(For more resources on Open Source, see here.)
Getting files to and from victim machines
Getting root on a remote machine can be interesting and is definitely a major step in the right direction (and depending on your scope and the purpose of the test, could be the only step necessary). If your task is not complete, then you will need to find methods of transferring data to and from your victim machines. There are several tools that will assist in this task; here are a few that may make your life easier in the long run.
Installing and starting a TFTP server on BackTrack 5
TFTP can be very handy at times. Many systems will already have a TFTP client installed and using this protocol is quick and easy.
# apt-get install atftpd
Be sure that your BackTrack machine is Internet enabled during the installation. To familiarize yourself with the atftpd server type atftpd at the command prompt without any additional input.
Starting TFTP as a standalone daemon pointing to /tmp on the standard port and bound to IP address 192.168.75.12 can be accomplished by typing:
# atftpd --daemon --port 69 --bind-address 192.168.75.12 /tmp
You can check to see if the daemon started correctly by invoking netstat and grepping for 69.
# netstat -anu |grep 69
If everything started correctly you should see something similar to:
udp 0 0 192.168.75.12:69 0.0.0.0:*
Installing and confguring pure-ftpd
If your version of Backtrack does not have pure-ftpd installed it may be added by using the apt-get install pure-ftpd command. For full functionality of pure-ftpd you will need to add users and perform other minor confguration changes prior to use.
# echo /etc/pure-ftpd/pureftpd.pdb > PureDB
Adds /etc/pure-ftpd/pureftpd.pdb to the PureDB confguration fle:
# ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
Creates a symbolic link to the 50pure fle:
# groupadd -g 7777 ftpz
Adds a group to the BackTrack guest machine:
# useradd -u 7777 -s /bin/false -d /dev/null -c "pureFTP" -g ftpz Testerz
Create folders that will be used:
# mkdir /var/ftp /var/ftp/public /var/ftp/public/ftplogin
Modify the ownership:
# chown -R Testerz:ftpz /var/ftp/public/ftplogin
Adds the account to the system:
# pure-pw useradd ftplogin -u Testerz -d /var/ftp/public/ftplogin Password: password Enter it again: password
Sets up a virtual account that can be used with FTP connections:
# pure-pw mkdb
Reloads the database:
# pure-pw show ftplogin
Performs a quick lookup in the Pure-FTP database to let us know the user statistics.
Login : ftplogin Password : $1$/NF5jAg0$I0oRJKViA5NYs455Afelr1 UID : 7777 (Testerz) GID : 7777 (ftpz) Directory : /var/ftp/public/./ Full name : Download bandwidth : 0 Kb (unlimited) Upload bandwidth : 0 Kb (unlimited) Max files : 0 (unlimited) Max size : 0 Mb (unlimited) Allowed local IPs : Denied local IPs : Allowed client IPs : Denied client IPs : Time restrictions : 0000-0000 (unlimited) Max sim sessions : 0 (unlimited)
The following command will start pure-ftpd:
You will be presented with the following output:
Starting ftp server: Running: /usr/sbin/pure-ftpd -l pam -8 UTF-8 -E -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -B
This server can be tested by connecting to localhost:
# ftp 127.0.0.1
The output should be similar to the following:
Connected to 192.168.75.12. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 17:02. Server port: 21. 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. Name (192.168.75.12:root): ftplogin 331 User ftplogin OK. Password required Password: 230-User ftplogin has group access to: 7777 230 OK. Current directory is / Remote system type is UNIX. Using binary mode to transfer fles. ftp>
Production versus a controlled test lab environment: Consider setting up a dedicated user account and appropriate security measures on your production BackTrack instance. Make certain to provide FTP accounts with the necessary permissions to write files otherwise; expect to receive errors when making these attempts from victim machines.