Review: Penetration Testing with BackTrack by Offensive Security Part 3

October 19, 2009

Ryan Linn continues his insider's look at Offensive Security's online training in Part 3 of this continuing review of 'Pentesting with BackTrack.' As a reminder, PWB is described by Offensive Security as, "An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet."

Ryan will wrap things up in Part 4 of this new format of reviewing courses. EH-Net normally completes an entire course before publishing any content in a review article. So far, the Community seems to be enjoying it. Maybe this is yet another new trend that shall continue as we head full steam into 2010.


The third week of Pentesting With BackTrack (PWB) started by talking about basic buffer overflows.  The introduction to buffer overflows also works as the introduction to the exploitation sections of the class, to which I was really looking forward.  The explanation of buffer overflows was short but gave some good information on where to find more information on the topic as well as assembly programming in general.

After discussing what buffer overflows were, the course led directly into fuzzing. Using Python, the section walks you through creating a basic fuzzer for an FTP service in order to find a crash. From there you get a walkthrough of the process of creating an exploit. It all starts with verifying the crash before OllyDbg joins the party.

I was excited to jump into the next portions of the course as that is where I really wanted to focus my energy. I have written some exploits, but I had hoped to get some better process and structure out of PWB. It delivered. The next exercises in the course walked the students through getting an exploit buffer set up for an EIP overwrite, finding sufficient buffer space for an exploit and then writing out a working exploit in Python. While that thought takes up just one sentence, the concepts involved in much of it are fairly complex, and PWB does a great job of walking through every step both in the videos and in the lab manual. By the end, I had some good confirmation that the methods I have been using were sound, but also that there were some shortcuts I hadn't thought about. I was especially impressed by the flow and depth of this section, and it set up the rest of the exploit sections very well.
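To make the workflow in the last two paragraphs concrete (grow the input until the service crashes, send a cyclic pattern to locate the bytes that land in EIP, then confirm the offset with marker bytes and measure the space left for a payload), here is an added example. It is not course material or Offensive Security code; the FTP-like "service" is a constructed in-process stand-in whose buffer limit and saved-return-address position are invented so the loop runs offline, and the pattern generator follows the well-known Metasploit `pattern_create`/`pattern_offset` scheme rather than calling those tools.

```python
"""Offline illustration of the fuzz -> locate EIP -> confirm offset workflow.

Constructed example: nothing here touches a network or a real binary.
"""
import string
from itertools import product

BUFFER_LIMIT = 1024   # constructed: the stand-in "service" crashes past this length
EIP_GAP = 8           # constructed: pretend the saved return address sits 8 bytes past the buffer


class Crash(Exception):
    """Models the access violation a debugger would stop on.

    `eip_bytes` are the four input bytes that would overwrite the saved
    return address, i.e. what OllyDbg would display in the EIP register.
    """

    def __init__(self, length: int, eip_bytes: bytes):
        super().__init__(f"crash at length {length}")
        self.length = length
        self.eip_bytes = eip_bytes


def stand_in_service(payload: bytes) -> str:
    """Constructed stand-in for a USER-command handler with a fixed buffer."""
    if len(payload) <= BUFFER_LIMIT:
        return "331 OK"
    start = BUFFER_LIMIT + EIP_GAP
    raise Crash(len(payload), payload[start:start + 4])


def fuzz(service, step: int = 100, max_len: int = 5000):
    """Step 1: send ever-longer inputs until the service crashes; return that length."""
    for length in range(step, max_len + 1, step):
        try:
            service(b"A" * length)
        except Crash as crash:
            return crash.length
    return None


def pattern_create(length: int) -> bytes:
    """Cyclic pattern (Aa0Aa1...): every 4-byte window is unique within the first 20280 bytes."""
    triplets = []
    for upper, lower, digit in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        triplets.append(upper + lower + digit)
        if len(triplets) * 3 >= length:
            break
    return "".join(triplets)[:length].encode()


def pattern_offset(pattern: bytes, needle: bytes) -> int:
    """Offset of the value the debugger reported inside the pattern, or -1 if absent."""
    return pattern.find(needle)


def find_eip_offset(service, crash_len: int) -> int:
    """Step 2: send the cyclic pattern at the crash length and map EIP back to an offset."""
    pattern = pattern_create(crash_len)
    try:
        service(pattern)
    except Crash as crash:
        return pattern_offset(pattern, crash.eip_bytes)
    return -1


def confirm_eip_control(service, offset: int, length: int, marker: bytes = b"BBBB"):
    """Step 3: place marker bytes at the computed offset and check they reach EIP.

    Returns (bytes seen in EIP, bytes of space remaining after the overwrite),
    the latter being the budget a payload would have to fit into.
    """
    buffer = b"A" * offset + marker + b"C" * (length - offset - len(marker))
    try:
        service(buffer)
    except Crash as crash:
        return crash.eip_bytes, length - offset - len(marker)
    return None, 0


if __name__ == "__main__":
    crash_len = fuzz(stand_in_service)
    offset = find_eip_offset(stand_in_service, crash_len)
    eip, space = confirm_eip_control(stand_in_service, offset, crash_len)
    print(f"crash length={crash_len} eip offset={offset} eip={eip!r} space after EIP={space}")
```

The three functions are deliberately separate because that is where the course spends its time: a crash length alone tells you nothing about which bytes control execution, and an offset alone does not tell you whether there is room for anything after it.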

After understanding how buffer overflows work, other frameworks and repositories are brought into play. The exploit sections continue to explain how to find resources at SecurityFocus, from within the BackTrack Milw0rm archives and even Metasploit. One of the best parts of the third section of the PWB class is that the course covers in depth how to compile Windows exploits on BackTrack once you have found them on Milw0rm or SecurityFocus. That functionality makes BackTrack valuable as a penetration testing platform. I hadn't seen a good explanation of that before now, which this course definitely offered. In addition to the compilation, targeting, and usage of the pre-written exploits, this section went a bit into post-exploitation. This information is critical: frameworks like Metasploit can assist in some of these activities, but one really needs to understand on one's own how to deal with exploits which are not available within frameworks. This section goes into how to get around interactive applications (such as ftp) once you have a shell via an exploit, and how to deal with maintaining access.

Once all the fundamentals have been laid down, PWB goes deep into Metasploit.  This was an area that I was pretty familiar with except for the final part, so I just glanced over a lot of this section.  If you aren’t as comfortable with Metasploit, then this section will cover it well enough so that you should leave feeling confident in your understanding of the material.  PWB will lead you through using Metasploit via the command line, msfconsole, and the web, so, regardless of how you choose to use Metasploit, you leave with a better understanding.

Once the Metasploit walkthrough was finished, the course turns to what is required to take a Proof of Concept (PoC) exploit (like you might find on Milw0rm) and turn it into a working exploit within Metasploit. I thought that this exercise was extremely helpful, as I think there are plenty of times that you may find some piece of code on Milw0rm or on SecurityFocus and then want to turn it into something that can be re-used. This exercise walks through all of the steps necessary for exploit creation in sufficient depth that individuals who are unfamiliar with the process should be able to follow it easily. I really liked this section, as this was something that took me a fair amount of time to pick up before taking the course. In retrospect, I really wish that I had found something like this when first researching how to do it. This section went through the entire process of taking a PoC, turning it into a working exploit with OllyDbg and then adding all of the useful pieces into Metasploit to create a working module. Obviously this is an essential skill in real-world pen testing engagements, if you're going to offer the client more than just a report generated from a simple Nessus scan.

The last portion that I did for this week was the port redirection section, where a variety of ways were investigated to deliver payloads in environments where you may not have direct access between two points. Proxies, SSH tunneling, and other methodologies were discussed for creating tunnels between an attacker and a target. Each had great explanations, good graphical representations, and even a discussion of how IDS/IPS or other content inspection mechanisms might see this data. Timing can be a funny thing in life, as I was working on a project outside of the course that required SSL for communication. I found this particular information to be incredibly useful and immediately incorporated some of the concepts. This section covered how to use Stunnel and other types of tunnels to deal not just with hiding data but also to talk to services which require SSL when you have exploits that do not speak SSL. Each part was short but conveyed good information about the different types of tunnels. I found this section pretty handy, especially the discussion of tunneling through proxies.

I stopped here for the third week as the next set of exercises started going into post-exploitation. This was my favorite section of the class thus far. I really enjoyed the in-depth look at exploits and OllyDbg, and I had a lot of fun working through the exercises. The extra-credit portions of these chapters were especially challenging, and, when I finally got them to work, I will have to admit I was excited. There are tons of great parts about this course, but this was the stuff that I was really hoping for and glad to find.

The next week is going to cover post-exploitation, web attacks, and the final extra credit portions of the course.  Check back to find out how the course ends, and then read the final review to find out what my experience was taking the exam and more thoughts on the class once the class was finished. See you next time.


Ryan Linn, CISSP, MCSE, GPEN – Ryan is currently an Information Security Engineer at SAS Institute. Employed in the computer industry since 1997, he has held positions ranging from web developer to Unix Systems Programmer at a large university to his current position in Information Security. Ryan has been responsible for working with large scale deployments of various flavors of *nix, high availability web and database clusters, as well as for application programming in high availability environments. In the past few years, Ryan has incorporated Windows security into his responsibilities, and is now part of the team responsible for information security globally in one of the largest privately held software companies in the world.
