Book Image

Penetration Testing with BackBox

By : Stefan Umit Uygur
Book Image

Penetration Testing with BackBox

By: Stefan Umit Uygur

Overview of this book

Table of Contents (15 chapters)

The organization of tools in BackBox

The entire set of BackBox security tools are populated into a single menu called Audit and structured into different subtasks as follows:

  • Information Gathering

  • Vulnerability Assessment

  • Exploitation

  • Privilege Escalation

  • Maintaining Access

  • Documentation & Reporting

  • Social Engineering

  • Stress Testing

  • Forensic Analysis

  • VoIP Analysis

  • Wireless Analysis

  • Miscellaneous

In this book, we will be performing our practical actions by using nearly half of the tools included in BackBox Linux.

We have to run through all the tools in BackBox by giving a short description of each single tool in the Auditing menu. The following screenshot shows the Auditing menu of BackBox:

Information Gathering

Information Gathering is the first absolute step of any security engineer and/or penetration tester. It is about collecting information on target systems, which can be very useful to start the assessment. Without this step, it will be quite difficult and hard to assess any system. We will be quickly running through this menu and giving a short definition of the tools in it:

  • Arping: This is a utility that sends ARP requests to the hosts on a specific subnet.

  • Arp-scan: This is a command-line tool designed for system discovery and fingerprinting. It assembles and sends ARP requests to specified IP addresses, displaying any responses that are received.

  • Automater: This is an automated tool for intrusion analysis based on URL, IP address, or hash.

  • Knock: This is a Python script designed to enumerate subdomains on a target domain through a wordlist.

  • Nbtscan: This is an application to scan and get information about IP networks for NetBIOS name information.

  • Sslyze: This is designed to be fast and comprehensive and help organizations and testers to identify misconfigurations that are affecting their SSL Servers.

  • theHarvester: This is an information collector used to harvest e-mails, subdomains, hosts, and personal information about individuals.

  • Zenmap: This is the official Nmap Security Scanner GUI frontend.

  • Recon-ng: This is a full-featured Web Reconnaissance framework.

  • WhatWeb: This is an application that recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.

  • Creepy: This is a web application security assessment report generator.

Vulnerability Assessment

After you've gathered information by performing the first step, the next step will be to analyze that information and its evaluation. Vulnerability Assessment is the process of identifying the vulnerabilities present in the system and prioritizing them. The tools are briefly described as follows:

  • Cvechecker: This is a tool that generates a report about possible vulnerabilities in your system by comparing the result with the information in its common vulnerability environment (CVE) database.

  • RIPS: This is a static source code analyzer for vulnerabilities in PHP web applications.

  • OpenVAS: This is a framework composed of several services and tools to deliver a comprehensive, powerful vulnerability scanning management solution.

  • Nikto: This is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software, and other problems.

  • Skipfish: This is an active web application security reconnaissance tool. It prepares an interactive sitemap for a targeted site by undertaking a recursive crawl and dictionary-based probes.

  • ZAP: This is a web application vulnerability finder (Zed Attack Proxy by OWASP).


Exploitation is the process where the weakness or bug in the software is used to penetrate the system. This can be done through the usage of an exploit, which is nothing but an automated script that is designed to perform a malicious attack on target systems. The tools are briefly described as follows:

  • Sqlmap: This is an automated tool to detect other exploiting SQL flaws

  • MSF: This is a useful auditing tool that contains a lot of exploits and a development environment to modify or create them

  • Armitage: This is the graphical frontend of the Metasploit Framework

  • Fimap: This is a web application auditing tool for file inclusion bugs in web apps

  • Htexploit: This is a useful tool to exploit the .htaccess files

  • Joomscan: This is a tool that detects file inclusion, SQL injection, and command execution vulnerabilities of a targeted website that uses Joomla

  • W3af: This is a GUI-based web application attack and audit framework to find and exploit the vulnerabilities detected

  • Wpscan: This is a black box WordPress vulnerability scanner

Privilege Escalation

Privilege Escalation occurs when we have already gained access to the system but with low privileges. It can also be that we have legitimate access but not enough to make effective changes on the system, so we will need to elevate our privileges or gain access to another account with higher privileges. A quick tour of the tools and short definitions are as follows:

  • Dictstat: This is a password profiling tool.

  • Maskgen: This is an analyzer for output file produced by DictGen to generate optimal password mask collection for input to the Hashcat password cracker.

  • Policygen: This tool helps to generate passwords to be compliant for many policies.

  • Rulegen: This implements password analysis and rule generation for the Hashcat password cracker.

  • Hashcat: This is incredibly the fastest CPU-based password recovery tool.

  • Chntpw: This is a utility used for resetting or blanking local passwords in Wintel systems.

  • Crunch: This is a wordlist generator where you can specify a standard character set.

  • Fcrackzip: This is a fast password cracker partly written in assembler.

  • John: This (also known as John the Ripper) is a password cracking software tool.

  • Ophcrack: This is a Windows password cracker based on rainbow tables.

  • Pdfcrack: This is a tool for recovering passwords and content from PDF files.

  • Truecrack: This is a brute-force password cracker for TrueCrypt (Copyright) volume files.

  • Fang: This is a multiservice threaded MD5 cracker.

  • Medusa: This is a speedy, massively parallel, modular, login brute-force attacker, supporting many protocols.

  • Xhydra: This is a parallelized login cracker that can attack protocols such as TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MySQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, Cisco auth, Cisco enable, and Cisco AAA by using the Telnet module.

  • Driftnet: This is an application that listens to network traffic and picks out images from the TCP streams it observes.

  • Dsniff: This is a network traffic sniffer that analyzes and parses different application protocols by extracting the relevant information.

  • Ettercap: This is a comprehensive suite for man-in-the-middle attacks. It has a user-friendly GUI interface and supports passive and active dissection of the amount of protocols.

  • Ngrep: This (also known as network grep) is a network packet analyzer.

  • Sslsniff: This is an SSL traffic sniffer.

  • Sslstrip: This is a sniffer against secure socket layer protocol.

  • Tcpdump: This is a common packet analyzer that runs under the command line.

  • Wireshark: This is a free and open source network packet analyzer.

Maintaining Access

Maintaining Access is about setting up an environment that will allow us to access the system again without repeating the tasks that we performed to gain access initially. The tools are briefly described as follows:

  • Iodine: This is a free (ISC licensed) tunnel application to forward IPv4 traffic through DNS servers

  • Ptunnel: This is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies

  • Weevely: This is a stealth PHP web shell that simulates a telnet-like connection

Documentation & Reporting

The Documentation & Reporting menu contains the tools that will allow us to collect the information during our assessment and generate a human readable report from them. The following are the tools for this section:

  • Dradis: This is an open source information sharing framework especially designed for security assessments.

  • MagicTree: This is a penetration test productivity tool. This is designed to allow easy and straightforward data consolidation, querying, external command execution, and report generation.

Reverse Engineering

The Reverse Engineering menu contains the suite of tools aimed to reverse the system by analyzing its structure for both hardware and software. There are many interesting tools in this menu and we list them along with a short description as follows:

  • Bokken: This is a GUI for the Pyew and Radare projects, so it offers almost all the same features that Pyew has and some features of Radare as well. It's intended to be a basic disassembler, mainly to analyze malware and vulnerabilities.

  • Dissy: This is a graphical frontend to the objdump disassembler.

  • Flasm: This is a command-line assembler/disassembler of Flash ActionScript bytecode.

  • Ghex: This is a simple binary GUI hex editor.

  • Nasm: This is a network wide assembler tool.

  • Ndisasm: This is a Netwide Disassembler, an 80 x 86 binary file disassembler.

Social Engineering

Social Engineering is based on a nontechnical intrusion method, mainly on human interaction. It is the ability to manipulate the person and obtain his/her access credentials or the information that can introduce us to such parameters. A brief description of the tools is as follows:

  • Honeyd: This is a small daemon that creates virtual hosts on a network

  • Thpot: This is a tiny honeypot to set up simple and fake services

  • SET: This (also known as Social-Engineer Toolkit) is designed to perform attacks against human interaction

  • BeEF: This is a penetration testing tool that focuses on web browsers

  • Websploit: This is used to scan and analyze remote systems in order to find various types of vulnerabilities

Stress Testing

The Stress Testing menu contains a group of tools aimed to test the stress level of applications and servers. Stress testing is the action where a massive amount of requests (for example, ICMP request) are performed against the target machine to create heavy traffic to overload the system. In this case, the target server is under severe stress and can be taken advantage of. For instance, the running services such as the web server, database or application server (for example, DDoS attack) can be taken down. A brief description of the tools is as follows:

  • Siege: This is an HTTP regression testing and benchmarking utility

  • Slowhttptest: This is a highly configurable tool that simulates Application Layer DoS attacks

  • Thc-ssl-dos: This is a proof-of-concept tool that exploits vulnerabities in SSL

  • Backfuzz: This is a protocol fuzzing tool

  • Tcpjunk: This is a TCP protocols testing and hacking utility

Forensic Analysis

The Forensic Analysis menu contains a great amount of useful tools to perform a forensic analysis on any system. Forensic analysis is the act of carrying out an investigation to obtain evidence from devices. It is a structured examination that aims to rebuild the user's history in a computer device or a server system. A brief description of the tools for forensic analysis is as follows:

  • Dcfldd: This is an enhanced version of GNU dd with features useful for forensics and security

  • Ddrescue: This is a data recovery tool that copies and attempts to recover data from one file or block device (hard disc, CD-ROM, and so on) onto another

  • Guymager: This is a fast and most user-friendly forensic imager, based on libewf and libguytools

  • DFF: This (also known as Digital Forensics Framework) is a digital data collector for forensic purposes

  • Foremost: This is a console application that helps you to recover files based on their headers, footers, and internal data structures

  • Photorec: This is a file carver data recovery software tool explicitly focused on image recovery from digital cameras (CompactFlash, Memory Stick, Secure Digital, SmartMedia, Microdrive, MMC, USB flash drives, and so on), hard disks, and CD-ROMs

  • Scalpel: This is a carver tool designed to recover deleted data from the system

  • Testdisk: This is a free data recovery utility

  • Ntfs-3g: This is an open source cross-platform implementation of the Microsoft Windows NTFS filesystem with read/write support

  • Dumpzilla: This is designed for extracting and analyzing all forensically interesting information from the browsers such as Firefox, Iceweasel, and Seamonkey

  • Steghide: This is a steganography program that is able to hide data in the image and audio files

  • Vinetto: This examines the Thumbs.db files for forensic purposes

  • Xplico: This is an application that extracts the application data from an Internet traffic capture

VoIP Analysis

The voice over IP (VoIP) is a very commonly used protocol today in every part of the world. VoIP analysis is the act of monitoring and analyzing the network traffic with a specific analysis of VoIP calls. So in this section, we have a single tool dedicated to the analysis of VoIP systems. The short description of the tool is as follows:

  • Sipcrack: This is a set of utilities to perform sniffing and cracking of SIP protocols

Wireless Analysis

The Wireless Analysis menu contains a suite of tools dedicated to the security analysis of wireless protocols. Wireless analysis is the act of analyzing wireless devices to check their safety level. A brief description of the tools included in this section is as follows:

  • Aircrack-ng: This is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs

  • Mdk3: This is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses

  • Pyrit: This is an application GPGPU-driven WPA/WPA2-PSK key cracker

  • Reaver: This is an application to perform brute-force attacks against Wi-Fi Protected Setup (WPS)

  • Wifite: This is an automated wireless auditing tool

  • Wirouterkeyrec: This is a tool to recover the default WPA passphrases of supported router models

  • Kismet: This is an 802.11 layer2 wireless network identifier and passive data package collector


The Miscellaneous menu contains tools that have different functionalities and can be placed in any section that we mentioned earlier, or in none of them. They all are quite interesting tools and we will list them with a short description as follows:

  • Cryptcat: This is a lightweight version netcat extended with twofish encryption

  • Hping3: This is an Active Network Smashing Tool

  • Httpfs: This is a FUSE-based filesystem

  • Inundator: This tool fills IDS/IPS/WAF logs with false positives to obfuscate an attack

  • Ncat: This is a command-line feature-packed networking tool for reading and writing TCP/UDP data connections

  • Ndiff: This is a tool to aid in the comparison of Nmap scans

  • Netcat: This is a command-line featured networking tool for reading and writing TCP/IP data connections

  • Nping: This is a tool for network packet generation, response analysis, and response time measurement

  • Proxychanins: This is a tool that allows you to run any program through HTTP or SOCKS proxy

  • Shred: This is a tool that repeatedly overwrites a file in order to make it difficult even for a very expensive hardware probing to recover data

  • Thc-ipv6: This a complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy-to-use packet factory library

  • Wipe: This is a secure file deletion application