A Bootable Network Security Toolkit

No doubt, you already have a network security toolkit, and that toolkit probably changes as your network environment changes. One item that you might want to consider adding to your toolkit is the Network Security Toolkit (NST), which is a project developed and maintained by Ron Henderson and Paul Blankenbaker. The NST is available as a bootable CD-ROM or an International Organization for Standardization (ISO) downloadable im-age. It contains a variety of popular security tools, some of which you might already use and some of which you might not yet know about.

When you reboot a system with the NST CD-ROM loaded, a trimmed-down version of Redhat Linux 9 opens. After the OS is running, you can access the tools on the CD-ROM through the local console, through a serial connection, via the network from another system, or through a Web browser.

The tools included with NST are for the most part taken from a list of security tools that a group of security professionals voted as most popular. If you're familiar with Insecure.Org's Nmap Security Scanner, then you might have heard of Fyodor, the tool's creator. In June 2003, Fyodor surveyed Nmap users to determine their favorite security tools. Based on the feedback, Fyodor published "The Top 75 Security Tools," which you can find at http://www.insecure.org/tools.html. NST includes most of these tools.

Toolkit Contents
NST contains five native Windows applications that you can download via the NST Web UI and run on the Windows desktop. They are the Nessus scanner client, PuTTY (a Secure Shell—SSH—client), PuTTY Secure Copy (PSCP—a secure file-copying program), PuTTY Secure FTP (PSFtp—a secure FTP client), and TightVNC (a remote-desktop-control client).

In addition to those Windows-based tools, NST has dozens of Linux-based tools and tools that you can operate from a Web browser. I can't list every tool, but Table 1 shows some of the most popular ones. For a complete list of NST tools, see the NST 1.0.6 manifest at http://www.networksecuritytoolkit.org/nst/log/manifest-1.0.6.html. Note that by the time you read this article, NST 1.20 might be available, offering more tools and more functionality, such as the ability to install NST to a hard disk, Java runtime support, Basic Analysis and Security Engine (BASE) for Snort, and more.

Getting Started
To begin using NST, you'll first need to download a copy of the toolkit. The NST Web site (http://www.network securitytoolkit.org) contains a link to the Sourceforge download site, as well as links to technical information about NST, instructions for using the toolkit, an FAQ, and other useful information.

NST is available as an ISO file and as source code. Unless you know how to build the source code into executable files, you should download the ISO file. You can use any CD-ROM burning software to create a bootable CD-ROM from the ISO file. If you don't have CD-ROM burning software, you can use a shareware package such as Apollo Technology's Apollo. The trial version will let you burn CD-ROMs, data disks, music CDs, and video CDs. Another good CD-ROM-burning package is Ahead Software's Nero, which is also available as a fully functional trial version.

Boot the system with the NST CD-ROM you just created. NST ran fast and with no problems on my 350MHz Pentium II test system with 128MB of RAM and an Intel EtherExpress 10 NIC.

Each time you boot the system, you'll see a prompt to change the root password. After you change the root password, the system displays a logon prompt. Log on with the username root and the password you defined during the boot sequence. If you didn't change the root password (maybe you simply pressed Enter at the prompt), then use the default password nst123.

After you log on, you need to define an IP address for your network card unless you don't plan to connect the system to a network. If you have a DHCP server on your network, it should assign an address automatically. If you don't use DHCP, then you can either use the Ifconfig and Route commands to configure the IP address and gateway address manually or use NST's built-in scripts.

To configure your Ethernet parameters manually, use the following commands to deactivate the network interface, define the IP address as 192.168.0.100 with a 24-bit netmask of 255.255.255.0, and reactivate the interface:

ifconfig eth0 downifconfig eth0 192.168.0.100 netmask 255.255.255.0ifconfig eth0 up

You'll need to define a gateway address if you intend to route traffic to and from the system. To add a default gateway, you need to change the routing table. To do so, enter

route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.x.x.

where 192.168.x.x is the gateway address.

To use the built-in scripts to define an IP address and gateway address, open a command prompt and enter

cdnet

to change the current directory to a script directory. Next, enter

jed nst-eth0.192net

This command starts the jed text editor and opens the file nst-eth0.192net, in which you can define your IP address, netmask, and gateway. Save the file to disk and exit the editor. Next, enter the command

auto_config_net192

which will configure your network card with the parameters you entered in the nst-eth0.192net file and open the Ethernet interface. Your system should now be active on the network.

Now you're ready to use the toolkit. You can use one of several ways—console, serial connection, or network—to access NST's security tools. You can use NST at the local console to access all the tools. You can use PuTTY to log on via another system on the network, or you can use X Windows to connect to NST using another system that supports X Windows sessions (e.g., Linux or Apple Computer Macintosh systems). Some tools, such as Ethereal, require an X Windows environment.

You can also run X Windows on the local NST system, if you prefer a windowing desktop. To open X Windows on the local NST system, enter

setup_x

at a command prompt, then enter

startx

With X Windows running, you can open the Mozilla Firefox Web browser (which is included with NST) on the local system and connect to the NST Web UI. To start Firefox, go to a command prompt and enter

/usr/local/run_firefox

To connect to the NST Web UI, point your browser to https://192.168.x.x/nstwui, where 192.168.x.x is the IP address of the system on which NST is running. You can also use https:// 127.0.0.1, if you're accessing the address from the local NST system. Use the same username and password you used to log on to NST (i.e., root and the root password).

The NST Web UI, which Figure 1 shows, provides the easiest way to access most of the commonly used tools from another system on the network. The Web UI presents links to Snort, Analysis Console for Intrusion Databases (ACID), Nessus, Nmap, Kismet, BandwidthD, Ettercap, Firestarter, and other tools, some of which are listed in Figure 1. The Web UI also provides a useful interface for some of those tools. For example, Nessus security scanner provides Web-based output, as does BandwidthD. The Web UI also includes tools that monitor and control the server. For example, you can use the Web UI to check the Web logs, run commands, view processes, view devices, reboot the server, or power down the server.

I was able to launch the Snort intrusion-detection tool on Ethernet interface 1 by using only two mouse clicks. Of course, you might want to download the latest Snort signatures or change the Ethernet interface, which will take more than two mouse clicks. With Snort running, I used the Web UI to locate and launch ACID so that I could access the Snort logs. The NST documentation contains more information about using ACID.

Changing and Automating the NST Boot Sequence
You might need to modify the resources available when NST boots. For example, you might need USB, PC Card, or serial connectivity support. Or you might discover that your CD-ROM drive doesn't support SCSI emulation, and you need to use native CD-ROM IDE instead.

You can choose from a variety of boot options when NST begins to load. The boot sequence will pause for a few seconds and present a screen on which you can select from a list of kernel boot configurations and boot options, as Figure 2 shows. If you don't press a key within 5 seconds, NST will boot with the default configuration settings. If NST fails to boot on your system, reboot and watch for the boot options menu because an alternative boot configuration might work for you.

You might also want to automate some of the NST procedures that you use routinely. For example, if you often assign a particular IP address, mount certain Windows-based shares, or start X Windows and launch Firefox, you can create custom scripts to automate those processes. You can't save the scripts to CD-ROM without modifying the CD-ROM ISO file, so you'll need to store your scripts on external media. NST supports the use of 3.5" disks, USB drives, hard disks, and even Web servers to host shell scripts, additional programs, and other items.

NST includes a script called lnstcustom that can help you automate certain tasks, such as accessing external media. The section of the NST documentation called "Automating Your Setup with lnstcustom" explains how to mount various file systems and store automation scripts on them. Then you can use Instcustom to launch the scripts.

Modifying the NST ISO Image
If you want to modify NST and you're familiar with Linux, you can modify the toolkit and rebuild an ISO image file on a Linux system. The documentation walks you through the process of rebuilding the package and creating a new ISO image file. If you don't want to rebuild the package, you can use a tool such as WinISO Computing's WinISO (http://www.winiso.com) to extract all the files from the ISO image, modify the ISO contents, then recreate an ISO image file. Make sure that you don't add so much material to the ISO file that it no longer fits on one CD-ROM.

I used WinISO to modifiy NST, and the $30 tool was easy to use and performed well. I simply launched WinISO, opened the image file, and clicked Add to add other programs to the ISO image. Next, I clicked File, Save As to save the ISO image under another filename. I then used CD-ROM burning software to create a bootable NST CD-ROM.

Tooling Up
NST is a great toolkit to have at your disposal. It's portable, runs on a wide variety of hardware platforms, contains many useful tools, and provides access to many network resources. NST also includes CD-ROM-burning tools that you can use to recover data from machines that won't boot (as long as the drives aren't completely dead). If you have little Linux experience, NST provides a good way to become familiar with the OS and its associated security tools. Download a copy and check it out.