Not the Sharpest Tool

Other than the usual suspects in the topmost Favorites menu item (e.g., web browser, shell, text editor, GUI file manager), BackBox Linux includes a handful of security tools, such as Ettercap (for man-in-the-middle network attacks, among other things), the msfconsole interface to the all-powerful Metasploit Framework (for pen testing), Wireshark (for sniffing network connections), the venerable ZAP (automated security testing) [9], and Zenmap (a graphical front end to the prodigious and unmatched Nmap security tool).

A click on the Auditing link in the right-hand menu presents a carefully compiled list of security areas on which you might focus (Figure 2). Choosing any topic reveals their many associated submenus.

Figure 2: The Auditing option offers a number of interesting areas to explore. Source: BackBox Linux [2].

My Privacy Is Private

The Anonymous menu option presents a group of three that addresses privacy: anonymous start , anonymous status , and anonymous stop . Clicking anonymous start presents a pop-up terminal informing you that a simple script will attempt to stop common information leaks from your system. It also advises where to configure the relevant values (the config file is located at /etc/default/backbox-anonymous). As you might guess, it offers a friendly warning that what you do with your computer determines how much information is ultimately leaked to the outside world.

The simple anonymity script uses Tor to protect your privacy, including which DNS ports you'd like to use, the local IP address ranges you'd like to prevent being routed out via Tor, and processes that might reveal information you don't want shared that you'd like to have stopped dead in their tracks. BackBox can even instruct BleachBit precisely what to tidy up after you've stopped running the anonymity script (e.g., system cruft and file history).

Antisocial Behavior

As I mentioned in the introduction, one of the most successful types of attacks that has been present since time immemorial – way before computers were around – is simply tricking people to reveal something they probably shouldn't.

I'm referring to social engineering, which is considered one of the biggest threats to security in modern times. The premise of social engineering is simple and yet still massively successful: persuade or trick individuals into revealing information that attackers can use to their advantage.

That information might be a password but could be all sorts of other types of information, like the time of day for shift changes or the type of tool used to perform a certain task. In fact, the possibilities are so broad that the venerable Social Engineering Framework (SEF) website [10], which provides the Security Engineer Toolkit (SET) that I'll look at shortly, calls such activities a "blend of science, psychology, and art." I think that sums up cybersecurity as a discipline pretty well, too! If you're interested in this area, a friend directed me to a fascinating article online [11] for more insight.

The SEF website further defines social engineering as "any act that influences a person to take an action that may or may not be in their best interests." Figure 3, from the SEF website, lists the different attacks more succinctly. Another categorization [12] lists six principles used to take advantage of someone's good nature and their perfectly normal desire to return a favor.

Figure 3: Categories of social engineering. Source: SEF website [13].

For social engineering attacks in this article, I focus on the SET toolbox previously mentioned earlier. According to the SEF website, SET was created by David Kennedy (ReL1K), with input from the open source community. The SEF website describes SET as a toolkit specifically focused on performing advanced attacks against the "human element" during a penetration test.

Under the menus on BackBox Linux, you can run setoolkit from the Auditing | Social Engineering option. You're presented with a gentle reminder that you should be giving the author a hug, or a bourbon, or indeed a beer for his sterling efforts. Another nice reminder encourages you to improve the industry for all involved by helping out where possible.

Finally, a warning reminds you to do good and not evil. Consider yourself suitably warned that all BackBox Linux tools, including SET, should be used on systems, people, or networks on which you have permission to run them.

After agreeing with the terms, you are offered a nice, clean ASCII menu within a terminal window that lets you know the latest version of SET available and the one you're currently running (Figure 4). It also points you at the GitHub page [14] for more information.

Figure 4: The SET menu system is slick and easy to use.

The GitHub page is also very helpful if you're not using BackBox Linux to run SET, offering the various dependencies required for different operating system (OS) flavors (e.g., Debian derivatives like Ubuntu and Mint, etc.). To install the dependencies yourself, you would enter:

$ apt install -y git apache2 python-requests libapache2-mod-php python-pymssql build-essential python-pexpect python-pefile python-crypto python-openssl

The GitHub README file has a link to a PDF that acts as a nicely written and relatively easy-to-follow tutorial and manual.