Today, the US Attorney’s Office announced that Jesse “GhostExodus” McGraw has entered a guilty plea on two charges of transmitting malicious code.  Jesse had compromised more than 14 computers at the Carrell Clinic in Dallas, Texas, where he worked as a night-shift security guard.  This included the system running the HMI (Human Machine Interface) for the hospital’s HVAC system.  To the best of my knowledge this is the only arrest and conviction of a hacker involved in a control systems/SCADA incident in the United States.

This story began last year, when I became aware of the HVAC compromise, and gathered information about it to turn over to FBI.  Throughout the process, I have been very impressed with the technical skill and responsiveness of the FBI agents.  I am also very happy with this outcome.  This may serve to educate organizations with control systems about the threats and vulnerabilities that are possible, and put other “script-kiddie” type hackers on notice that they can be tracked down and prosecuted for their actions.

The press release for the guilty plea is not yet available on the DOJ website, but the following articles are available:

I have a large collection of PDFs of court filings for this case, which I may post with commentary at some point soon, now that he has entered a guilty plea.  The PDFs make for interesting reading and a wild ride, and I don’t know of any other resources that have good documentation of a hacker case.  I’m looking forward to going through them again.


The idea for doing this comparison came to me after seeing some back-and-forth on Twitter between @attritionorg and @dralijahangiri about the Live Hacking CD.  After @attritionorg called the point of the Live Hacking CD into question (when Backtrack 4 is already available), Dr. Ali Jahangiri made claims that “Live Hacking CD is much easier than BackTrack and its tools are updated”, and that “BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest”.  Dr. Jahangiri followed this up with an example of an “old” tool in Backtrack: Kismet.

I had not used the Live Hacking CD before, so I figured that testing out these claims and comparing the two distributions might be worth doing.  I’m always interested in new live CDs, both for my own use, and as recommendations for students and others new to infosec.  Backtrack 4 is the current pentest-distro-of-choice around here.  It’s to the point now that a BT4 install is about as good as anything I’d roll myself for a pen-testing Linux install, and it’s also something I can recommend to the students for lab exercises, and our end-of-semester CTF.

One might ask, why would the Live Hacking folks want to re-invent the wheel?  If you are just a user of Backtrack, it may not have occurred to you, but there is a business rationale for competition in the pen-test Live CD arena.  The BT4 maintainers, Offensive Security, offer some very well-liked and technical training classes that use Backtrack in a classroom setting.  Live Hacking also holds workshops that teach similar material.  It would make sense, then, that one training company would not want to have students spending much of their time in class staring at an advertising vehicle for another company.

So, the Live Hacking CD makes sense for the Live Hacking training.  They don’t have students sitting and looking at their competitor’s logos throughout class.  They can load it up with the specific tools that they teach in the class and update it along with their material.  At the NFTC, we’ll likely soon be doing something similar with a forensics live distro, so I definitely “get it”.

The question is: if I am not currently in the Live Hacking training, is their Live CD something that is useful independent of the class?  The answer for Backtrack 4, with the new features for cleanly installing and package management, is a resounding “yes”.  Backtrack serves as a tough competitor, but Dr. Jahangiri seems to compare the Live Hacking CD favorably to BT4, so let’s take it to task:

Tools

I considered building a table that compared the two sets of tools, but there’s honestly no point.  Backtrack 4 is a DVD distribution, giving it a huge advantage over Live Hacking’s CD in this category.  You can view a list of tools that are on the Live Hacking CD here, though I am not aware of a list for Backtrack 4 (there is a Backtrack 3 list here, though it’s not quite accurate for BT4).

While Backtrack 4 has all but a few of the tools from Live Hacking (Relay Scanner, for example), there are some interesting omissions from Live Hacking.  The Live Hacking CD seems to focus on reconnaissance, spoofing, and wireless tools.  It’s missing a lot of vulnerability finding and exploitation tools.  For example, it’s very surprising to me to see a live CD meant for penetration testing that does not include the Metasploit framework.  I don’t see any web application tools, either.

I’m sure there’s good reason for this on the Live Hacking CD side of things.  If you’re building a CD to go along with exercises for a class, there’s no reason to put a tool on the disc that isn’t used in an exercise.  This doesn’t make for a good pen-testing disc for general use, though, and I’d have to say that Backtrack 4 wins hands-down on this.

Updates

There was a claim that the tools on the Live Hacking CD are “updated”.  I’ll take that as an opportunity to look at how they both handle updates.  This cuts to the very nature of each disc, really illustrating how they’re meant for very different purposes.

The Live Hacking CD is heavily based on the Ubuntu Desktop 9.10 ISO.  So much so that VMware Workstation detects the ISO as being Ubuntu 9.10 and offers to do a quick install.  If you check the sources.list, you will find that it even uses Ubuntu’s repositories.  Many of the pen-testing tools are installed from Ubuntu’s repositories, and have recent version numbers.  If a tool were to be updated in the 9.10 repositories, you would be able to update it in LHCD easily.

Other tools that aren’t in the Ubuntu repos (such as metoscan) or haven’t been updated in a while (Kismet) appear to have been installed manually.  To use Dr. Jahangiri’s example, Kismet in LHCD is from the January 2010 release (found by running ‘strings’ on the kismet_server binary).  On Backtrack 4, Kismet was built from SVN in July of 2009.

So, Kismet is newer on LHCD than on the Backtrack 4 DVD.  On Backtrack, however, Kismet is a package maintained by the BT4 developers.  Backtrack, like LHCD, is based on Ubuntu, but unlike LHCD, the Backtrack developers have put a lot of work into setting up their own repositories and providing updates and tools independently of Ubuntu.  Because of this, the BT4 developers could, at any time, rebuild Kismet from SVN and you would be able to apt-get it in.  If the LHCD maintainers were to update Kismet, it would likely require a new version of the disc.
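The two checks used above, pulling a release tag out of a binary with ‘strings’ and asking whether a tool is a repository package or a manual drop-in, are worth scripting when you inventory a live distro before trusting it.  The following is an added example and is not code from the original post or from either distribution.  It uses tr/grep as a portable stand-in for ‘strings’ (so it runs without binutils), and dpkg -S to tell apt-managed files from manually installed ones; the sample “binary” and the release tags inside it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the original post): report the embedded version or
# release-date strings in a tool binary and whether the package manager owns it.

# Print printable runs of four or more characters from FILE. This is a
# portable stand-in for `strings FILE`, so the script works without binutils.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Keep only runs that look like a version number (1.0.0) or a dated release
# tag such as Kismet's YYYY-MM-Rn scheme; deduplicate the result.
version_strings() {
    printable_strings "$1" \
        | grep -E '([0-9]+\.[0-9]+(\.[0-9]+)?|20[0-9]{2}-[0-9]{2}(-R[0-9]+)?)' \
        | sort -u
}

# Print the Debian/Ubuntu package that owns PATH (meaning apt can update it),
# "manual" if dpkg has no record of the file, or "dpkg-unavailable" on a
# system without dpkg at all.
package_owner() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1 | head -n1 | grep . || echo manual
    else
        echo dpkg-unavailable
    fi
}

# Constructed sample: a fake binary with NUL bytes, high bytes and two embedded
# release strings, standing in for a real kismet_server. The tags are made up
# for the example, not read from either distribution.
make_sample_binary() {
    printf 'ELF\000\001\002junk\000Kismet 2010-01-R1\000\377\376more\000libpcap 1.0.0\000' > "$1"
}

# Inventory one tool: where it came from, and what it claims to be.
inventory_tool() {
    printf '%s\towner=%s\n' "$1" "$(package_owner "$1")"
    version_strings "$1" | sed 's/^/\tversion: /'
}

# Usage: inventory_tool /usr/bin/kismet_server
```

On a Backtrack 4 install the owner column is what answers the question in the text: a file owned by a BT4 package can be refreshed with apt-get when the developers rebuild it, while a file reported as “manual” only changes when someone reissues the disc.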

So, while the Live Hacking CD might have slightly newer versions of some tools, Backtrack 4 has a better framework for keeping those tools up to date.

Ease of Use

I’m not sure how to measure this claim, but I hesitate to say that either one is “much easier” to use than the other.  Both are a collection of tools, and you either know how to use them or you don’t.  Backtrack 4 is a more popular distro than Live Hacking, so you may be able to find help with problems on Google more easily, but there isn’t anything inherently easier about one over the other.

A claim was made that “BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest”.  If this is part of the argument that LHCD is easier, I would have to disagree.  There are many tools in BT4 that I don’t use, but they don’t get in my way, or reduce the ease at which I use the others.

Conclusions

If it weren’t for the claims made about the Live Hacking CD comparing it to Backtrack 4, I probably wouldn’t have looked at the two together or posted about it.  It really isn’t anything resembling a close call.  They are two very different beasts.

The Live Hacking CD is a disc designed as a companion to a class, and I’m sure it fits that purpose well.  There are good reasons for developing custom live CDs for classes.  It does, however, have limited use outside of the class.

Outside of the classroom, Backtrack 4 is a much better choice, in my opinion.  It has a much more comprehensive set of tools, a system for updating them, and a team of developers that are committed to keeping it relevant.  Unless you have a very specific need for something else, BT4 is as good as it gets for pen-testing Live CDs.

© 2012 McGrew Security