead.
1. Run the command
fdisk /dev/sda (assuming that your USB drive has been assigned to device sda).
2. Enter
n and then
p to create a new primary partition.
3. Enter
2 to select partition #2 and press enter to accept the default starting cylinder.
4. Enter the size that you'd like for your partition, for example,
+4G for a 4
GB partition.
5. Enter
t to change the partition type.
6. Enter
2 to select partition #2.
7. Enter
83 to select Linux for the partition type.
8. Enter
w to write the changes.
9. Run the command
mkfs.ext3 -b 4096 -L casper-rw /dev/sda2 to format the new partition and label it as “casper-rw”.
Again, this method is specific to Ubuntu currently, but may be supported by other distributions as well. To use this, you will need to tell the kernel to boot into persistent mode. This can be done by adding “persistent” to the kernel arguments list either manually on boot or within your boot loader. In the event that you want to remove all of your changes and go back to the base LiveCD, simply wipe the “casper-rw” partition and you're back to the base install.
1.5. Case study: the tools in action
For this case study, we're going to focus on how to build out a penetration testing toolkit. This toolkit will be comprised of BackTrack R2 setup on a USB drive and configured for persistent changes. The process for this was created, refined, and tested by Kevin Riggins, who maintains a great security blog located at
http://www.infosecramblings.com/[1]. To perform this installation, the following tools and supplies are required:
• A USB drive with a minimum capacity of 8
GB
• A BackTrack LiveCD, another Linux-based LiveCD, or a blank USB drive or DVD
• UNetbootin (described in the
Open source tools section of this chapter) if you don't have an existing Linux-based LiveCD
Now that we have the goods in hand, we can get to cooking. This case study is based on booting BackTrack 4 first. This means that you need some form of bootable BackTrack 4 media. This can be a virtual machine, DVD, or USB drive. Use your favorite method of creating a DVD or USB drive or you can use UNetbootin to create the thumb drive.
Fig. 1.14 is a screenshot of using UNetbootin to install BackTrack 4 on a USB drive.
The setup is as simple as selecting the image we want to write to the USB drive and the drive to write it to, and then clicking the “OK” button. Make sure you pick the correct destination drive as this tool can potentially overwrite your boot sector and other data.
The next step is to boot up BackTrack 4 from our newly created media. With the release of BackTrack 4 Final, a 4
GB drive is required (8
GB recommended) if we are going to enable persistence. We will also need to figure out which drive is our target drive. The following command will show the drives available and you can determine from that which is the new USB drive:
We need to partition and format the drive as follows:
• The first partition needs to be a primary partition of at least 2.5
GB and set to type vfat. Also remember to make this partition active when you are creating it. Otherwise you might have some boot problems.
• The second partition can be the rest of the thumb drive.
Below are the steps to take to get the drive partitioned and formatted. A “#” indicates a comment and is not part of the command and user typed commands are bolded. One important note to keep in mind is that we will need to delete any existing partitions on the drive.
fdisk /dev/sdb # use the appropriate drive letter for your system
# delete existing partitions. There may be more than one.
Command (m for help):
d
Partition number (1-4):
1
# create the first partition
Command (m for help):
n
Command action
e
extended
p
primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-522, default 1):
<enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-522, default 522): +
2500M
#create the second partition
Command (m for help):
n
Command action
e
extended
p
primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (193-522, default 193):
<enter>
Using default value 193
Last cylinder, +cylinders or +size{K,M,G} (193-522, default 522):
<enter>
Using default value 522
# Setting the partition type for the first partition to vfat/fat32
Command (m for help):
t
Partition number (1-4):
1
Hex code (type L to list codes):
b
Changed system type of partition 1 to b (W95 FAT32)
# Setting the partition type for the second partition to Linux
Command (m for help):
t
Partition number (1-4):
2
Hex code (type L to list codes):
83
# Setting the first partition active
Command (m for help):
a
Partition number (1-4):
1
Command (m for help):
w
# now it is time to format the partitions
mkfs.vfat /dev/sdb1
mkfs.ext3 -b 4096 -L casper-rw /dev/sdb2 Two things to notice above in the format commands: 1) we are using ext3 instead of ext2 and 2) you must include the
-L casper-rw portion of the command. Being able to use ext3 is great because of journaling when there is enough space available. The
-L casper-rw option helps us get around the problem we had in the past where we had to enter the partition name in order to get persistence working. As you will see, that is no longer necessary.
The next steps are basically:
• Mount the first partition.
• Copy the BackTrack files to it.
Following are the commands to execute. Again, “#” denotes comments and user typed commands are bolded.
# mount the first partition, sda1 in my case.
mkdir /mnt/sdb1
mount /dev/sdb1 /mnt/sdb1
# copy the files (you will need to find where the ISO is mounted on your system)
cd /mnt/sdb1
rsync -r /media/cdrom0/∗ .
# install grub
grub-install --no-floppy --root-directory=/mnt/sdb1 /dev/sdb
That's it! We now have a bootable BackTrack 4 USB thumb drive. Now on to setting up persistent changes.
This is done much differently and more easily than it was in Backtrack 4 Beta or Backtrack 3. First of all, for basic persistence, we don't have to do anything at all. There is already a menu option that takes care of it for us. Unfortunately, it is only for console mode so we need to make a couple changes:
• Change the default boot selection to persistent.
• Set the resolution for our gui.
To do so, do the following:
cd /mnt/sdb1/boot/grub
vi menu.lst
# change the default line below to 'default 4' and append 'vga=0x317' (that's a zero) to the kernel line to set the resolution to 1024x768
# By default, boot the first entry.
default 4
.
.
title
Start Persistent Live CD
kernel
/boot/vmlinuz BOOT=casper boot=casper persistent rw quiet vga=0×317
initrd
/boot/initrd.gz
# save and exit
:wq
Reboot and either select “Start Persistent LiveCD” or just wait since we set it to auto-boot to persistent mode. To test it, create a file and reboot again. If your file is still there, everything is golden.