BackTrack

in your back pocket

or
Accessing a BackTrack server via mobile phone
in some vaguely secure way
The Objective

Set up a Backtrack system that is accessible over the internet from the
phone in my pocket. What can I say? I like to practice my metasploit
syntax while waiting in the doctor's office.

Oh, and I'd also like to do it as cheaply as possible and in some

relatively secure fashion.
The Solution
BT4 R2 under VMWare
This would allow me to move it around as well as maintain a “Known Good”
snapshot
VNC and SSH
This would allow me to access the system from any computer that had a
tunneling ssh client, specifically my phone
Secure it
a good password, changed frequently (even better to use certificate authentication for ssh)
frequent reverts to the “Known Good” snapshot
tunnel VNC through SSH
changing the default SSH port from tcp/22
port knocking in order to gain access

note: sample configuration files will be in the Speaker Notes where appropriate
First, you will need BackTrack

"BackTrack is a Linux security distribution."

"Whether you’re hacking wireless, exploiting servers, performing a web application

assessment, learning, or social-engineering a client, BackTrack is the one-stop-shop for all
of your security needs.

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in

the ability to perform assessments in a purely native environment dedicated to hacking."

This was all cribbed directly from their website: http://www.backtrack-linux.org

This is also where you can download the latest release. Make sure you download the one
for VMWare. (I know. I know. It doesn't really matter for you hardcore geeks)
Why VMWare?

VMWare allows us to not have to dedicate a whole system to

just BackTrack.

BackTrack has been kind enough to provide a VMWare virtual

appliance.

VMWare also provides us the the ability to take a "snapshot" of

the system. This means if the system ever gets breached or
you screw up configuration you can always return to your
"Known Good".
Booting up under VMWare

You can download VMWare Player for free (with registration)

from: http://downloads.vmware.com/

Extract the BackTrack files and open up the one with the ".vmx"
extension.

Login with userid: root / password: toor

No need to start XWindows, but if you really want to, type:

startx
'toor'? Really? You gonna keep that?

The default password is 'toor'. Change this immediately with:

passwd
Configure the local firewall
We want to setup the BackTrack firewall to block all but
necessary traffic. You will need to decide now which ports you
are going to use for port knocking and ssh. In this example we
will use the following:

port knocking: tcp/1111, tcp/2222, udp/3333

ssh: tcp/4444

Feed your config file to iptables-restore

iptables-restore < /etc/iptables.rules

* sample configuration file in the Speaker notes

Enable Networking
The BackTrack server is configured for DHCP, but the
interface is disabled by default. You can enable it with:

/etc/init.d/networking start

For static IP address you will need to edit:

vi /etc/network/interfaces*

You can set networking to auto-start on a reboot with:

update-rc.d networking defaults

* sample configuration file in the Speaker notes

Update BackTrack

Now that we have internet access, it's a good time to get the
OS up to date.

apt-get -y update
apt-get -y upgrade
apt-get clean
Enable and configure SSH
SSH will be your primary access to BackTrack. Luckily most of the tools you will
use in BackTrack are run from command-line anyway.
Edit the config file to change the default SSH port.
vi /etc/ssh/sshd_config*

Generate your ssh encryption keys (Do not enter passphrases)

ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

Start the ssh server and set it to auto-start on a reboot

/etc/init.d/ssh start
update-rc.d ssh defaults

Advanced configuration using certificate based

authentication is at the end of this presentation
* sample configuration file in the Speaker notes
Port Knocking
You can think of port knocking as a "secret knock" used to
remotely open and close the ssh port.

Backtrack will start with all ports closed. After you send it a
special sequence of packets, the port knock server will issue a
command to open the ssh port. After you are finished using
ssh, you send it a different sequence to close the port again.

We will use knockd as our port knock server.

http://www.zeroflux.org/projects/knock
http://www.portknocking.org/
Port Knocking install and configuration

To install knockd:
apt-get install knockd

Edit the config file to set-up the ports you want to use:
vi /etc/knockd.conf

Start knockd in daemon mode:

knockd -d -i eth0

Is this just "security through obscurity"?

* sample configuration file in the Speaker notes

Start VNC

Even though we will rarely use a gui or XWindows, why not

have it? At the very least, it looks more impressive when you
show off.

Start VNC (you will be prompted to set a password):

vncserver

We will access VNC through an SSH tunnel.

Take a picture, it'll last longer

Take a VMWare snapshot and call it "Known Good". Every now

and again you can restore this snapshot in VMWare and come
back to exactly this point in your configuration.

VM -> Snapshot -> Take Snapshot

Dynamic DNS

If you don't have a static IP address you will probably want to

setup dynamic DNS on host. This is a free service that will keep
a hostname always registered to whatever your current, ISP
assigned, IP address. You can run the client on any machine
behind your router. There are many options. Here are two:

http://www.dyndns.com/services/dns/dyndns/
http://www.no-ip.com/
Configure the your Internet router
Your internet or wireless router will need to be configured to
forward external ports for both SSH and port knocking to the
BackTrack system. This is usually available in your router
administration.
Client side

That is it for the server. You now have it configured for port
knocking, ssh, vnc and remote access over the internet.

Now it's time to configure the client. You will need two clients.
One for port knocking and one for ssh/vnc.

My examples will be for the iPhone, but most smart phones will
have these types of clients available. Links for Android clients
are listed later.
iPhone:Install and configure KnockOnD
I chose KnockOnD as my port knocking client. Mainly because
it's free, ad free and it works.

http://bluezbox.com/knockond.html
iPhone : Install and configure iSSH
iSSH is not free. As of this writing it's about 10$USD. But it has
benefits that the others do not have. Not the least of which is
that it allows for tunneling VNC.

http://www.zinger-soft.com/iSSH_features.html
Android clients
For ssh/vnc use ConnectBot
ConnectBot

For port knocking use knock-android

Knock-Android
Amaze your Friends and Family

Amaze yer friends with your incredible 500P3R L337 H4X0R skills
Troubleshooting
Flush all iptables rules
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
/sbin/iptables -F

verify SSH is working without the rules

verify knockd, ssh, vnc are running

ps ax | grep knockd
Troubleshooting
verify ports
netstat -an

verify iptables
iptables -L -n

kill processes
killall knockd
killall sshd
vncserver -kill :1
Advanced: SSH Certificate Authentication
Server setup

Change into your local .ssh config directory

cd /root/.ssh
Generate a RSA key pair (make sure to set a password)
ssh-keygen -v -t rsa
Authorize the key for 'root' access to the ssh server
cp id_rsa.pub authorized_keys
Advanced: SSH Certificate Authentication
Client setup

Copy your public key to an iPhone note.

cat /root/.ssh/id_rsa
Sync your iPhone and copy the note to your
iPhone clipboard.
Import (Paste) it to iSSH from
General Settings > Configure SSH Keys
> Import Key...
Change your Connection to "Use Key"
authentication
Verify connectivity
Advanced: Disable Password Authentication
Server setup
Edit the /etc/ssh/sshd_config*
PasswordAuthentication no
ChallengeResponseAuthentication no
Edit the config file to change the default SSH port
/etc/init.d/ssh restart

* sample configuration file in the Speaker notes

Thanks

I hope you found this useful. The original version of this presentation can be
found at:

https://docs.google.com/present/view?id=djjg73z_45k2rdzkzt