
Auditing Tools: KNOPPIX

Last updated Jan 1, 2004.

KNOPPIX (The Security Tool Distribution)

In almost every line of professional work, the practitioner has a group of tools they use to perform their daily tasks. Typically, the most used tools are kept close at hand on a utility belt, in a pocket, or in a toolbox or bag. The same principle applies to the security professional, who is typically able to use the standard tools available on almost any operating system to perform basic troubleshooting. However, once the job gets a bit complicated, the security professional often requires a specific program that is not locally available. This means precious time must be spent downloading the programs to a local computer, or making a trip back to the lab for the necessary equipment. For times like this, we recommend KNOPPIX.

KNOPPIX is "a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a Linux demo, educational CD, rescue system, or adapted and used as a platform for commercial software product demos." Or in short, it is a full OS with a wide range of programs that are run straight from the CD to allow a user to turn any PC based system into an instant Linux based security Swiss Army knife, with a full kitchen sink thrown in to boot.

Download and Installation

KNOPPIX is a freely available software package available at http://www.knoppix.net, or one of its mirrors (http://wwwknoppix.net/get.php). Until recently, it was possible to order a CD copy of this distribution, but thanks to greedy patent scrounging individuals and companies trying to claim ownership over "mouseclicks on online order forms", KNOPPIX is currently not available on a CD ROM. Regardless, you can still download this 700 MB file from numerous online mirrors.

Once you have obtained a copy, you simply need to burn it to a CD. Ironically, this is the most complex part of running KNOPPIX. First you need a 700 MB CD, preferably a CD-RW so you can reuse the same disc when you download a KNOPPIX update. Second, you will need a CD burner with software that can create a bootable CD-ROM from an ISO image. For Windows users, this includes Nero and EZCD Creator. In the case of Nero, you simply:

  1. Open Nero (not in wizard mode)

  2. Select File > Burn Image

  3. Locate KNOPPIX_V######.ISO

  4. Click Burn!

After a few minutes waiting for the CD to burn, you are ready to install.

Of the numerous GUI-based operating systems I have installed, I have never experienced an easier installation than KNOPPIX. Before installing, I checked my computer's (Dell 8200 Inspiron) BIOS to verify that the CD-ROM was listed as an optional boot device, and then I simply placed the new CD in my computer and turned it on.

After a short pause as the PC performed its POST operations, KNOPPIX began to load. During the following few minutes, the OS performs some automatic configuration and setup. Everything from the monitor to the sound card, and even the wireless network card, is automatically detected and the appropriate drivers installed. I have tested my disc on several systems, ranging from a Gateway PII to my P4 laptop, and have had equal success. In other words, KNOPPIX redefines what plug and play was meant to be.

The tools

This is only meant to be a short and non-technical intro to KNOPPIX. While this OS deserves a full 1000-page manual describing and defining the many tools and programs available, we leave the details of each tool and how they work for you to discover. We will cover the basic types of tools provided, with an example or two, and let you discover the rest. This will basically be a simplified version of the KDE program menu provided by KNOPPIX, as illustrated by the figure below. It is important to note that in each of these folders there is an RTFM link that directs you to literature on the tools included in each section. There is also a shell link in each folder that provides the user with numerous command-line-only tools. While there are many benefits to a GUI-based environment, you will find that some of the best tools and programs are not available outside a text-based command line.

Figure 20: KNOPPIX KDE Menu

Internet:

Contains the basic Internet tools that you need to get around online. Xchat for IRC, telnet, the Mozilla web browser, Kmail, and even Lynx (a text-based web browser) are available for your amusement and/or use.

KNOPPIX

Since KNOPPIX operates solely from the CD and RAM, there are some key components that you might want to set up before any extensive use. For example, printer configurations, the swap file, network settings (if they are not provided by DHCP), modem settings, wireless card settings, and other pieces of an OS that are typically configured when an OS is installed are available for your management. Note that any update to these settings needs to be stored permanently if you want to save it. By default, all write access to the system's hard drives is disabled.

Utilities

This group of programs contains the typical applications that you will find in a default install of almost any version of Linux. Games, system settings, text editors, office tools, etc. are all listed in this folder for your use. While these programs are most likely not the reason you would use KNOPPIX, they are some of the more common programs that would be greatly missed if they were not included.

Authentication

This grouping primarily focuses on FreeRadius, which is simply a Radius server that can be used to authenticate users to a network or service. One use for FreeRadius is to authenticate wireless users and allow them access to network resources.

Cracker

This small group of tools consists entirely of command-line programs. Their main purpose is to provide a user with a method to retrieve and then crack system passwords. For example, the infamous john is provided, a very common program useful for cracking DES-encrypted passwords, which are found on most Unix systems.

Encryption:

If you want to protect data from intrusive elements, you need to encrypt it. This section provides the tools to get this done. From a simple ROT-13 encryption script, to cryptcat, SSL tools, and gpg, KNOPPIX provides its user with a solid set of encryption tools.

Firewall:

KNOPPIX includes two of the most commonly found firewall programs available on Linux. The first is the very well known iptables, which uses a list of rules to determine if data is permitted to leave or enter the host computer. The second is Shorewall, which is much more than just a simple rules-based firewall. If you are at all interested in either of these programs, then KNOPPIX is a great place to test their functionality.

Forensics:

While much of security focuses on detection, prevention, and penetration testing tools, forensics is equally as important. With tools such as The Sleuth Kit, a user can peer deep inside their system to see what data is hiding in unallocated space and memory. Other programs are available that can help prevent others from snooping on you, such as wipe.

Honeypot:

A honeypot is a program or system that is used to catch hackers and log their methods of operation. KNOPPIX provides two such programs. The first, LaBrea, is essentially a hacker/worm tar pit. By taking advantage of the technicalities of a communication session, LaBrea will keep a worm or hacker stuck waiting for network replies, which are slowed to a crawl. The second, HoneyD, is a small program that emulates a whole network of computers, including services and programs. In theory, this type of program will cause an attacker to spend all their time probing the honeynet, thus keeping them away from the real network (which should not be available in the first place!).

IDS:

An Intrusion Detection System should be part of every network. While it offers no proactive protection, it can help an administrator determine if their network is under attack, and how an attacker gained access. KNOPPIX provides Snort as an IDS, with syslogd (log capturing) and Swatch (log monitoring) to help narrow in on any attack attempts. With these three programs, you can detect, log, and monitor everything from porn abuse, to IIS attacks.

Penetration Testing:

The first thing you should note about this group of tools is that they are all command-line based. Ironically, there are more of these types of tools available with KNOPPIX than any other type. In the pen-test shell, you will find everything from dsniff, to sendmail attacks, the ADM programs, and more. Just be careful with these programs, as their use can constitute an illegal attack. The figure below is a screenshot of the numerous command-line tools available.

Figure 21: pen-test shell tools

Servers:

If you need to set up or test a server on your network, KNOPPIX is an excellent choice. You can narrow down the appropriate configuration settings, or run server tests, without worrying about breaking the OS. Included are samba, VNC, apache, bind, and more.

Sniffers:

The ability to sniff network traffic is essential to any network or security administrator. KNOPPIX includes numerous sniffers, and supporting programs such as ettercap and dsniff. In addition to sniffers, this section of tools also includes packet creation/injection tools, such as IPMagic and nemesis. With these programs you can create your own custom made packets for testing purposes.

Vulnerability Testers:

Vulnerability testing programs are used to test for the existence of potential problems in computers and programs. Included in this section are programs like nessus and nmap, both of which have a reputation for being able to detect open services, and problems with those services. Other programs like chkrootkit (which checks the local system for indications of root kits) are also available to detect any existing vulnerabilities on the local system.

Wireless Tools:

This section is the reason I have a copy of KNOPPIX with me at all times. In a matter of three minutes I can turn my laptop into a fully functional wireless auditing tool. Using kismet, airsnort, or wardrive, and a network card, I can detect wireless networks, capture the data on the network, and even crack the WEP encryption that is widely used. If you are interested in testing out the power of Linux with regards to WLAN analysis, KNOPPIX is definitely the place to start.

Summary

This short overview of KNOPPIX does not do it justice. However, if any of what you read interests you, please just download and burn off a copy for yourself. This is one packaged collection of software that will not fail to impress you. From the standard office programs (one of which I am using to write this overview), to the more nefarious penetration testing tools, KNOPPIX provides a powerful system in the palm of your hand. Now, if only they would make a version of KNOPPIX for my PDA!

Cain and Abel

Windows users have long been left out in the cold when it comes to high quality security auditing programs. While there are some exceptions, many Windows users do not know what ARP spoofing is, or even how a sniffer works. This is due to the limited functionality built into the operating system, and also because Windows OSs are not really meant to be security tools. In some way, this restrictiveness of Windows has helped the Linux OS become so popular. True computer geeks want control over the OS and do not want to be limited by proprietary and closed system software. This is why Cain caught our eye. In this rather small, but extremely feature-rich and free program, the authors of Cain have provided a plethora of auditing tools that are typically associated with Linux.

As the author describes it, "Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary & Brute-Force attacks, decoding scrambled passwords, revealing password boxes and analyzing routing protocols." While this description works, C&A is much more than a simple password cracker. Instead of a simple passive cracker, such as the infamous L0phtCrack (arguably the icon of NT account password cracking), C&A is an active discovery tool that proactively searches a network for communication sessions from which it can collect passwords to be cracked. In other words, C&A is part password cracker, part sniffer, part spoofing tool, and part forensic program. With this one program, an auditor can sit at their desk and capture passwords from web requests, telnet sessions, VNC sessions, and even SMB logon sessions to Windows servers.

Installation

Since C&A is a Windows program, the installation isn't very difficult, with one minor exception. You will first need to download C&A from http://www.oxid.it/cain.html. Please note that you should download the latest version for Windows NT/2000/XP. There is an earlier version, which is targeted to Windows 9x users. While this program is a valuable tool as well, the newest version is much more feature-packed.

To enable the sniffer option in C&A, you must first download the WinPcap driver. This is a special driver that enables Windows-based network cards to operate in promiscuous mode. Under normal operation, a network card will only accept traffic addressed to it, or traffic that is meant for all network cards. This keeps the network card from processing irrelevant data, because the host system does not need it. Promiscuous mode allows a card to accept all data that it comes in contact with, regardless of the intended destination. By enabling this mode in C&A, you turn the program into a network sniffer capable of collecting data from remote computers, instead of just the one C&A is installed on. Therefore, when you are installing C&A and it prompts you to install WinPcap, you should accept this option. By doing so, you will launch another installation procedure, which will require a reboot.

Operation

Due to the numerous features, when you start up C&A, you will be confronted with a screen similar to the figure below.

Figure 1: Opening dialog of Cain & Abel

From this first screen, you can see that this is not your normal password-cracking tool. While the dictionary and brute-force options allow you to set up the character sets and heuristics you want to implement when cracking a password, the Sniffer, and in particular the APR tab, hint at the true power of this program.

Once you click OK, you will be taken to the program information screen. From this screen, you are able to access all the programs in Cain. Starting with the top left tab and moving right, the programs are as follows:

  • Protected Storage: This screen will show you the local password information used for items such as email accounts.

  • LSA Secrets: The Local Security Authority contains information related to the currently logged on user, assuming you are logged in as an administrator.

  • Network: Contains a network browser that can use IPC$ shares to enumerate local account information, shares, services running on the target computer, and more.

  • Sniffer: Discussed in the next section.

  • Cracker: Provides a breakdown of the captured passwords currently being cracked. From this screen, you can enable/disable the crack process, and determine which method of cracking (i.e. dictionary vs. brute force) is to be used.

  • Traceroute: An enhanced traceroute program that provides great detail about the routers a trace passed through.

  • CCD: An SNMP configuration file download tool.

In addition to these tools, Cain includes several quick password crackers/validators on the top tool bar. They include the following:

  • Base64 Decoder

  • Access MDB cracker

  • Cisco Type-7 and PIX decoder

  • VNC Decoder

  • Stars Revealer

  • Hash calculator

  • RSA SecurID Token Calculator

As you can see, there is quite a selection of tools available. However, all these tools are fairly basic, run-of-the-mill password crackers. The real power of Cain is found in its sniffer functionality and in Abel, both of which are discussed next.

The Cain Sniffer

A sniffer is a program that can capture data as it travels on a network. As previously discussed, the amount of traffic the sniffer has access to depends on whether or not the network card is in promiscuous mode. In addition, with the advent of the switch, a computer no longer has access to all the data flowing on the network. Thanks to smart switching devices, a computer's network card will only be passed information to which it is addressed, or data that is meant for all connected computers (broadcast). As a result, even if a network card is placed in promiscuous mode, it is not necessarily going to be able to sniff network traffic.

When a switch is initialized, it determines the MAC address of the card connected to each port. As the network cards communicate, the switch monitors the data and creates a table linking IP addresses with MAC addresses. Then, when a data packet enters the switch, it compares the destination IP address with the list of devices in its MAC address table to see which port it is to send the data on to. This table is called the ARP table.

The Address Resolution Protocol (ARP) is the standard that defines how MAC addresses are linked to IP addresses. However, there is a slight weakness in the protocol that allows a user to lie to a computer about the IP-to-MAC address translation. As a result, it is possible to trick two network devices into passing all their network traffic to a deceitful computer that can simply capture and then pass the information on to the intended target. This process is known as ARP spoofing, and it allows a computer to sniff network traffic even if there is a switch.
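The lie described above leaves a visible trace: the same IP address suddenly answers with a different MAC, and one MAC starts answering for several IPs. The following Python script is an added example for this article (not Cain & Abel code) that scans a constructed list of observed ARP replies for both symptoms; the addresses and the trusted gateway binding are assumed values.

```python
"""ARP Poison Routing (APR) detection over observed ARP replies.
Added example for this article, not Cain & Abel code; addresses and the
trusted gateway binding are assumed values for the demonstration."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

ArpReply = Tuple[int, str, str]  # (sequence number, sender IP, sender MAC)

# Constructed sample of ARP replies as a capture on the segment would show
# them. 192.168.1.1 is the gateway and 192.168.1.50 a workstation; the host
# with MAC ...:77 runs APR and in replies 4 and 5 announces both of their IPs
# with its own MAC, so each side sends its traffic through the APR host.
SAMPLE_REPLIES: List[ArpReply] = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),
    (2, "192.168.1.50", "00:11:22:33:44:50"),
    (3, "192.168.1.60", "00:11:22:33:44:60"),
    (4, "192.168.1.1", "00:11:22:33:44:77"),
    (5, "192.168.1.50", "00:11:22:33:44:77"),
    (6, "192.168.1.77", "00:11:22:33:44:77"),
]

# Known-good bindings, e.g. a static gateway entry (arp -s on Windows/Linux).
# Without one, the first reply seen could already be the poisoned one and
# would silently become the baseline.
TRUSTED: Dict[str, str] = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies: Iterable[ArpReply],
                         trusted: Optional[Dict[str, str]] = None) -> List[tuple]:
    """Flag two APR symptoms in a sequence of ARP replies.

    ("changed", seq, ip, old_mac, new_mac): an IP answered with a MAC other
        than its trusted or first-seen MAC (a host's view of the gateway
        being rewritten).
    ("multi_ip", mac, ips): one MAC answering for several IPs (the poisoner
        must impersonate both ends of a session to route it through itself).
    """
    binding: Dict[str, str] = {ip: m.lower() for ip, m in (trusted or {}).items()}
    ips_by_mac: Dict[str, set] = defaultdict(set)
    alerts: List[tuple] = []
    for seq, ip, mac in sorted(replies):
        mac = mac.lower()
        known = binding.get(ip)
        if known is None:
            binding[ip] = mac  # first sighting of this IP becomes the baseline
        elif known != mac:
            alerts.append(("changed", seq, ip, known, mac))
        ips_by_mac[mac].add(ip)
    for mac in sorted(ips_by_mac):
        ips = ips_by_mac[mac]
        if len(ips) > 1:
            alerts.append(("multi_ip", mac, tuple(sorted(ips))))
    return alerts


def suspect_macs(replies: Iterable[ArpReply],
                 trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """MACs implicated by either symptom, sorted, for a quick operator view."""
    macs = set()
    for alert in detect_arp_poisoning(replies, trusted):
        macs.add(alert[4] if alert[0] == "changed" else alert[1])
    return sorted(macs)


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, TRUSTED):
        print(alert)
    print("suspects:", suspect_macs(SAMPLE_REPLIES, TRUSTED))
```

A real deployment would feed the function from a packet capture or from periodic snapshots of the local ARP cache; the trusted dictionary is what keeps a poisoned first sighting from being accepted as normal.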

As a result of this, Cain can capture any number of passwords from numerous types of network traffic. The following list contains the types of passwords captured.

  • FTP

  • HTTP

  • IMAP

  • POP3

  • SMB

  • Telnet (entire session is captured)

  • VNC

  • TDS

  • SMTP

  • NNTP

  • MSKerb5-PreAuth

  • MSN

  • Radius-Keys

  • Radius-Users

  • ICQ

  • IKE-PSK

To help with the configuration of ARP spoofing, or as Cain and Abel puts it, APR (ARP Poison Routing), there are several tabs at the bottom of the Sniffer window that allow you to enter the target computers you wish to ARP spoof. In short, you will need to click the "+" sign on the toolbar and select the two IP addresses/MAC addresses that you want to spoof, as illustrated in this figure.

Figure 2: Setting up ARP Poison Routing.

Once the list is selected, simply click the yellow circle icon in the top left to start spoofing. You will see connections being established; however, be forewarned that by spoofing a connection you are turning your computer into a virtual router. This will slow down the targets' connections noticeably.

The power of ARP spoofing is illustrated clearly by the three associated APR tabs at the bottom of the sniffer window. The following summarizes their purposes.

  • APR-DNS: With this, you can turn your computer into a DNS server and redirect network requests to a target of your choice. For example, with this, you could set up a fake Paypal.com website, and redirect all Paypal users to your computer where they would happily log in, thus providing you their user/password.

  • APR-SSH-1: This feature collects SSH traffic and allows you to play man in the middle to an SSH session, which means you can capture all traffic that is sent between client and server, or in other words, completely bypass all the security measures SSH is well known for.

  • APR-HTTPS: When a user connects to an HTTPS site, their traffic is encrypted using SSL certificates, which makes sniffing the data useless. However, with Cain a user can place their computer between the target and the requested HTTPS website, which bypasses all security measures in place due to SSL encryption.

As you can see, Cain provides a level of sniffing that equals the type of auditing available on Linux. However, this program goes way above and beyond a simple sniffer with its second feature, Abel.

Abel

Cain and Abel is a two-part program. The previous discussion focused on Cain, which is for active sniffing and password collection. The accompanying part is Abel, which en-'Abels' a C&A user to take Cain to a remote computer.

Simply put, Abel is a remote extension to Cain that can be installed remotely and provides a remote connection to the target computer. In addition to a command shell, Abel allows a Cain user to pull the computer's account information, including the LSA information, which could provide valuable and sensitive data. This is all accomplished by selecting a computer from the list under the Network tab, and clicking into the objects until the 'Services' option is available. If the computer is properly protected against remote administration, accessing the Services will require you to provide a valid username/password. Once connected, simply right click on Services and select 'Install Abel'. After a quick refresh you will be granted access to a list of options, as illustrated in the figure below. Note the clearly depicted Command Line access to the remote computer.

Figure 3: Abel in action with Command Line power.

Summary

Cain and Abel is a powerful yet remarkably easy to use program full of all kinds of surprises. Obviously a tool like this can easily end up in the wrong hands, which makes understanding this program all the more important. Whether you use it for password audits, or just to see what kind of websites your users are logging into online, C&A should make you more familiar with what is traveling on your network.
