Tuesday, December 2, 2008

security tools exploration with live bootable ubuntu DVD

For this assignment I have re-mastered a Linux distribution called Ubuntu, which is based on Debian Linux. The main purpose of the assignment is to implement security tools from different categories and perspectives on a custom live bootable DVD. The tools I chose to include in this DVD are: nmap, zenmap, tripwire, snort, ettercap, wireshark, kismet and john, along with the default packages which are pre-installed on Ubuntu. Below I describe each tool's general purpose, how it is used, where it lives in my distributable live Linux DVD and how to run it.

Nmap is a tool created by Fyodor and hundreds of other contributors who helped develop the open source security audit tool. It is one of the more popular security tools; it provides port scanning of remote hosts, among many other features for customizing the scan of a network host or for exploring whole subnets. Nmap uses raw IP packets in different ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and versions) they are running, what type of packet filters/firewalls are in use, and the list goes on. This tool was successfully installed and tested on my live Linux by opening a terminal window and running the command nmap google.ca; the output shows that google.ca has ports 80 and 443 open. The path to the tool in the live Linux is /usr/bin/nmap.

Zenmap is a graphical user interface version of nmap which acts as a front-end and results viewer. It aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. The many options and switches that nmap provides are easier to use in zenmap because of its graphical interface with menus, and host scans and results can be saved to be viewed later. For more information visit the online guides. The tool was tested successfully on my live Linux by opening a terminal and typing zenmap, which pops up a warning that some features should be run as root; clicking “ok” still opens the tool as a normal user. If you would like to open the tool as root or super user, type sudo zenmap in the terminal. The path location of zenmap is /usr/bin/zenmap.

Tripwire is a data integrity tool, used for monitoring and alerting when specific file changes on a system occur. It functions as a host-based intrusion detection system. There are many options to configure which files you would like to monitor; the configuration files are in the default location, the /etc/tripwire/ directory, which includes the twcfg.txt and twpol.txt files. To initialize the database of tripwire I ran tripwire --init. The path for the tripwire command is /usr/sbin/tripwire.
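As an added illustration of the idea behind tripwire --init and a later integrity check (this is not Tripwire's own code; the monitored directory, file names and contents below are constructed for the demo), a minimal baseline-then-compare script that records file hashes and reports anything modified, added or removed:

```shell
#!/bin/sh
# Illustrative file-integrity baseline and check, in the spirit of
# `tripwire --init` and a later `tripwire --check`. Added example, not Tripwire
# code; all paths and file contents are constructed for the demo.

# build_baseline DIR DBFILE: record "<sha256>  <path>" for every regular file
# under DIR into DBFILE (Tripwire keeps this as a signed database).
build_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# check_integrity DIR DBFILE: rehash DIR and compare against the baseline.
# Prints one "MODIFIED|ADDED|REMOVED <path>" line per change (paths containing
# whitespace are not handled); returns 0 when nothing changed, 1 otherwise.
check_integrity() {
    base=$2
    cur=$(mktemp)
    build_baseline "$1" "$cur"
    report=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                  !($2 in base)     { print "ADDED " $2; next }
                  base[$2] != $1    { print "MODIFIED " $2 }
                                    { delete base[$2] }
                  END { for (p in base) print "REMOVED " p }' "$base" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo: baseline a constructed "etc" tree, then tamper with it and re-check.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'root:x:0:0\n' > "$work/etc/passwd"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    build_baseline "$work" "$work.db"          # like tripwire --init
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"   # tamper
    printf '#!/bin/sh\n' > "$work/etc/rc.local"                # new file
    check_integrity "$work" "$work.db"         # like tripwire --check
    rc=$?
    rm -rf "$work" "$work.db"
    return $rc
}

if demo; then echo "baseline intact"; else echo "integrity violations detected"; fi
```

The database must live outside the monitored tree (and, in real Tripwire, be signed), otherwise the check would flag its own baseline file.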

Snort is an open source network intrusion detection and prevention system. It is capable of performing real-time packet logging and traffic analysis on a desired network. To test snort I opened a terminal in the live boot and typed snort at the command prompt; the various options were displayed on screen. To test various options of snort I ran snort -I to set the interface on which snort should listen. The snort program is located at /usr/sbin/snort.

Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. To test if ettercap is working on my live Linux, I opened a terminal and typed ettercap; the options display on the screen. Next I could use bridged or unified sniffing if I had two targets on the LAN, for example running ettercap with the first and second IP addresses as target one and two respectively to run the attack on them. The ettercap program is located at /usr/sbin/ettercap.

Wireshark is a GUI packet sniffer, created by Gerald Combs among hundreds of contributors. The program uses pcap to capture packets; there are many filtering options as well as highlighting of different protocols, and logical descriptions of each packet within the program display. For example, when an ARP request is received the description reads “Who has …? Tell …”, which makes this a great learning tool for ACKs and other packets and protocols in general. Wireshark can be run by typing wireshark in the terminal or by clicking the shortcut which is under “Application” > “Internet” > “Wireshark”. The wireshark program is located at /usr/bin/wireshark.

Kismet is a packet sniffer that can be put into monitor (rfmon) mode to sniff wireless network traffic and analyze or audit your wireless network's security. It also features intrusion detection and will work on any wireless card that supports raw monitoring (rfmon). To test it on my live distro I opened the terminal and typed sudo kismet; the options show up on the screen. To further test this program I would need to have a wireless NIC, which I currently don’t own, but it will be very useful once I get a chance to boot this live DVD on a laptop. The path to kismet is /usr/bin/kismet.

John is the password cracking tool I chose. The full name of the program is John the Ripper. Written by Solar Designer, it is one of the most popular password testing/breaking programs; it combines many password crackers inside it, and the great thing is that it auto-detects password hash types, which include DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others. To see if the program is functioning I can unshadow a user and the hashed password, then crack it with the john pass.txt command in the terminal, where pass.txt is the file with the hash inside it. The location for john in the distribution is /usr/sbin/john.

This was a very interesting challenge from both the tool discovery and the Linux distribution creation perspectives. I had imagined that making a live bootable DVD would be more time-consuming than this project ended up being. With the help of a neat open source program called remastersys, which is fairly easy to install on Ubuntu, one can create a distributable Linux with the chosen packages, tools and some settings, which get transferred to a new image file that can then be burned to DVD or booted from virtual machine software within the operating system for testing purposes. This DVD will come in very handy in situations where a bootable system is required, with the packages that Ubuntu doesn’t normally come with. I enjoyed making the distribution as well as discovering new tools with many interesting and powerful features.
