Linux Lockpicks for Whitehat Locksmiths

Thursday Jan 4th 2007 by Paul Rubens

Sure, plenty of the "security tools" your neighborhood script kiddy uses aren't built with your best interest at heart. That doesn't mean they aren't still useful.

Script kiddies, far eastern organized crime gangs, disgruntled employees: you name them and the chances are that at some point in the future your network will come under attack from them. In fact it probably already has.

Network security is a tricky problem for administrators because there's nothing you can do to make your network completely secure forever – security is a continuous process, and the aim must be to make it secure enough to make the risk of penetration acceptable, at an acceptable cost.

One of the difficulties is that in order to decide if your network is secure enough, you need to know how secure it really is. You can adopt security best practices and issue security policies and guidelines until you're blue in the face, but unless users stick to them, what you actually have is a network which is far less secure in practice than it is on paper. The employee that installs his own wireless access point or brings his home laptop in to work and connects it to the network can blow any notion of network security out of the water in an instant.

One of the best ways to see how secure your network really is, is to see how easy it is to break into it and compromise machines connected to it. To do this you can go to a security consultancy and get a good guy to try and hack into your network, but it depends on you trusting the white-hat hacker, and it can be expensive. How much is it worth paying? This is a tricky question to answer as it's not clear what the ROI will be.

That's why a DIY approach can be attractive, but you have to know what you are doing and – more to the point – you have to know what malicious hackers are likely to do. And that's where the proliferation of so-called "security" Linux live CDs comes into it. These CDs – obtainable as downloadable .iso files – can be used to convert almost any old laptop into a powerful security assessment tool just by popping in the CD and booting the machine up. And since they're live CDs, you can use them on any machine without interfering with its hard drive. Take the CD out and reboot and you're back to whatever environment was previously running on it.

There are many, many security Linux distros out there, and it would be naïve to assume that they are all really aimed at security professionals wanting to check their networks. The majority are quite clearly aimed at people interested in breaking into networks, perhaps for excitement or to impress their friends, or maybe with more malicious intent. But that can actually work in your favor: a security Linux distro can put into your hands exactly the same toolbox that the bad guys have, so by making use of it you can get a good idea of what the baddies can and can't easily do to your network.

So where do you start? The first thing to do is to choose an .iso to download, and the truth is you should probably try two or three: each one is targeted at a slightly different user, although there is a great deal of overlap in the tools that are included with them. Some of the more popular ones include Backtrack, STD (security tool distribution) and nUbuntu.

Once you've booted into one of these distributions, the next thing to do is to familiarize yourself with some of the apps that are included, and get to work. There are usually plenty of old favorites like Wireshark (the network protocol analyzer formerly known as Ethereal) and, if you've not already come across them before, some that may cause your eyebrows to be raised, including Nmap, Nessus, Metasploit, and Aircrack, and its newer incarnation, Aircrack-ng.

Nmap is a powerful network mapper which can scan even very large corporate networks to see what hosts are connected and what services they are offering, and can also scan for unauthorized servers. It's worth seeing what you – and anyone else using it on your network – could find out by giving it a spin.
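The "scan for unauthorized servers" use is easiest to act on if the scan output is compared against an inventory automatically. The script below is an added example, not code from the article or from the Nmap project: it parses the XML that `nmap -oX` writes and reports hosts that are not in an administrator-maintained allowlist, plus known hosts exposing ports they are not supposed to. The XML sample, the 192.0.2.0/28 addresses and the `ALLOWLIST` table are constructed for illustration.

```python
"""Flag unknown hosts and unexpected open ports in Nmap XML output.

Added example; the scan data below is constructed in the shape Nmap
writes with -oX, trimmed to the elements this script reads.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed inventory: known hosts and the open TCP ports each may expose.
# Anything the scan finds beyond this is a finding to investigate.
ALLOWLIST = {
    "192.0.2.10": {22, 443},
    "192.0.2.11": {80},
}


def parse_open_ports(xml_text):
    """Return {ipv4: {open tcp ports}} for every host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Only open TCP ports count; filtered/closed ones are ignored here.
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                open_ports.add(int(port.get("portid")))
        hosts[addr] = open_ports
    return hosts


def find_unauthorized(scan, allowlist):
    """Compare a parsed scan with the allowlist.

    Returns (unknown_hosts, unexpected_ports): hosts not in the inventory at
    all, and, for known hosts, the open ports they are not allowed to expose.
    """
    unknown_hosts = sorted(ip for ip in scan if ip not in allowlist)
    unexpected_ports = {}
    for ip, ports in scan.items():
        if ip in allowlist:
            extra = ports - allowlist[ip]
            if extra:
                unexpected_ports[ip] = sorted(extra)
    return unknown_hosts, unexpected_ports


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_NMAP_XML)
    unknown, extra = find_unauthorized(scan, ALLOWLIST)
    for ip in unknown:
        print(f"UNKNOWN HOST {ip}: open tcp ports {sorted(scan[ip])}")
    for ip, ports in extra.items():
        print(f"UNEXPECTED SERVICE on {ip}: ports {ports}")
```

On the constructed data this reports 192.0.2.77 as an unknown host and 192.0.2.11 as exposing MySQL on 3306 that the inventory does not permit. Run it against a real `-oX` file by replacing `SAMPLE_NMAP_XML` with the file's contents; the diff between consecutive scans is usually more telling than any single run.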

Nessus is a port scanner which can also run exploits on open ports, and can even try to crash vulnerable machines. While you may not want to do that – and in fact a switch can disable this option – this can be useful in a test environment before a machine is deployed.

Metasploit is a much more sinister matter altogether. Essentially it's a point-and-click hacking tool – choose the platform or application you want to attack, choose from a list of exploits, and launch an attack. With a friendly Web interface it's primarily aimed at script kiddies, but the point to bear in mind is that if anyone can launch these exploits, they probably will, so you might as well see if they are successful before someone else does.

Aircrack/Aircrack-ng is interesting because although everyone knows – or should know – that WEP is totally insecure, it's often assumed that though that's true in theory, in practice it's probably quite time consuming to crack it. By running the Aircrack suite you can see for yourself that in fact it's trivial to discover a WEP "protected" wireless network and get your hands on the WEP key from a single laptop. By using packet injection to simulate ARP requests, you can generate huge volumes of packets from the access point even when legitimate users are relatively idle, thereby capturing enough of the vulnerable initialization vectors attached to each packet to crack the key in as little as 15 minutes. And remember, if you've got an access point running in mixed WEP and WPA mode to accommodate users with older Wi-Fi equipment that doesn't support WPA then that's just as vulnerable as one running only WEP.

The Aircrack toolset can also be used to crack WPA passwords, but since this relies on a combination of deauthentication (deauth) and offline dictionary attacks, it will only work if the password is sufficiently weak. So armed with a suitably large dictionary, you can at least use this to satisfy yourself that if you are using a simple RC4 cipher-based WPA shared key approach (which you probably shouldn't – you should be using WPA-Enterprise, or WPA with RADIUS authentication) your passphrase is suitably secure. Ideally that means a random string of 63 characters – which is uncrackable in any sensible period of time.
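The two wireless paragraphs above come down to configuration checks a defender can run before anyone else does: is WEP (or mixed WEP/WPA) still enabled anywhere, and is the WPA pre-shared passphrase long and random enough that an offline dictionary attack has no realistic chance? The script below is an added example, not code from the article or from the Aircrack project. It derives the WPA/WPA2-Personal pairwise master key from a passphrase the way the 802.11i standard does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output), which is exactly the cost an offline attack pays per guess; it estimates the best-case entropy of a passphrase; it generates a random 63-character passphrase; and it audits a constructed list of access-point records for the weaknesses the article describes. The SSIDs, passphrases, the access-point record layout and the `MIN_PSK_LEN` policy threshold are assumptions made for the example.

```python
"""Wireless configuration checks: PMK derivation, passphrase strength,
and an access-point audit for WEP / mixed-mode / short PSKs.

Added example; AP records and passphrases below are constructed.
"""
import hashlib
import math
import secrets
import string

# WPA-Personal passphrases are 8-63 printable ASCII characters (32..126).
PSK_ALPHABET = "".join(chr(c) for c in range(32, 127))
# Assumed local policy: anything shorter than this is flagged (the article's
# ideal is the full 63 characters).
MIN_PSK_LEN = 20


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    as IEEE 802.11i defines for WPA/WPA2-Personal. An offline dictionary
    attack must compute this once per candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_bits(passphrase, alphabet_size=len(PSK_ALPHABET)):
    """Upper bound on the passphrase's entropy, assuming every character was
    chosen uniformly from the alphabet. A dictionary word has far less than
    this bound, which is why the bound alone is not a pass mark."""
    return len(passphrase) * math.log2(alphabet_size)


def generate_passphrase(length=63):
    """Random passphrase from a CSPRNG. Letters and digits only (62 symbols)
    so it pastes cleanly into any client; 63 of them is still ~375 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_ap(ap):
    """Return a list of findings for one access-point record.

    Record shape (constructed for this example):
      {"ssid": str, "security": ["OPEN"|"WEP"|"WPA"|"WPA2", ...], "psk": str}
    """
    findings = []
    modes = set(ap.get("security", []))
    wpa = bool(modes & {"WPA", "WPA2"})
    if not modes or "OPEN" in modes:
        findings.append("no encryption")
    if "WEP" in modes:
        # Mixed mode keeps the WEP key recoverable, so it is no better than WEP.
        findings.append("WEP enabled (mixed WEP/WPA mode)" if wpa else "WEP enabled")
    if wpa and "psk" in ap and len(ap["psk"]) < MIN_PSK_LEN:
        findings.append("short PSK ({} chars, at most ~{:.0f} bits)".format(
            len(ap["psk"]), passphrase_bits(ap["psk"])))
    return findings


def audit_all(aps):
    """Map SSID -> findings, omitting access points with nothing to report."""
    return {ap["ssid"]: audit_ap(ap) for ap in aps if audit_ap(ap)}


# Constructed inventory of access points to audit.
SAMPLE_APS = [
    {"ssid": "corp-office", "security": ["WPA2"], "psk": generate_passphrase()},
    {"ssid": "legacy-scanners", "security": ["WEP", "WPA2"], "psk": "sunshine"},
    {"ssid": "warehouse", "security": ["WEP"]},
    {"ssid": "guest", "security": ["OPEN"]},
]

if __name__ == "__main__":
    # Known-answer test vector from IEEE 802.11i Annex H.
    print("PMK for 'password'/'IEEE':", derive_pmk("password", "IEEE").hex())
    for ssid, findings in audit_all(SAMPLE_APS).items():
        print(f"{ssid}: " + "; ".join(findings))
    print("suggested replacement passphrase:", generate_passphrase())
```

The PMK function is there to make the cost model concrete: cracking a PSK offline means running 4096 HMAC-SHA1 rounds per guess, which is cheap per word but hopeless against 63 random characters. The audit is deliberately a pure function over records so it can be pointed at whatever export your controller or a wireless survey produces.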

The list of security – or should that be hacker – tools included on these CDs is almost endless – certainly too long to list here. But the point is they are out there, they are powerful, and they can do your network serious harm. They are also free and freely available, and they are not going away. In these circumstances it does seem like the only sensible response is to try them out for yourself and close any vulnerabilities they expose. It won't guarantee your network's security, but it will make sure that anyone who wants to break into your network is going to have to work a little bit harder if they want to succeed.
