Penetration Testing With BackTrack/Kali Linux

By utsav. Category: Penetration Testing



Penetration testing is a legal and authorized attempt to exploit a computer system with the intent of making a network or system more secure. The process includes scanning the system to find out whether it is vulnerable to attack from a real hacker. Penetration testing has several names, such as pen testing, ethical hacking and white box hacking.

Steps of penetration testing

  1. Reconnaissance
  2. Scanning
  3. Exploitation
  4. Maintain access

Penetration testing: Reconnaissance

Reconnaissance, also known as information gathering, is the phase in which you learn about your target. A pen test begins by viewing the target website; an auditor can then use the tools provided in BackTrack to extract network information about the target. These tools collect information from DNS servers, traceroutes, the Whois database, e-mail addresses, phone numbers, personal information and user accounts. The more information that is gathered, the better the chances of a successful penetration test.

Metagoofil is a tool that uses the Google search engine to retrieve metadata from documents published on the target domain. Currently it supports the following document types:

• Word documents (doc, odt)

• Spreadsheet documents (xls, ods)

• Presentation files (ppt, odp)

• PDF files

# ./metagoofil.py -d <target-domain> -l 20 -f all -o test.html -t test

Replace <target-domain> with the domain under test; -f all requests every supported document type.


The dnswalk tool can be used to obtain the complete list of IP addresses and the corresponding hostnames stored in the targeted DNS server. It works by requesting a DNS zone transfer. A DNS zone transfer is the mechanism used to replicate a DNS database from a master DNS server to another DNS server, usually called a slave DNS server; with it, the master and slave databases stay in sync. This sync feature of the DNS protocol can be used by the penetration tester to gather information about the target domain. A properly configured nameserver only allows zone transfers to its own secondaries, so a transfer that succeeds from an arbitrary client is itself a misconfiguration worth reporting.


Go to the dnswalk directory and run it against the target domain (the domain name must end with a trailing dot):

# cd /penetration/enumeration/dns/dnswalk

# ./dnswalk target.
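The zone-transfer check that dnswalk relies on, as an added example that is not part of the original post or of dnswalk itself: it parses `dig axfr` output (a constructed sample is embedded) and, for a zone you administer, reports whether a nameserver still answers transfer requests from arbitrary clients. The live check assumes the `dig` command is installed.

```python
"""Check whether a nameserver hands out its zone over AXFR (zone transfer).
Added example, not from the original post or dnswalk. The live check assumes
`dig` is installed; the parser runs on a constructed sample (not real data)."""
import re
import subprocess
from typing import Dict, List, Tuple

# One zone record line from `dig axfr`, e.g. "www.example.com. 3600 IN A 192.0.2.10"
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr_output(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, data) tuples from `dig axfr` output. An empty list
    means the server refused (dig prints "; Transfer failed.") or sent nothing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments and status lines
        m = RECORD_RE.match(line)
        if m:
            name, _ttl, rtype, data = m.groups()
            records.append((name, rtype, data.strip()))
    return records


def hosts_from_records(records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map hostnames to IPv4 addresses (A records), as dnswalk would list them."""
    hosts: Dict[str, List[str]] = {}
    for name, rtype, data in records:
        if rtype == "A":
            hosts.setdefault(name.rstrip("."), []).append(data)
    return hosts


def zone_transfer_allowed(zone: str, nameserver: str) -> bool:
    """Live check for a zone you administer: True if the server returns records."""
    proc = subprocess.run(["dig", "axfr", zone, "@" + nameserver],
                          capture_output=True, text=True, timeout=30)
    return len(parse_axfr_output(proc.stdout)) > 0


# Constructed sample of an open nameserver's reply (RFC 5737 test addresses).
SAMPLE_OPEN = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400
example.com.\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
mail.example.com.\t300\tIN\tA\t192.0.2.25
"""
SAMPLE_REFUSED = "; Transfer failed.\n"  # what a correctly locked-down server yields
```

If `zone_transfer_allowed` returns True for one of your own zones, restrict transfers (for example with BIND's allow-transfer) to the addresses of your secondary servers.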


Routing information describes the network route between the attacker's machine and the target machine. 0trace uses HTTP and SNMP to reach the firewall and then sends TTL (time-to-live)-based packets afterwards. It relies on a firewall misconfiguration: the firewall doesn't rewrite the entire packet (which is common for native stateful inspection firewalls) and doesn't use an application layer gateway or proxy (which is common in today's company infrastructures). 0trace works by setting up a listener that waits for a TCP connection from the target device and then performs a traceroute over the already established connection.

Tcptraceroute sends out packets with a TTL of one and increments it until the target is reached, in the same way as traceroute's UDP or ICMP echo probes; it also sends TCP SYN packets to the target.


theHarvester is a tool for gathering e-mail accounts, usernames, hostnames and subdomains. It supports various public sources such as Google, Bing, PGP and LinkedIn.


Another all-in-one tool is Maltego. With it we can find multiple things, such as:

• Domain names

• DNS names

• Whois information

• Network blocks

• IP addresses


It can also be used to gather information about people, such as:

• Companies and organizations related to the person

• E-mail address related to the person

• Websites related to the person

• Social networks related to the person

• Phone numbers related to the person





Maltego transforms referenced here: GetDNSNames (excluding NS/MX) and All Transforms.


Identify the target machine's IP address with the ping command. Ping works by sending an ICMP echo request packet to the target host. If the target host is available and not blocking ping requests, it replies with an ICMP echo reply packet.


-c count: The number of ECHO_REQUEST packets to be sent.

-I interface address: The network interface of the source address. The argument may be a numeric IP address or the name of a device.

-s packet size: Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.


Another tool in BackTrack is fping.


The fping tool is used to send a ping request to several hosts at once. You can specify several targets on the command line, or you can use a file containing the hosts to be pinged. fping works by monitoring the replies from the target hosts. If a target host sends a reply, it is noted and removed from the target list. If a host doesn't respond within a certain time, it is marked as unreachable.


# fping -h

-h means host name; you can use multiple hosts.



Port scanning

Port scanning can be defined as a method to determine which TCP and UDP ports are open on the target machines. An open port means that there is a network service listening on the port. If a network service is vulnerable, then the attacker might be able to use that information to speed up the vulnerability analysis process. To understand port scanning, let's discuss the protocols used first. Network services use TCP or UDP.


Nmap is widely used for port scanning. The tool also includes several types of detection, such as:

• Host discovery

• Service/version detection

• Operating system detection

• Network traceroute


Nmap installation command on a Linux system:

# apt-get install nmap

# nmap

Run nmap without any option to test that it works; it prints its usage summary.


Nmap port specification

In the default configuration, Nmap will only scan the 1000 most common ports on each protocol, in random order. To change that configuration, Nmap provides several options:

-p port_range

Scan only the defined ports. To scan ports 1-1024, the option is -p 1-1024. To scan ports 1-65535, the option is -p-.

-F (fast)

This will scan only the 100 most common ports.

-r (don't randomize ports)

This option sets sequential port scanning (from lowest to highest).

--top-ports <1 or greater>

This option will only scan the N highest-ratio ports found in the nmap-services file.
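As an added example (not nmap's own code), the following reproduces what --top-ports N selects from the nmap-services file and renders the result as a -p port list; the sample file contents and their frequencies are constructed for illustration, while the path /usr/share/nmap/nmap-services is where Kali keeps the real file.

```python
"""What `nmap --top-ports N` selects, and how to hand the result to -p.
Added example, not nmap's own code. The sample below is constructed in the
nmap-services format (name, port/proto, open-frequency, optional comment);
the real file on Kali is /usr/share/nmap/nmap-services."""
from typing import Dict, List, Tuple

SAMPLE_NMAP_SERVICES = """\
# Fields: service name, port/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669
ssh\t22/tcp\t0.182286
domain\t53/udp\t0.213496
snmp\t161/udp\t0.433467
unknown\t49152/tcp\t0.000000
"""

def parse_nmap_services(text: str) -> Dict[str, List[Tuple[int, float, str]]]:
    """Parse nmap-services lines into {proto: [(port, frequency, name), ...]}."""
    table: Dict[str, List[Tuple[int, float, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, skip blank lines
        fields = line.split()
        if len(fields) < 3:
            continue  # header or malformed line
        name, portproto, freq = fields[:3]
        port_s, proto = portproto.split("/", 1)
        table.setdefault(proto, []).append((int(port_s), float(freq), name))
    return table

def top_ports(text: str, n: int, proto: str = "tcp") -> List[int]:
    """Ports that --top-ports N would scan for `proto`: highest frequency first."""
    if n < 1:
        raise ValueError("--top-ports takes a value of 1 or greater")
    entries = parse_nmap_services(text).get(proto, [])
    entries.sort(key=lambda e: (-e[1], e[0]))  # frequency desc, port asc tie-break
    return [port for port, _freq, _name in entries[:n]]

def port_spec(ports: List[int]) -> str:
    """Render a port list as an Nmap -p argument, e.g. [21,22,23,80] -> '21-23,80'."""
    ports = sorted(set(ports))
    parts, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1  # extend the run of consecutive ports
        parts.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(parts)
```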