Thursday, December 11, 2008

Linux Gateway automated Script by MAC addresses

Note: this script was tested in a pod environment and works on CentOS 5.2, so it is likely to work on most Red Hat derived distributions (Fedora, RHEL, CentOS), but it has not been tested on Fedora or RHEL.

First create a scripts directory in /:
$ mkdir /scripts

Now inside it create these files (works best by copying and pasting). I use vi, so the command is:
$ vi /scripts/MAClist

(edit the MAC addresses as needed)
===============================================
#POD 1
#export P1W0= # Router's External Interface
#export P1W1=
#export P1W2=
#export P1W3=
#export P1W4=

#POD 2
export P2W0=00:16:76:35:81:38 # Router's External Interface
export P2W1=00:02:B3:1C:AE:CF # Internal - dhcp
export P2W2=00:16:76:35:83:3A # nfs
export P2W3=00:16:76:35:80:20 # dns
export P2W4=00:16:76:35:7E:66 # nis

#POD 3
#export P3W0= # Router's External Interface
#export P3W1=
#export P3W2=
#export P3W3=
#export P3W4=
===============================================


Next is the function file (shown below with indentation):
$ vi /scripts/functions
================================================
#!/bin/bash

getMAC() {
    #
    # this function will output all MAC addresses on the system,
    # one per line (parses net-tools ifconfig output)
    #
    ifconfig -a | grep HWaddr | awk '{print $5}'
}

getInterface() {
    # set iface to the interface name (i.e. eth0, eth1) that carries $thisMAC;
    # the caller must set thisMAC first
    iface=$(ifconfig -a | grep "$thisMAC" | awk '{print $1}')
}

isMAC() {
    thisMAC=`getMAC`
    #
    # this function can only handle a system with 1 NIC correctly
    #
    REQ=`echo $1 | tr '[a-z]' '[A-Z]'`
    if [ "$REQ" = "${thisMAC}" ]
    then
        return 0
    else
        return 1
    fi
}

existMAC() {
    allMAC=`getMAC` # get all MACs in this system
    #
    # this function can handle a system with more than one MAC address
    #
    iMAC=`echo $1 | tr '[a-z]' '[A-Z]'` # look for this MAC address
    if [ "$iMAC" != "" ]
    then
        rMAC=`echo "$allMAC" | grep "$iMAC"`
        if [ "$rMAC" = "$iMAC" ]
        then
            return 0 # does exist
        else
            return 1 # does not exist
        fi
    else
        return 1 # no MAC address given
    fi
}

getDevName() {
    MAC=$1 # find out what device name is assigned to this MAC
    if [ "$MAC" = "" ]
    then
        : # OR echo need a MAC address
    else
        DevName=$(/sbin/ifconfig -a | grep HWaddr | grep "$MAC" | awk '{print $1}')
        if [ "$DevName" = "" ]
        then
            : # OR echo No such MAC address
        else
            echo $DevName
        fi
    fi
}
================================================


And finally the main script (shown below with indentation):
$ vi /scripts/network.bash
================================================
#!/bin/bash

[ -f /scripts/functions ] && . /scripts/functions
# load getMAC(), isMAC(), existMAC(), and getDevName() functions

[ -f /scripts/MAClist ] && . /scripts/MAClist
# the file MAClist contains the list of MAC addresses and which system they belong to
# e.g. P1W0=00:16:2A:03:AB:1F:34 - external NIC interface in router on POD 1
# e.g. P1W1=00:39:00:32:23:FD:09 - internal NIC interface in router on POD 1
# e.g. P1W2=00:39:00:11:32:CC:10 - internal NIC interface in host 2 on POD 1

allMAC=`getMAC`
for thisMAC in $allMAC
do
    # find the interface on this machine that carries thisMAC
    iface=$(getDevName $thisMAC)

    for POD in 1 2 3 4 5 6 7 8 9 10
    do
        for WS in 0 1 2 3 4
        do
            A=P${POD}W${WS}
            B=${!A}   # value of the variable named P<POD>W<WS> from MAClist

            if [ "$thisMAC" = "$B" ]
            then
                # set the NIS domain name for this POD
                domainname nis.pod$POD.com

                if [ ${WS} -eq 0 ]
                then
                    # WS 0 -> external interface
                    # get IP from Lab's DHCP server for the external interface

                    # setup NAT for the external interface
                    # (the FORWARD chain keeps its default policy; add filtering rules here if needed)
                    iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE

                    # setup IP forwarding
                    echo 1 > /proc/sys/net/ipv4/ip_forward

                    echo
                    echo "This is WS 0 (Router)"

                elif [ ${WS} -eq 1 ]
                then
                    # WS 1 -> the router's internal interface, 172.16.P.1 for POD P
                    ifconfig $iface 172.16.$POD.$WS netmask 255.255.255.0 broadcast 172.16.$POD.255 up
                    echo "This is WS 1"
                else
                    # WS 2,3,4 -> internal interface
                    # network 172.16.P.1 - 172.16.P.254 for POD P
                    ifconfig $iface 172.16.$POD.$WS netmask 255.255.255.0 broadcast 172.16.$POD.255 up

                    # assign default gateway (the router's internal interface) for a system with only 1 NIC
                    route add default gw 172.16.$POD.1

                    # set whatever you need for this NIC with thisMAC
                    echo "This is WS 2-4"
                fi

                echo "NIC on POD $POD WS $WS matched this MAC - $thisMAC on interface $iface"
                echo
            fi
        done
    done
done
================================================

Test your scripts by running the final script:
$ . /scripts/network.bash

You may need to set permissions first:
$ chmod 755 /scripts/*
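Because MAClist decides which machine becomes the NAT router and which become workstations, a typo or a duplicate entry quietly gives a host the wrong role. The following bash script is an added example, not part of the original post: it checks a MAClist file in the post's "export P<pod>W<ws>=<MAC>" format for malformed or duplicate addresses and looks up which POD/WS a MAC maps to; the sample list it writes is constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check a MAClist file before
# network.bash consumes it, and look up which POD/WS a MAC maps to; a typo or
# duplicate there silently gives a host the wrong role (e.g. becoming the NAT router).

# validMAC MAC -> returns 0 if MAC is six hex octets separated by colons
validMAC() {
    echo "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# checkMAClist FILE -> prints one problem per line, returns 1 if any were found
checkMAClist() {
    local file=$1 rc=0 seen="" line var mac
    while IFS= read -r line; do
        # only active assignment lines; skip comments, blanks and disabled pods
        case $line in export\ P[0-9]*W[0-9]*=*) ;; *) continue ;; esac
        var=${line#export }; mac=${var#*=}; var=${var%%=*}
        mac=$(echo "${mac%%#*}" | tr -d ' ' | tr 'a-z' 'A-Z')   # drop trailing comment
        if ! validMAC "$mac"; then
            echo "$var: malformed MAC '$mac'"; rc=1; continue
        fi
        case " $seen " in *" $mac "*) echo "$var: duplicate MAC $mac"; rc=1 ;; esac
        seen="$seen $mac"
    done < "$file"
    return $rc
}

# lookupPodWS MAC -> prints "POD WS" for MAC (source MAClist first); returns 1 if unassigned
lookupPodWS() {
    local pod ws val mac=$(echo "$1" | tr 'a-z' 'A-Z')
    for pod in 1 2 3 4 5 6 7 8 9 10; do
        for ws in 0 1 2 3 4; do
            eval "val=\$P${pod}W${ws}"      # same indirection network.bash uses
            [ "$val" = "$mac" ] && { echo "$pod $ws"; return 0; }
        done
    done
    return 1
}

# Constructed sample list (not the post's real one): one malformed, one duplicate
writeSampleMAClist() {
    cat > "$1" <<'EOF'
#export P1W0= # Router's External Interface (pod disabled)
export P2W0=02:00:00:00:00:01 # Router's External Interface
export P2W1=02:00:00:00:00:02 # Internal - dhcp
export P2W2=02:00:00:00:00:03:FF # nfs (seven octets)
export P2W3=02:00:00:00:00:01 # dns (same MAC as P2W0)
EOF
}
```

Run checkMAClist /scripts/MAClist before network.bash and refuse to bring interfaces up if it reports anything.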

If you find anything interesting or missing something from this tutorial feel free to leave a comment.

Tuesday, December 2, 2008

security tools exploration with live bootable ubuntu DVD

For this assignment I have re-mastered a Linux distribution called Ubuntu, which is based on Debian Linux. The main purpose of the assignment is to implement security tools from different categories and perspectives on a custom live bootable DVD. The tools I chose to include on this DVD are: nmap, zenmap, tripwire, snort, ettercap, wireshark, kismet and john, along with the default packages which are pre-installed on Ubuntu. Below I describe each tool's general purpose and use, where it is located on my distributable live Linux DVD, and how to run it.


Nmap is a tool created by Fyodor and hundreds of other contributors who helped develop the open source security audit tool. This security tool is one of the more popular ones; it provides port scanning of remote hosts among other features to customize the scan of a network host or even explore subnets. Nmap uses raw IP packets in different ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and versions) they are running, what type of packet filters/firewalls are in use, and the list goes on. This tool was successfully installed and tested on my live Linux by opening a terminal window and running the command nmap google.ca; the output shows that google.ca has ports 80 and 443 open. The path to the tool in the live Linux is /usr/bin/nmap.


Zenmap is a graphical user interface version of nmap which acts as a front-end and results viewer. It aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. The many options and switches that nmap provides are made easier when using zenmap because of the easy-to-use graphical user interface with menus, as well as saving host scans and results to be viewed later. For more information visit the online guides. The tool was tested successfully on my live Linux by opening a terminal and typing zenmap, which will then pop up a warning that some features should be run as root; clicking “ok” will still open the tool as a normal user. If you would like to open the tool as root or super user then type sudo zenmap in the terminal. The path location of zenmap is /usr/bin/zenmap.


Tripwire is a data integrity tool, used for monitoring and alerting when specific file changes on a system occur. It functions as a host based intrusion detection system. There are many options to configure which files you would like to monitor; the configuration files are located in the default /etc/tripwire/ directory, which includes the twcfg.txt and twpol.txt files. To initialize the tripwire database I ran tripwire --init. The path for the tripwire command is /usr/sbin/tripwire.

Snort is an open source network intrusion detection and prevention system. It is capable of performing real time packet logging and traffic analysis on a desired network. To test snort I opened a terminal in the live boot and typed snort at the command prompt; the various options were displayed on screen. To test various options of snort I ran snort -I to set the interface on which snort should listen. The snort program is located at /usr/sbin/snort.


Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. To test if ettercap is working on my live Linux, I opened a terminal and typed ettercap; the options display on the screen. Next I can use bridged or unified sniffing if I had two targets on the LAN, for example ettercap 192.168.1.3 192.168.1.4, the first and second IP being target one and two respectively, to be able to run the attack on them. The ettercap program is located at /usr/sbin/ettercap.


Wireshark is a GUI packet sniffer, created by Gerald Combs among hundreds of contributors. The program uses pcap to capture packets; there are many filtering options as well as highlighting of different protocols, and logical descriptions within the program display. For example, when an ARP packet is received the description shows “who is 192.168.1.2? tell 192.168.1.3”, which makes this a great learning tool for ACK and other packets and protocols in general. Wireshark can be run by typing wireshark in the terminal or by clicking the shortcut which is under “Application” > ”Internet” > ”Wireshark”. The wireshark program is located at /usr/bin/wireshark.


Kismet is a packet sniffer that can be put into permissive mode to sniff wireless network traffic and analyze or audit your wireless network's security. It also features intrusion detection, and will work on any wireless card that supports raw monitoring (rfmon). To test it on my live distro I opened the terminal and typed sudo kismet; the options show up on the screen. To further test this program I would need to have a wireless NIC, which I currently don't own, but it will be very useful once I get a chance to boot this live DVD on a laptop. The path to kismet is /usr/bin/kismet.


John is the password cracking tool I chose. The full name of the program is John the Ripper. Written by Solar Designer, it is one of the most popular password testing/breaking programs; it combines many password crackers inside it, and the great thing is it auto-detects password hash types, which include DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others. To see if the program is functioning I can unshadow a user and the hashed password, then crack it with the john pass.txt command in the terminal, where pass.txt is the file with the hash inside it. The location for john in the distribution is /usr/sbin/john.


This was a very interesting challenge from both the tool discovery and the Linux distribution creation sides. I had imagined that making a live bootable DVD would be more time consuming than this project ended up taking. With the help of a neat open source program called remastersys, which is fairly easy to install on Ubuntu, you can create a distributable Linux with the chosen packages, tools and some settings, which get transferred onto a new image file that can then be burned to DVD or booted from virtual machine software within the operating system for testing purposes. This DVD will come in very handy in situations where a bootable system is required, with the packages that Ubuntu doesn't normally come with. I enjoyed making the distribution as well as discovering new tools with many interesting and powerful features.