The Auditor Security Collection

Finding the right utility or tool can shave a significant amount of time and effort from a given task or even let you complete tasks that would otherwise be impossible. Many of us have discovered our favorite tools by word of mouth or while looking for the solution to a particular problem. But as you know, finding a great tool is only half the battle: You must then download and install it, learn to use it in your environment, and figure out how to fit it into your existing security toolkit.

Why not let someone else collect and configure several worthwhile tools into a ready-made, portable toolkit? Many savvy administrators are doing just that. Numerous toolkit developers and organizers are using Linux, which lets them customize the OS around their chosen suite of tools, to make bootable CD-ROM toolkits. One such kit is the free Auditor security collection, a set of security tools and utilities organized into the following categories: Footprinting, Scanning, Analyzing, Spoofing, Bluetooth, Wireless, Bruteforce, and Password cracker. If you haven't yet created a security toolkit, Auditor is a great place to start. Those who already have a kit will find it an able, easy-to-use platform, with a few caveats (be sure to read the sidebar "Before You Begin,").

Downloading the Toolkit
Download the most recent version of the Auditor image from http://www.remote-exploit.org and burn the image to a CD-ROM. Auditor's organizers have based the collection on KNOPPIX, a popular bootable CD-ROM collection of GNU and Linux software that supports automatic hardware detection and popular graphics cards; sound cards; Advanced Configuration and Power Interface (ACPI), SCSI, and USB devices; and other peripherals. (Visit http://www.knopper.net/knoppix/index-en.html for more information about KNOPPIX.)

Next, boot the Auditor CD-ROM on a computer that supports CD-ROM bootable images. The contents of the host system's hard disk are unaffected by Auditor, so when you finish running the program, simply remove the CD-ROM and reboot the computer to return it to its regular OS and configuration.

Auditor will ask you to specify the system's resolution (from 800×600 up to 1600×1200) and keyboard (e.g., American-US). The application will default to the Swiss-German keyboard mapping, so be sure to select the proper keyboard or your key mappings will be incorrect. Auditor's load time is fairly quick: only a minute or two on a 2.4GHz Pentium 4 system. After loading, Auditor logs you in as the root user of a simple yet efficient X Window desktop interface, which Figure 1 shows. From this desktop, you can explore the collection's many tools (listed in Web Table 1, http://www.windowsitpro.com/windowssecurity, InstantDoc ID 44648, along with Auditor's additional applications and utilities) through the available menus or through a command prompt. You can access all the Auditor programs through the Go menu, which is an expanding directory structure similar to the Windows Start menu. From the Go menu, you can select from five top-level directories—Auditor, Applications, Utilities, Configuration, and Documentation—or you can select the Terminal option to open a window from which to invoke command-line tools.

Configuring Auditor
Each reboot of the Auditor CD-ROM creates a clean installation of the entire system. Therefore, you must reconfigure your network settings each time you boot Auditor. Happily, Auditor does a good job of keeping its configuration processes brief.

First, you need to configure the host system's NIC. To do so, expand the top-level Configuration directory and click Configure your network interface. This action launches a simple script that walks you through a basic network configuration. The first dialog box lists the NICs that Auditor detects; the second dialog box asks whether to use DHCP. These dialog boxes aren't as descriptive as some that I've seen in other Linux distributions, so if your system has multiple NICs, I suggest you collect each NIC's MAC address to use as a reference during the configuration process.

If the system has a wireless card, expand the Configuration directory and click Configure your wireless interface. Enter the Extended Service Set Identifier (ESSID)/Network name, the preferred channel, and the Wired Equivalent Privacy (WEP) standard encryption key. Be aware that Auditor doesn't support more sophisticated Wi-Fi technologies such as Wi-Fi Protected Access (WPA) and doesn't support all wireless cards, so be sure to check out the Auditor Web site for compatibility information. Also be aware that many of the scanning tools will function even when you don't associate your card with a wireless network.

After configuring your system's NICs, you can test your configuration by running some of Auditor's networking programs (e.g., a Web browser) or by running a network utility such as Ping. Many Linux network tools use the Libpcap packet-capture library, which lets applications access raw packets in promiscuous mode. Essentially, Auditor has efficient, low-level access to any network traffic that your computer is tapped into. For example, after booting Auditor on my laptop, configuring the built-in Ethernet NIC, and plugging it into the network, I was able to begin sniffing packets in less than 5 minutes. Auditor's basic packet-sniffing programs—Tcpdump and Ngrep—worked out of the gate, with no additional configuration. To test your configuration, try capturing packets from your network by running Tcpdump from a command line:

tcpdump -i eth0

where eth0 represents your configured interface. Tcpdump supports promiscuous mode, so if you plug this interface into a hub or a switch port that has been configured to mirror network traffic, you should be able to see not only traffic to and from your computer but network traffic between all computers on that hub or mirror. Many of Auditor's more sophisticated tools rely on this functionality, so test it by running a basic program such as Tcpdump, and resolve any problems before you try out the other tools.

Many of Auditor's tools log data for subsequent analysis, but the bootable CD-ROM format means that Auditor doesn't have a hard disk on which to store the information. Therefore, Auditor creates a RAM drive on which it stores data. On my laptop, which has 1GB of RAM, Auditor automatically configured a RAM drive of just less than 500MB. This drive will be destroyed when you power down the computer, so it's a good idea to offload the data to the network or a USB Memory Stick if you need to save the data. Auditor also includes several network client tools (supporting FTP and Server Message Block—SMB—shares) that you can use to copy data from the Auditor computer.

Auditor also gives you an option to configure a USB Memory Stick on which you can store Auditor configuration and customization data. If you do so, some of the data will persist between reboots, and you can transfer it to a different system. To configure your Memory Stick, select Prepare a USB memorystick from Auditor's Configuration menu. When prompted, specify the location (e.g., sda1) and complete the installation by rebooting Auditor with the Memory Stick plugged in. After reboot, Auditor will read many of its configuration settings from the Memory Stick and will associate /home/root with the Memory Stick.

Footprinting Tools
Auditor's footprinting tools include a variety of Whois, Traceroute, DNS lookup, and HTTP/HTTP Secure (HTTPS) discovery tools; SNMP scanners; Lightweight Directory Access Protocol (LDAP) and SMB enumerators; and tools designed specifically for OS detection. For example, the Greenwich Whois client lets you enter a domain name, then quickly fetches the applicable domain information. Gnetutil provides a quick method for pinging, executing traceroutes, and resolving DNS records from a single application. The small command-line tool Itrace executes an Internet Control Message Protocol (ICMP) traceroute in less than 1 second, and Tctrace lets you initiate TCP SYN—based traceroutes. The programs Curl and Stunnel let you inspect Web traffic; Tkmib lets you connect to an SNMP-enabled device and walk its SNMP MIB settings, essentially querying the remote device for all its SNMP-exposed information. Auditor also includes Snmpwalk—a command-line MIB-export tool—and Arpfetch, which dumps the mapping of a MAC address to an IP address from a device such as a router. Auditor includes several SMB-auditing tools to help you inspect your Windows-based networks. LinNeighborhood and Xsmbrowser let you enumerate and mount Windows-based shares by using anonymous or authenticated credentials. (You can use these tools to enumerate or browse shares or copy data from your Auditor sessions back to your Windows desktop, as Figure 2 shows.) The command-line tool Smbdumpusers exports lists of users.

Scanning Tools
Auditor includes a number of scanners to help you detect security vulnerabilities, discover open TCP/IP ports, identify Web servers, and enumerate Windows networks. The popular Nmap and Nmapfe provide robust TCP/IP port scanning using a variety of techniques; I recommend these tools especially. Launch a ready-to-run configuration of Nessus to initiate vulnerability scans of remote hosts or networks, as Figure 3 shows. Nessus, which is a client-server application that requires a fair amount of configuration when run on its own, demonstrates Auditor's usefulness; by using Auditor, you can launch Nessus and begin scanning for vulnerable hosts without going through the Nessus configuration process. To quickly enumerate the current Windows systems on your network, check out Nbtscan—a fast scanner that returns the IP address, NetBIOS name, and MAC address of all Windows systems within a specified network range. Whereas a tool such as Ping can return cached (and invalid) DNS results, you can be confident of Nbtscan's reported IP address—to—NetBIOS name mappings because the tool actively queries systems. Auditor includes other scanners as well, ranging from port scanners to scanners that focus on discovering potential vulnerabilities.

Analyzing Tools
The analyzing tools include network, password, and application analyzers. The network analyzers include the popular Ethereal, Etherape, Ettercap, and Iptraf sniffers. These programs can capture packets in promiscuous mode and work best when connected to a mirrored port on a switch or a hub (or in conjunction with an Address Resolution Protocol—ARP—spoofer, as I explain in the next section). Ethereal provides a robust network packet analyzer, complete with sophisticated, customizable packet-capture and -display filters. Etherape also listens for packets on your network but presents the data as a graphical map of the protocol-level conversations between computer systems. The thicker the line, the more traffic a node is generating. Watching your network nodes pulsing in size and color as they communicate with other systems is interesting if not downright addictive. Etherape is great for quickly identifying top talkers on smaller networks. The password analyzer includes Dsniff, which looks for username and password combinations used in Telnet, FTP, SNMP, HTTP, and other application-layer traffic, then records the data to the screen or an output file. Using a program such as Dsniff can help you find unsecured systems or practices without making you wade through mounds of packet captures or configure specialized packet-capture filters. Similarly, the Mailsnarf tool has you set up specific SMTP-based mail filters to alert you about all or specific messages (depending on keyword filters that you set). For example, you could create a filter consisting of the keyword confidential, then place that filter inline with an outbound SMTP mail server to sound an alarm alerting you to potentially damaging outbound email correspondence. Mailsnarf searches entire messages for keywords. So in this example, if a user were to flag a message as Company-Confidential in Microsoft Outlook, Mailsnarf would capture the message. In much the same fashion, Auditor's Urlsnarf can alert you to potentially problematic HTTP traffic.

Spoofing Tools
The Auditor collection includes many spoofing tools designed to spoof ARP, DNS, DHCP, ICMP, UDP/TCP/IP, Cisco routing protocols, and Wake on LAN (WOL) protocols. Spoofing tools let you generate for testing purposes (e.g., for checking a firewall or Intrusion Detection System—IDS—rule) most types of packets used for subverting or exploiting vulnerable systems. Use the graphical IP Sorcery Packet Generator or the command-line tools Nemesis or Hping2 to generate most types of TCP/UDP packets from the command line. You can spoof not only the source and destination IP address and port but also many packet characteristics (e.g., you can create a TCP packet with the SYN flag or FIN flags set, you can create a packet of a certain size). For example, use Hping2 to create a custom packet designed to trip a specialized IDS rule that might otherwise be difficult to test.

You can use Auditor to set up basic penetration-testing labs. For example, set up a DNS server, a client computer, and an "attacker" system that runs Auditor. On the attacker, run Arpspoof to impersonate the DNS server's IP address. Also on the attacker, run Dnsspoof with a HOSTS file that contains bogus name-to—IP address mappings. From the client computer, try pinging a legitimate host on your network. Arpspoof will intercept the ARP broadcast for the real DNS server and replace it with the attacker's MAC address. The client will initiate a connection with the attacker to make its DNS query. Dnsspoof on the attacker will answer the request instead of the real DNS server. Many more scenarios are possible and let you get the experience you need to prepare for (or simply learn about) these types of attacks. Of course, try out such experiments on test systems only, and only with the blessings of your manager.

Bluetooth and Wireless Tools
The Auditor collection also includes a Bluetooth scanner and several wireless scanners and auditing tools. To use these wireless scanning programs, configure a wireless connection using a compatible Wi-Fi card, then run one of the wireless scanners such as Kismet or Wellenreiter to log Wi-Fi packets and perform basic Wi-Fi packet analysis. Kismet presents you with detected Wi-Fi clients and wireless Access Points (APs) and reports the type, Service Set Identifier (SSID), and whether the packet is encrypted, among other settings. Auditor also includes several WEP and Light Extensible Authentication Protocol (LEAP) encryption-cracking tools that can demonstrate the importance of using WPA and Temporal Key Integrity Protocol (TKIP) to secure your wireless network. Other tools include a management-packet spoofer, a tool to change your MAC address, and an AP- emulation utility.

Bruteforce and Password-Cracking Tools
Auditor's "bruteforce" tools comprise a collection of attack tools designed to gain entry by hammering programs with an onslaught of character combinations and password files until they find the correct combination. These programs attempt to penetrate applications that use HTTP, LDAP, SMB, SNMP, Secure Shell (SSH), or Virtual Network Computing (VNC). The password-cracking tools include several open-source password-auditing tools that can be used to penetrate weaker Windows passwords or password-protected .zip files.

Other Programs
Auditor's Applications folder contains links to Mozilla's Firefox and Dillo Web browsers, the Gftp FTP client, the Gimp graphics program, and the Gedit text editor. Nearly all these tools can be launched from the Go menu.

The Utilities directory also contains a number of useful tools. You can use Xpdf to view PDF documents; use Rdesktop to launch remote desktop sessions on Windows computers; or use Xvncviewer to launch remote desktop sessions on other VNC-enabled computers. This directory also contains the Coolman manpage viewer, which is useful for reviewing documentation, and the X Northern Captain file manager.

The Documentation directory contains links to the man files for most of the included tools. The documentation is generally the same as that available with each tool and thus varies in depth depending on the tool. Some tools' documentation includes pages of detailed description; others consists of a simple paragraph showing the command and supported parameter switches.

In a Nutshell
All the tools that you'll find in the Auditor security collection are freely available separately on the Internet, but Auditor brings all these tools together in one easy-to-use package. The tools are ones that you should become familiar with. Several of them can be used against you, and their ready availability makes it especially important to be able to recognize them and even use them in your test environment so that you know how to keep this from happening.