BackTrack 5 “Revolution” Released
The most popular security and penetration testing Linux distribution has been updated once again, this time built from scratch! BackTrack 5, codenamed “Revolution”, is based on Ubuntu Lucid LTS with kernel 2.6.38, and brings with it full 32 and 64-bit support, an ARM-compatible image, forensics and stealth modes, KDE (4.6) and Gnome (2.6) desktop environments, and (allegedly) over 350 updated security tools including Metasploit 3.7.0. Best of all it’s “aligned with industry methodologies”! Whatever that means ;)
It appears BackTrack 5 will only be available torrents for the time being. The torrents are available in the following flavours: Gnome ISO (32bit, 64bit, ARM img), Gnome 32-bit VMware Image, KDE ISO (32bit, 64bit). Here’s the BackTrack downloads page. Those of you wondering which flavour to get between Gnome and KDE, it’s largely dependent on one’s taste, but the BackTrack guys appear to be favouring Gnome (which was the default Ubuntu graphics environment). If you have no idea what to get, then grab the Gnome 32-bit ISO (or VMware image) using the links above. I recommend Transmission (Mac) or uTorrent (Mac/PC) for BitTorrent clients. For anyone who hasn’t used BT before, the default username and password is root/toor.
BackTrack is a great tool for network security specialists and penetration testers, but it’s an even more valuable resource for people looking at learning more about application and network security (and Linux). Although I do have an Ubuntu install, I tend to use BackTrack more often due to the convenience (when I’m not using OSX that is ;).
It’s not possible to upgrade from BT4r2 to BT5, so those of you with installations of BackTrack 4 will need to reinstall (or download the new VM).
Check out their shiny promotional video below!
[Updated] BackTrack 5 R2 is now available, and brings a new kernel and 42 new tools. You can update your existing BT5 (R1) installation by running:
echo “deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing” >> /etc/apt/sources.list
apt-get update
apt-get dist-upgrade
BackTrack 5 “Revolution” in Development (Screenshots)
Click to enlarge
BackTrack 5 – codenamed “Revolution” – is currently under development, and the team is working on updating both system and tools. At the moment it’s running a 2.6.38-rc5 kernel, improved wireless drivers, and a new KDE 4 theme is being put together.
An initial release won’t be available for at least a couple months. If you have any requests or recommendations, now’s the time to make them on the BackTrack forums.
Here are a few teaser screenshots of BT5.
[Updated 10/5/2011] BackTrack 5 is out!
Single Packet Authorization with simpleSPA
I was just made aware of simpleSPA, a recently-released Java implementation of Single Packet Authorization by Chris Chrysler. The package provides a Linux-only server-side daemon, and a Linux and Windows client. Although I haven’t testing it yet, I assume the client will also work on Mac OS X. This implementation requires a Linux server as it relies on iptables being the firewall. simpleSPA uses two RSA keys in order to encrypt the authentication information. The first key encrypts the username of the user requesting access, while the second key is used to encrypt a pre-shared key and a timestamp (for freshness). The resulting authorization packet is then sent via UDP to the server. Although a timestamp is used, there doesn’t appear to be an explicit check for previously-received packets (ie. using a hash), so there may be some for time-limited replay attacks. Because RSA and public-keys are used, it’s a shame to see that it doesn’t use digital signatures to protect the payload.
simpleSPA does not allow for dynamic configuration of the firewall. As such, upon receiving a valid authorization packet (using Jpcap to sniff the wire), the server looks at a pre-defined config file that defines the firewall port(s) to be opened for the requesting user. Furthermore the port is opened for the IP that made the request, thus not allowing the client to embed an IP within the request and open a port out-of-band. The author states that this implementation is primarily an academic proof-of-concept at this point, and so is nowhere near as complete as other implementations such as fwknop (Perl/C) and Aldaba (C). It is nice, however, to see continued research and development into SPA as well as a Java implementation!
OpenBSD IPSec Possibly Probably Not Backdoored by FBI
In a post to the OpenBSD mailing list, developer Theo de Raadt reveals an email from an ex-contributor (Gregory Perry) alleging that money was accepted from the FBI around 2000-2001, in return for implementing a backdoor into the IPSec stack. Such a backdoor would give the FBI the ability to eavesdrop on any IPSec connection made using OpenBSD, or any other projects that have since made use of its IPSec code.
Clearly this would be a big deal if true, and although we know that open source projects are regularly backdoored by rogue developers or ‘hackers’ (such as the recent ProFTPd backdoor), it is not often that we hear of governments inserting some themselves. Should we be surprised? After all it is known that the NSA was involved with the development of DES by altering the algorithm’s S-Boxes and suggesting a shorter key length. There are also rumors of a covert backdoor in several versions of the Windows OS. That said, many people are smelling a troll in this case.
Following this information (can we call it a leak rumor?), OpenBSD’s IPSec code will undoubtedly come under quite a bit of scrutiny, and I’m sure we will hear a lot more about it should anything untoward be uncovered.
Read the full mailing list post here, archived below for posterity.
[Update] Scott Lowe denies being affiliated with the FBI, and Jason Wright denies having inserted a backdoor. This is sounding more and more like a trolling. To what end, I couldn’t speculate. It’s also worth noting that this kind of activity would probably not fall under a normal NDA, but under a government-level Top Secret classification which lasts at least 25 years…
An interesting observation about OpenBSD IPSec and Stuxnet. Read more
ProFTPD 1.3.3c Briefly Backdoored by Hackers
Servers of the widely popular FTP server, ProFTPD, were compromised (probably with 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were for ProFTPD version 1.3.3c., between the 28/11/2010 and 02/12/2010.
The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.
If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:
8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
Hit the jump for details on how the backdoor is triggered. A Metasploit module is available to automate the exploit. Read more
Armitage: Metasploit Attack Management GUI
Armitage, by Raphael Mudge, is a great little user interface for Metasploit which allows you to easily discover targets, deliver exploits, and manage your attacks to do things like pivots without any hassles.
Getting started with Armitage in Backtrack 4 R2 is easy. First, start the MySQL DB with /etc/init.d/mysql start (root/toor), and then start the Metasploit RPC daemon:
cd /pentest/exploits/framework3
./msfrpcd -f -U msf -P test -t Basic
Once msfrpcd is running, simply launch Armitage using the script provided and click Connect (you may need to check the Use SSL checkbox).
Armitage is written in Java, and works in Linux, Windows and Mac OS X. Download it here.
[Update] Armitage has been added to the Backtrack repos. Here’s a short tutorial, and check out the video tutorial below.
[Updated 21/01/2011] Hak5 episode 882 features a tutorial with mubix and Mudge (Hak5).
Pauldotcom Episode 221 – Talking Single Packet Authorization
Episode 221 of Pauldotcom Security Weekly is available for download. In it I give a tech segment about Single Packet Authorization, briefly describe how to configure your firewall and use fwknop to dynamically open ports.
The podcast is available on iTunes, and by direct download. Check out the show notes for full details. Thanks for having me on the show guys!
Here is a short video I made showing fwknop in action:
BackTrack 4 r2 “Nemesis” Released
[Update 10/5/2011] BT4r2 is now superceded by the new and improved BackTrack 5!
BackTrack 4 r2 (codename “Nemesis”) has been released and brings a number of updates aimed at improving “desktop responsiveness, better hardware support, broader wireless card support, streamlined work environment”.
Updates include an updated kernel (2.6.35.8) with improved wireless support, USB 3.0, faster responsiveness, pruned and new packages, and a new BackTrack wiki for more documentation and support.
Users with existing BT4 installs/VMs can simply perform an update using:
apt-get update && apt-get dist-upgrade
BackTrack 4 r2 is available as a 2GB ISO, or 2.4GB VMWare image, on the downloads page (the BT4 download links appear to have been removed in favour of BT5).
Loading ...
