Review: Penetration Testing with BackTrack by Offensive Security Part 2

September 14, 2009

Ryan Linn is back with Part 2 of his review of PWB. It's shaping up to be a four-part series of weekly insights as he progresses through the course, with a final compilation review to follow. This is a new format for us at EH-Net, so please let us know in the forums what you think as we experiment.

As a reminder, PWB is described by Offensive Security as, "‘Pentesting with BackTrack’ (previously known as Offensive Security 101) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet."


Information Gathering

Starting fresh, I pop back into the course and start watching the first section of the class, which was an introduction to BackTrack. Each section of the course has class material and then corresponding lab portions that cover the material in the class. Much of the lab focuses on actually doing what was just presented in the class, in additional depth and step by step. For almost every exercise, you get to see it done, hear it being talked about, and finally do it yourself.

The first section of the course focused on setting up BackTrack. Most of the content was geared towards BackTrack 3, but it also worked on BackTrack 4. We secured the system a little, set up the services we'd use, and even learned how to create new packages to be distributed with BackTrack 3. BackTrack 4 is different enough distribution-wise that I think building packages for it will not match up with the class, but understanding how to build packages in general is still a good thing.

After the brief intro, we hopped right into doing some Information Reconnaissance (recon). The exercises for this module had a dual purpose. The first was to do some basic information gathering, but all of the information gathering was done through Bash scripting. I thought the examples were good and easy to follow, and the documentation in the lab guide was great. I am already pretty comfortable in Bash, but if I'd never done much with cut and pipes, this would be a great introduction.

Next, the course went through many of the core networking tools and how to use them for recon. Tools like dig, ping, host, and NetCat were demonstrated through a number of exercises. NetCat got a good workout in the module, and its core functionality was hammered in through exercises. The module finished up with some Wireshark. The Wireshark material initially seemed a little out of place, but an introduction was necessary in order to understand a lot of the material that came after this section, so it was probably the best place to put it. Some good examples were given, and there was even some material I hadn't thought about that I was glad to see.

The exercises in the lab walked students thoroughly through the recon process. I highly recommend going through all the lab sections, and after a theme has concluded there are bonus exercises to further your skill development. Each section leads logically through a process; it isn't just blind "type this, then type this." By the end of a module, you should have some actual skill. That's where the virtual lab comes into play. Being able to VPN into the remote lab and try out these skills is awesome. There isn't as much worry about what happens when something goes wrong, and you have the opportunity to mess around with the scripts and techniques to see what happens.

Module 2 contained deeper, non-invasive information gathering skills such as utilizing Google and other web resources. Information was given ranging from how to find email addresses to how to find exploits. Module 2 was pretty short, but contained good information. A lot of this information has been covered in other places, so it wasn't anything that I felt was ground-breaking; however, if you aren't familiar with this material, it does a good job explaining the impact and the techniques for finding vulnerabilities and other pertinent information needed for a successful pen test.

Module 3 had some amazing stuff that I hadn't seen before. It wasn't that the techniques were new; techniques such as SMB/SNMP enumeration have been fairly well documented. However, a lot of tools were used to get the information thoroughly and efficiently, and some of them I hadn't encountered before. After doing some of the labs, I can say that some of the data I was able to get through these tools was great. Much of it would have required a lot of sifting to turn it into usable data if I didn't have them.

The first significant portion of time in Module 3 was spent on DNS gathering, a very valuable skill. Multiple methods were used to gather the data, and I thought the exercises really reinforced the concepts. There were extra challenges to try to better understand how to gather the same data using lower-level tools in a more scripted fashion, which would definitely help folks who weren't as comfortable with the structure of DNS at a low level.

Overall I really enjoyed Module 3, and I can see this section helping out a lot during real-world encounters. Looking at the information gathering sections overall (Modules 1 - 3), I think that everyone from folks with some sys-admin experience all the way through to security pros will get some good tidbits. If you are already proficient, go back and look at some of the additional challenges in the sections, and you will get to reinforce what you already know. Python is one of my weaker languages, so I am also using these previous sections to improve my Python skills.

My final thoughts so far: this seems to be a course that will offer you more the more you put into it. There are tons of little nuances that have been demonstrated. I have actually hit a few moments where I have said to myself, "Hey, that's MUCH easier," or found things where I could improve my skills and processes. BackTrack is obviously a focus of the course, and there are tons of tools to go through. I have missed some of these tools in the past, and as they are exposed, they will all be added to my toolbox. So far, the class is giving me some valuable tips, I'm having a great time, and I can't wait for more.


Ryan Linn, CISSP, MCSE, GPEN - Ryan is currently an Information Security Engineer at SAS Institute. Employed in the computer industry since 1997, he has held positions ranging from web developer to Unix Systems Programmer at a large university to his current position in Information Security. Ryan has been responsible for working with large-scale deployments of various flavors of *nix and high-availability web and database clusters, as well as for application programming in high-availability environments. In the past few years, Ryan has incorporated Windows security into his responsibilities, and is now part of the team responsible for information security globally in one of the largest privately held software companies in the world.
