Updated: May 15, 2009
We have already had three articles on Linux forensics. This is the fourth.
In the first three parts, we had an introduction to basic concepts and some common tools, followed by two detailed reviews of Helix and Protech, Linux distributions specially designed for penetration testing, security auditing, incident handling, system investigation and analysis, data recovery, and other useful tasks. Today, we will review another high-end, security-oriented distribution, BackTrack.
BackTrack is one of the more popular distributions in white hat circles. It is specially suited for penetration testing, with more than 300 tools available for the task. Like both Helix and Protech, BackTrack is based on Ubuntu. This means good stability and hardware detection, and a whole lot of software that can be easily obtained. Sounds quite interesting. Let's see how it behaves. We're going to check version 4 Beta.
Like most Linux distros, and definitely all forensics/security-oriented tools, BackTrack works primarily as a live CD, with good hardware detection and a low memory footprint, intended to make it usable even on older machines. It is also possible to install BackTrack to disk, should one desire.
The boot menu is simple and elegant, with three options available.
The second option (Console no FB) stands for Console, no Framebuffer, i.e. the failsafe mode with minimal graphics that should work on all hardware. Thanks k finity! As to the third option, MSRAMDUMP, I did try booting it, but this produced an error and threw me back into the boot menu.
The distro maintains its elegance by booting into the best-looking console I have seen, with stylish color gradients and mirror effects. You can begin working instantly on the command line or boot into the GUI desktop by issuing the startx command.
One thing worth noting in the screenshot above is the mount error on hda1, which is formatted with Ext4, a relatively new filesystem. In fact, the system I booted BackTrack on hosts a Jaunty install with an Ext4 root partition. This is something that will probably be solved in future releases.
The desktop is simple and functional, running a lightweight KDE 3 desktop. You get a simple wallpaper with a dragon-like theme. Another interesting element is the Run box embedded in the panel, which allows you to run applications without opening a terminal first. Networking is not enabled by default, and you'll have to bring it up manually.
BackTrack is all about lots and lots of hacking tools. Once again, I'm only going to present the tools, not show you how to use them. These tools are all double-edged swords, and without the right amount of respect, skill and integrity, you may cause more harm than good. Furthermore, do not deploy them in a production environment without explicit approval from the system administrators and INFOSEC people.
The tools can all be found under BackTrack in the menu, arranged into sub-categories. The collection is long and rich, and it will take you a long time poring over all of them, let alone mastering them. Most of the tools are command-line utilities; the menu items simply open a console with the relevant tool running inside it.
A few practical examples: there's the venerable nmap, Hydra and hping3:
You may also want to audit Bluetooth devices. On the test machine, there are no Bluetooth devices, which explains the error you see below.
Then there's gdb (the GNU Debugger) for analyzing crash dumps and core files.
Last but not least, you get the great Wireshark (formerly Ethereal):
BackTrack is mainly loaded with security applications; however, it also has a reasonable assortment of "normal" programs. You get Firefox, already configured with the excellent NoScript extension.
You also get Synaptic, which makes software management easy and pleasant:
You also have Wine for running Windows software.
And then, you can change wallpapers and get classic KDE looks.
How I miss that wallpaper! To the best of my knowledge, it has not been included in most KDE releases since Kubuntu 6.06.
You can find more stuff in the K-menu:
Being a beta, BackTrack 4 was not the most stable distro. In addition to the Ext4 error during boot, there were some other problems. For example, both the Lynx text browser and the QtParted partitioning software refused to work.
One thing that may bother you is the documentation section on the official site. It's an HTTPS site with a self-signed certificate that had expired, at least when this article was written, and the expiration had been in effect since August 2008.
This is not something you expect to see on a site catering to a security-conscious audience. Furthermore, there's the small issue of inconsistency when it comes to application names. For example, BlueSmash shows up as blue-smash on the command line, hping3 has a capital H in the menus, etc. BackTrack itself also comes in two spellings, with both lowercase and uppercase Ts. Overall, there were no big issues, except for the occasional application errors.
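The expired, self-signed certificate on the documentation site is the kind of thing you can verify in seconds from the BackTrack console itself with nothing more than openssl, which the distro ships. The script below is an added example, not code from the original article or from the BackTrack project; it checks whether a certificate is self-signed (issuer equals subject) and whether it has expired or is about to. The host names are placeholders, and the certificate it actually runs against is a constructed throwaway one, so the demo works offline without touching any real site.

```shell
#!/bin/sh
# Added example (not from the article or the BackTrack project): audit a TLS
# certificate for self-signature and expiry using only the openssl CLI.
# Host names are placeholders; the demo at the bottom uses a constructed cert.

# Fetch the leaf certificate a server presents on port 443, as PEM, into file $2.
# Live network step; not exercised by the offline demo below.
fetch_server_cert() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Exit 0 if the certificate's issuer equals its subject, i.e. it is self-signed.
# The sed strips the "issuer=" / "subject=" prefix so the two names compare cleanly.
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
    [ "$issuer" = "$subject" ]
}

# Exit 0 if the certificate expires within $2 seconds from now (0 = already expired).
# openssl's -checkend exits 0 when the cert is still valid past that point, so invert it.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable report for a PEM certificate file.
report_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    if cert_is_self_signed "$1"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
    if cert_expires_within "$1" 0; then
        echo "expired: yes"
    elif cert_expires_within "$1" 2592000; then
        echo "expired: no, but expires within 30 days"
    else
        echo "expired: no"
    fi
}

# Constructed sample: a throwaway self-signed cert valid for one day, generated
# locally so the checks can be exercised offline. Prints the certificate path.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=docs.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Offline demo. Against a live site you would instead run:
#   fetch_server_cert www.example.test /tmp/site.pem && report_cert /tmp/site.pem
sample=$(make_sample_cert)
report_cert "$sample"
```

For the sample certificate the report shows self-signed: yes and expired: no, but expires within 30 days; a certificate that expired in August 2008 would report expired: yes. A self-signed certificate is not automatically a fault on a documentation site, but an expired one means every visitor is already trained to click through a browser warning, which is exactly the habit an attacker with a forged certificate wants.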
BackTrack is a powerful hacking suite. It is well made, with stylish touches that add to the overall feel of the distribution. It runs very fast in live mode, even faster than most installed distributions. Most importantly, the array of tools is rich, well balanced and overall quite impressive.
The Beta version did throw a few errors here and there, but nothing major. Small consistency issues also arise, and there's the lack of support for Ext4, which I expect will be solved soon. Documentation needs to be improved, starting with the website SSL certificate and continuing with the many questions regarding general usage.
Nevertheless, for security professionals looking for a complete testing package that has all their favorite gadgets neatly arrayed on top of a stable, popular distribution, with Synaptic package management for easy replenishment of any missing bits, BackTrack is an excellent candidate for their work.