Review: BackTrack 5 Wireless Penetration Testing

Vivek Ramachandran. Published by Packt Publishing (ISBN: 978-1-849515-58-0). Price: $49.99, 208pgs, paperback.

It says something for the ubiquitous nature of wifi that this subject warrants a book to itself. Wireless networks are everywhere - some would argue they’re in too many places. And as we discuss in the article on pg.14 of this issue, the technologies that are supposed to secure wireless networks are proving not to be up to the task. Of course, that very insecurity is what makes this book possible.

It also says something about the popularity of BackTrack that it’s Ramachandran’s platform of choice for this subject. This makes a lot of sense: BackTrack effectively provides a standardised reference platform with all the necessary tools either built in or easily available. This saves a lot of time and effort for the author who doesn’t need to go through endless pages of installation procedures.

For wireless pen-testing, you do need one other piece of equipment, and that’s a wifi adapter. Many laptops come with built-in devices, of course, but these are often Broadcom cards that can have issues with things like promiscuous mode. This book is based on an Alfa USB adapter which is cheap, easy to obtain worldwide and highly amenable to the tasks asked of it here. And Ramachandran guides you through setting up a lab network for testing the methods detailed here.

Once it’s got you set up, the book wastes no time in delving into a hands-on session with wireless networking. By page 29 you’re already sniffing packets. And that pretty much sets the tone for the rest of the book. The pace is fast and the emphasis is on actually doing it. You’re soon cracking WEP and WPA passwords, becoming an evil twin with MAC spoofing, setting up rogue access points and conducting man-in-the-middle attacks. The book doesn’t just go for the easy scores, either: there’s a chapter on attacking WPA-Enterprise and RADIUS-based systems. All the way through there are lots of screengrabs, so you can see what should be happening on your screen.

This is an excellent tutorial in the current state of the art when it comes to hacking - or testing - wireless networks.

Available from Amazon.co.uk and Amazon.com.

Review: Practical Lock Picking

Deviant Ollam. Published by Syngress (ISBN: 978-1-59749-611-7). Price: $34.95, 230pgs, paperback.

Picking locks and hacking have gone hand-in-hand right from the earliest days. Back in those heady years at MIT, when the term ‘hacking’ carried only positive connotations, lock picking was seen as part and parcel of the inquisitive nature that drove hackers.

Today, lock picking presentations and demonstrations are a common feature of hacker conferences, such as Defcon and ShmooCon. Indeed, one of the more popular presenters at such events is the author of this book, Deviant Ollam.

There are numerous lock picking books around. What’s interesting about this one is that it’s from a publisher - Syngress - that specialises in computer books. The clue to the reason for this is in the subtitle: “A physical penetration tester’s training guide”. Ollam’s assertion is that this book is needed because penetration testing is on the rise (true) and that customers for these services are increasingly demanding full-on tests that include testing of the physical security of their premises.

Hmm. I’m a bit less convinced of that. What I hear from pen-testers is that firms say they want a full test but really only want a vulnerability scan so they can tick their compliance boxes.

But let’s not quibble, because the truth is that it’s a damn good excuse for publishing a fine book on a subject dear to the heart of real hackers.

Why you want to pick locks is up to you. Hackers do it because they don’t like barriers. Ollam’s assumption is that you have no evil intent, and so he (thankfully) wastes little time on ethics lectures, other than explaining the lock picker’s credo that you should desist from picking locks you do not own, or on which you rely.

The bulk of the book focuses on pin tumbler locks, for the very good reason that these represent about 90% of the locks you’re likely to want to pick. Wafer locks are dealt with too, although when it comes to technique Ollam is understandably at a loss here. The most common way of dealing with these is the technique of raking, which is easy to do and hard to describe.

Tubular, cruciform and dimple locks are all covered fairly briefly, but this is fair enough: the principles of how these locks are picked are the same as for standard pin tumbler versions. There’s no coverage of lever locks, however. I wonder if this displays a slight US bias - something Ollam is generally at great pains to avoid through most of the book. There’s also only the most fundamental nod to automotive locks. Ollam mentions that jiggler keys are a popular tool for picking the double-sided wafer locks used for car ignitions. I don’t know if that’s another bit of US bias, but certainly most recent European cars come with more complex locks.

The real strength of this publication is in its illustrations. The numerous diagrams and photographs make both the principles and techniques crystal clear. In fact, Ollam is so good at explaining the subject that you’ll keep wanting to put the book down - to go and pick a lock. I was only about half-way through chapter one by the time I’d raked open our office filing cabinets.

The book also comes with a DVD with animated versions of the illustrations and a number of entertaining videos, some of them featuring Ollam at conferences.

Because this book is focused on lock picking (and not locksmithing), and because it is intended to be a practical guide for pen-testers, there’s no waste or padding here. Ollam provides just the background information you need to understand how locks work, what you need to do, why it’s sometimes easy (because lock manufacturers need to make their products mass-producible and attractively priced) and why it’s sometimes difficult (because they have invented some cunning countermeasures).

So, buy some tools off the Internet (it’s scarily easy) and by the time you’ve finished this book you will be popping open locks all over the place. Of course, this is just a beginning. There are tougher and more complex locks out there and a great deal more to learn, both about lock technology and ways to defeat it. This is very much a beginner’s book. But as such, it’s hard to beat.

Practical Lock Picking is available from Amazon.co.uk and Amazon.com.

UPDATE (06/10/2011): Deviant Ollam tells me that he didn’t cover lever locks because they’re something of an advanced topic, which makes sense. Maybe they could be the subject of his next book!

Review: Metasploit: the penetration tester’s guide

By David Kennedy, Jim O’Gorman, Devon Kearns and Mati Aharoni. Published by No Starch Press (ISBN: 978-1-59327-288-3). Price: $49.95, 300pgs, paperback.

Metasploit has been such a key weapon in the penetration tester’s armoury for so long that a book like this is long overdue. Yes, there are other titles that provide a general guidance to the software, but this one is very focused on the needs and methods of pen-testers.

The Metasploit Framework (MSF) is a complex set of tools, so 300 pages isn’t going to be enough to provide an in-depth manual for the software. But it is enough to get you up to speed on the fundamentals of how it works, how all the pieces fit together and how you would typically use the software in a pen-testing environment. So that’s exactly what the authors do.

Those authors have highly appropriate pedigrees for this job. David Kennedy is CISO at Diebold and a key member of the team at Offensive-Security that produces BackTrack, the Linux distribution for pen-testers and security professionals. Jim O’Gorman is a pen-tester with CSC’s StrikeForce, co-founder of Social-Engineer.org and an Offensive Security instructor. Devon Kearns is also an Offensive-Security instructor and one of the developers of BackTrack. And Mati Aharoni created BackTrack and founded Offensive-Security.

The book doesn’t just cover Metasploit. It touches on other tools that are typically deployed in conjunction with MSF in pen-testing situations, many of them accessible from within MSF itself. For example, Nmap is the go-to tool during target enumeration, and this book shows not only how to run it from the MSF command line but also how to record its output in a database. Similarly, it briefly covers tools such as Nessus and NeXpose, and gives over whole chapters to the Social-Engineer Toolkit and the Python-based Fast-Track tool, which uses MSF for payload delivery and client-side attacks.

It’s worth noting that MSF can be used on a number of platforms and with a variety of database backends. On BackTrack, for example, you may find that it’s installed using MySQL as the database engine. This book, however, largely assumes that you’re running the software on Linux and are using PostgreSQL for your database. It also assumes that you will have enough technical knowledge to adapt the examples given for your own environment, should it differ from this - not unreasonable given the intended readership.

An introductory chapter on the basics of penetration testing is mercifully brief and mostly points readers to the Penetration Testing Execution Standard (PTES). From there, it’s straight into hands-on coverage of actually using Metasploit. The authors have made a wise decision to focus on the free, command-line version of MSF. Rapid7, which now owns the rights to Metasploit, also markets the paid-for Express and Pro versions, which offer additional capabilities, ease of use and integration with other tools. However, the book is aimed at those just getting to know MSF and who are unlikely to be at the stage where it is a professional tool of such value that they can justify expensive software licences.

After a run-through of the basics of how to issue commands, select exploits, load payloads and so on, the book quickly gets into how it is used in pen-testing environments. This starts with target enumeration and vulnerability scanning before moving on to executing exploits - the job for which Metasploit is best known. Meterpreter, which is capable of providing a shell on the target system running in memory, gets a chapter to itself, which is appropriate considering how important it is to stealthy intrusion. And talking of stealth, the next, short chapter covers the important topic of avoiding detection.

It’s obvious from the way the book is constructed that this is a practical publication. It’s not a manual for Metasploit, nor a comprehensive reference work for what is, after all, a highly complex suite of utilities. This is a guide for people who really want to use the software in real-world scenarios. And so following chapters include: exploitation using client-side attacks; Metasploit’s auxiliary modules (including how to write them); the Karmetasploit wireless tools; how to build your own modules and create your own exploits; and Meterpreter scripting.

Thanks to numerous screenshots and command examples, the authors make it very easy to understand how all this works, so it’s impossible to get very far into the book without wanting to fire up Metasploit and try the techniques for yourself. As Metasploit is all about exploiting vulnerabilities, practising these techniques against other people’s systems would be unethical and, in many cases, illegal. And trying them out on your own production systems would be unwise: make a mistake and you could bring them crashing down.

The answer is to read Appendix A before you really get started on the main contents of the book. This guides you through the process of setting up a target system running virtualised versions of Windows (preferably an unpatched version of Windows XP Service Pack 2) and Linux. This provides a safe environment in which to learn the intricacies of Metasploit.

This isn’t the only resource that will help you do that. One of the issues that book publishers have to face these days is competition from the web. Indeed, much of the information in this book - and much, much more - is freely available on the Metasploit Unleashed website, some of it supplied by the same authors. The website is also more easily updated - something highlighted by the fact that this book is based around MSF3 and version 4 of the framework was released very shortly after its publication.

However, this book provides all the key information you need to get going with Metasploit in one easily read and referenced package. In practical terms, the differences between MSF3 and MSF4 are sufficiently minor that, at least for the beginner, you’re unlikely to hit any major problems.

The conciseness of the book, its step-by-step tutorial approach and its simple, clear writing mean that it’s easier to get to grips with MSF than trying to wade through the massive amount of information available at Metasploit Unleashed. Once you understand the basics, and are comfortable with Metasploit’s environment, commands and concepts, you can then move on to the website, or perhaps Offensive-Security’s highly regarded training courses.

This post is based on a review in the September issue of Network Security.

Metasploit: the penetration tester’s guide is available from Amazon.com and Amazon.co.uk.