http://www.dmst.aueb.gr/dds/pubs/trade/2006-login-PenTesting/html/GS06.html This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:
|
Using Linux Live CDs for
Penetration Testing
Markos Gogoulos
and Diomidis Spinellis
What would you think if in minutes you could have a full Linux system with
almost all the necessary tools for penetration testing and security auditing, without
having to install it on a dedicated machine? Whether you are a security professional
or a system administrator a bootable Linux live CD can be your best friend.
Penetration testing is a focused
attempt to look for security holes, which : these can
be design weaknesses, or technical flaws and vulnerabilities,
in critical resources for a network. The test is focused focuses on
the a network's
network’s
infrastructure, servers and workstationssystems
that comprise the target network. Penetration testers try to break
into a customer's network, attempting to
locate and document all security flaws, so that they will be fixed. Usually
penetration testers are supplied with specific instructions as to which systems
and networks to test. If you are to
undertake such an effort, make sure you Most probably obtain written
permission from
a person authorized to give it, before even preparing for the testmay
be necessary before the test begins. Also notify all
system administrators what will be affected, because Since the
testers have the permission for the test, the test may
create a heavy traffic load to the network and generate
intrusion detection system alerts generated by
IDS will not take the administrators by surprise. Penetration
testing is quite similar to hhcracking
-— that's that’s why
it is also called ethical hhcracking—-
but differs in that it is arranged and approved by the customer network’s owner and
aims to locate all security flaws,. Contrast this to in contrast
hto hcracking,
where the
goal is typically to find a single series of
single flaws may
be that are sufficient
for system intrusion. While in hhcracking
creativity has a major impact on the results and an instinctualinstinctive,
probably self-developed procedure is being followed, professional penetration
testing involves the use of a methodology which that will
be followed to assure that results are accurate and complete.
A
penetration testing methodology provides a framework that is followed,
so to ensure that
the results will be accurate and complete. As far as we know, the only publicly
available methodology for penetration testing is the Open Source Security
Testing Methodology Manual (OSSTMM). As quoted to OSSTMM's OSSTMM’s site,
”
“The
OSSTMM is a peer-reviewed methodology for performing security tests and
metrics. The OSSTMM test cases are divided into five channels (sections) which
collectively test: information and data controls, personnel security awareness
levels, fraud and social engineering control levels, computer and
telecommunications networks, wireless devices, mobile devices, physical
security access controls, security processes, and physical locations such as
buildings, perimeters, and military bases. The OSSTMM focuses on the technical
details of exactly which items need to be tested, what to do before, during,
and after a security test, and how to measure the results. New tests for
international best practices, laws, regulations, and ethical concerns are
regularly added and updated.”
“
OSSTMM is publicly available for downloading. If followed, OSSTMM
ensures that
a thorough penetration testing has been undertaken. OSSTMM also comes
with Report Requirements Templates to assist the creation of final reports and
a legal penetration testing checklist, containing features to consider, such as
privacy and protection of information, and authorization for the test
etc. Note that OSSTMM does not give instructions on how to
accomplish the penetration testing or what tools to use for thisit,; there
are numerous sites on the internet and books for this task along with
institutions and companies that will happily charge you to attend their
seminars and get (a portion of) this
knowledge.
Security related tools exist in
both OSS and commercial platforms. Most of the commercial tools are generally
more professional looking, however keep in mind that these are
difficult or impossible to modify to fit your needs, and that their cost is
often modifications
cannot be made, since the source code is unavailable and cost is high .significant. Moreover, there are no
commercial tools for several tasks. Also,
commercial , or these tools are often created
after OSS tools have been available for asome time,
and
therefore such tools lag in the technologies
they use. Typical examples of this
state of afairsaffairs are currently Wep
analysis and cracking tools are an example
to this. Many OSS security related tools are maintained by a large
team of people, and hundreds of developers contribute to the project. Generally
OSS tool updates are more frequent and signatures for vulnerability assessment
tools for the newlythe discoverednewly discovered vulnerabilities are added
soon after they are publicly available. In this area the reflexes of the OSS society's
reflexes are community appear
to be far quicker to all security related aspects, so most of , and therefore the
best tools for penetration testing are not commercial.
Linux live CDs are Linux systems based on a certain distribution,
that operate from the distribuiondistribution CD ROM withoutROM without the need to set up to the system
and without the use of the local hard drive. They perform automated hardware
configuration with great success, so that . As a result, in a few minutes from
booting, you’ll have in front
of you a full graphical lLinux
environment is operating, with all the
peripherals identified in most cases as well as and a
number of preinstalled programs ready to be used. One category of Linux
live CDs s
category is the distributions for targets security.
Most of those CDs are based on Knoppix or Slax distributions.,
which automatically perform efficient identification of the peripherals . (Knoppix is a distribution based on
Debian, whereas Slax is based on Slackware.)
Live CD distributions for security belong to one or
more of the can be split into the following categories
: Penetration
Testing, Forensics, and Secure Desktop. The Forensics category consists
of distributions with forensics focuses on tools
i.e. for the non-invasive
study and retrieval of data from various types of file systems, whereas
in the Secure Desktop distributions focus on numerous programs
and servers are included for providing secure
protocol implementations, cryptography
e.t.c. Penetration testing live CDs include the most famous programs
as well as the less known, for the enumeration,
network scanning and analysis, vulnerability assessment, as well as tools
for and exploitation of several security vulnerabilities.
A
successful system for penetration
testing requires a lot of work to setup, possibly
months of hardworking ,. as
it involves in order for the programs to be gathereding the programs,
installed installing them,
and maintained maintaining them
up-to-date. A live CD for penetration testing – , such as
the ones that we study on forth – will examine
here, is a system base ready to usesaves you this
effort. What is missing of course is the knowledge required
for the operation of penetration testing tools, which in many cases is minimal,
although in other cases good knowledge is required for a certain protocol or a
programming task, as well as the methodology to support it.
We expect from Typically a
penetration testing CD to consist of the most effective and commonly usedwill contain
·
attack and penetration testing tools,
·
enumeration tools,
·
tools for scanning and network port analysis,
·
vulnerability scanners seeking for targeting known
problems,
·
smb CIFS (SMB) scanners,
·
sniffers and network analyzers,
·
tools for the exploitation of common vulnerabilitiesy
exploitation, for instance Metasploit Framework and Exploit Tree,
·
http HTTP proxy
tools,
·
fuzzer tools,
·
tools for router scanning and exploitation,
·
tools for spoofing and session hijacking, and
·
tools for password cracking and brute-force attacks.
Since we already covered the basics, it is high
time to Let’s go through the presentation
some
of the available live CDs for penetration testing. You can locate the
live CDs in the security category of the frozentech list
[2]
.[2] All
distributions comprise a minimal basic set
of penetration testing tools (nmap, nessus, nikto, Metasploit Framework) plus
some basic additional tools
to make the system more functional, such as editors, web browsers, and image
viewers, nx clients e.t.c. . You can
see a summary of the features of some prominent distributions in Table 1.
Our personal favorite is the Auditor
security collection:[3]
it includes
Almost all
the previous all the tools we listed, and perhaps
more are included in the
Auditor security collection [3];
a far more complete and handy live CD for penetration testing from the examined
list of live CDs. It should be
noted that it was created by top security
experts. What we liked most about Auditor was is the
programs' organization of the programs
into separate categories, its as well as the orientation
for toward a
professional administrators, and its cutting
edge functionality. The Auditor consists of more programs, compared to
other distributions, most of which are classified in distinct categories. In
the wireless sector, the Auditor truly shines truly,
since it consists of coming with the
most complete tool collection for wireless network penetration testing. Some of
those programs, with top the known such as the
wireless LAN wlan scanner kKismet, are
notoriously known for their time-consuming and hard-demanding
difficult
installation; with Auditor this funcitonalityfunctionality comes
out-of-the-box. Furthermore, Tthe
Auditor also uniquely incorporates
tools for Bluetooth penetration testing, a feature that
is not met in any other distribution and most of the libraries that we require
for the installation of additional programs beyond the ones preinstalled a fact
significantly important in the scenario that we install in a computer.
Although some
tools are missing from Auditor, with a little additional work an installed
system can be transformed into a state-of-the-art base for penetration testing.
For example, tools we found missing from Auditor are those for database
auditing, for Novell Netware auditing, and SMB and Kerberos sniffing. Some of
these tools exist for Linux, while others can
operate through Wine. Furthermore, it would be desirable if the system
had by default read/write capabilities for NTFS file-systems. In addition, one
could add the Achilles and Spike web interception proxies; these apart from
their other capabilities automatically test web applications for buffer
overflows and SQL injection.
Among
From
the other distributions that we examined worked,
we found Whax [4]
and KCPentrix [5]
quite interesting. Both
distributions include features that Auditor lacks. These distributions represent worthy efforts that
with additional work can reach the quality levels of Auditor. Some
of the positive working aspects
of these distributions can be considered the following: For example, Whax
contains snort accompanied with acid and other front-ends,
of the most famous open source IDS. In the enumeration sector, as well as
tools for the vulnerability enumeration through the so-called tools for google
hacking techniques. that don’t exist in
Auditor are included. In the vulnerability scanners category, there
Whax
has modules for the are modules from
scanner Retina and Foundstone tools that operateing normally
through Wine, since (these are wWindows
tools).
Furthermore, there are Whax includes tools
for database auditing, for instance Absinthe for blind sql
SQL
injection and other tools for oracle auditing Oracle and Cisco systems.
Beyond the Metasploit Framework, an
advanced open-source platform for developing, testing, and using exploit code (EXPLAIN), the
Whax includes Exploit Tree, a properly supported exploit source code base
with exploit source codes that
have been distributed officially with
an update capability. In addition it Whax contains
several exploit collections for client side attacks
–
i.e.: vulnerabilities for the Internet
Explorer, as well as exploit archives from the securityfocus.com,
packetstormsecurity.com, and milworm.com sites. In the cisco
auditing field numerous tools have been gathered. Both The
Whax and KCPentrix is are founded
on Slax , just as KCPentrix,
among which there are many similarities and therefore share many features, with in
the structure, although Whax consists offering
slightly of more material.
The Phlak [6]
live CD consists of only a few tools, which are not
organized in a menu. What however impressed us in Phlak is is its acompanying
security-oriented documentation, the fact that it
contains numerous documents on
security, well-organizedwell organized in different categories.
We believe that it found this
very useful and we should also emphasize think that
other distributions could benefit from such
documentation, a thing that we think as not wastefuladopting this
approach. For example, the OSSTMM that is we mentioned
above could be included on a security related live CD.
The Auditor
Security Collection, as previously
mentioned is considered the ideal
selection. Nevertheless, some tools are
missing from the Auditor
and with a little additional work,
an installed system can be transformed to a state-of-the-art base for
penetration testing. What is missing
from the Auditor and
should be added are among others tools for database
auditing, tools for Novell
Netware auditing, smb and
Kerberos sniffing tools.
Some of these tools exist for Linux, while others can operate through Wine. The L0phtcrack,
which is the best tool for Windows password auditing and recovery, could not be
integrated in a GNU distribution, since it is a commercial product. Furthermore,
it would be desirable if the system had read/write capabilities in
ntfs file-systems by default.
Achilles and Spike – web
interception proxies – that
apart from the other capabilities automatically test web applications for
buffer overflows and sql injection
can be added,
even if Paros exists, that belongs to the same program category.
Table 1.
Distribution Comparison Table
|
GUI |
System apps |
Installation program |
Vulnerability Scanners |
Exploit Tools |
Version in 2005 |
Documents/ Penetration Testing material |
Wireless pen |
Bluetooth pen |
Auditor |
Y |
Y |
Y |
Y |
Y |
Y |
N |
Y |
Y |
Whax |
Y |
Y |
Y |
Y |
Y |
Y |
N |
Y |
N |
KCPentrix |
Y |
Y |
N |
Y |
Y |
Y |
N |
Y |
N |
Phlak |
Y |
Y |
Y |
Y |
Y |
Y |
Y |
Y |
N |
Knoppix-std |
Y |
Y |
Y |
Y |
N |
N |
N |
Y |
N |
Often the penetration testing
process is presented as a mixture of science and art. It is also true
that Furthermore, a complete penetration testing
is something more than the plain simple execution
of some various vulnerability
scanners to targettingtargeting some
systems: the penetration tester aims to trace all
the possible violation pathways, following a well defined
methodology.
Even if the penetration testing results will depend on the
knowledge and skills of the penetration tester from some point
on, there are some tasks that are most usually followed. Usually the
penetration tester you will initially enumerate initially the
systems or the networks that are due to be tested, in order to trace
obtain
basic information about them, for example ip IP address ranges,
gateways, and
administrator
names e.t.c. Subsequently, with
through
port scanning, you will locate open ports will
be located and services that are running on them.
Any network service is a potential door to the system
entry. Services that currently run may be vulnerable to a known
vulnerability, something that a vulnerability scanner will show, but can also
be traced manually if if
the penetration tester you gets a
connection to the an open port
that is open for the service, reads
the banner and afterwards checks
if the service version is vulnerable to some flaw.
Most services will reveal their version from a banner with little
effort, but even those tailored not to reveal such information can be tricked
some times. It is important to locate that all
existing shares
in Windows systems or nfs NFS exports
in Unix that possibly exist are found. With
brute force
tools, you
can try to crack passwords can be cracked that
give access to shares or to the system, through sshSSH, ftpFTP, web accessprotocols,
webmin or an other service. The use of a By using a sniffer
will reveal you can see the
unencrypted protocols (a common and controversial pasttime in older Usenix
conferences) as well as passwords or other sensitive data that is
distributed in passes through the network. For example, a few years ago,
one
of us used a sniffer to demonstrate to the public that sensitive data used in a particular
setup of a popular e-government application was being
transmitted in plain-text form. You can also use
Ettercap and Dsniff to perform advanced type more
sophisticated attacks, utilizing all somewhat esoteric the
known techniques, i.e. such as arp
ARP
spoofing for sniffing through switches
sniffing. Several other tools that are incorporated in Auditor could
be utilized allow you to test network security and to trace
locate
bad risky adjustmentssetups,
for instance through spoofing,
traffic injection, dhcp DHCP flooding
tools.
When you locate vulnerabilities are located,
testers will you will have to
try to exploit them before documenting possible solutions
are documented, to assure insure that you
don’t report and there are no false positives and
or
false negatives. For
example, an application may be lying about its version, or may have been configured with
a workaround to avoid a particular vulnerability. That's why This is where tools
like the Metasploit
Framework are so preciouscome in.
These tools are the most direct way to allow you to avoid
false positives and directly check the for security
gaps. In addition, with such tools
you can demonstrate the actual problems, because since most of
the sometimes even if the system
administrators know of certain problems in their network, won’t face but fail to
address them, in mistaken belief that their network
is not at risk.
In light of the fact that the
web applications – — which are most probably supported by a
database – — comprise the
most house in many networks valuable assets
for many networks, it is important
to you’ll need to test them separately for how they behave
on unexpected input, sql SQL injection
and other attacks. This job You could be
performed in assistance
with thisperform this job using
tools, such as Nikto, Spike, Achilles, or Paros
or other tools.
It is very
easy to understand that Obviously, these tools are extremely powerful
and the wrong use by on the hands of non-authorized
people could they cause
many problems and chaos on a network. Someone could claim that tools
distribution
such as Auditor make it possible easier for
script kiddies and other wrongdoers malicious
attackers to accomplish their attacks. That thought
doesn’t stand since However,
nowadays everyone anyone with
a browser can easily find information about the programs Auditor contains
, for instance by performing a google search ; try, for
example, googling for with the term “dhcp flooder”. Script
kiddies It might would require
some more effort
for a script kiddie to install them,
eventually though, the tools will wok for him / herthem.
With The easiness that a live CD has
to offer (i..e. the like Auditor for penetration
testing) is extremely important, for
example you as a system administrator could run nNessus
periodically in his your systems
to check if there is are any
security related problems or , also you can professional
penetration testers could use it as a base system for a more
complete penetration test. Auditor just as
other Most of the live CDs we examined
allow you includes installed libraries that will be needed
for the addition installation of
tools not included in the distribution, and some of the tools
support the capability for automated downloading
of updates. Both features , something that
will
helps us your keep the
your
penetration testing system up-to-date. When the time for downloading the updates
becomes excessive, just burn a CD with an updated distribution. Since Finally, keep in
mind that those these distributions
are maintained from by unpaid teams
of people and gnu developers that are not paid to do itvolunteers,
in the context of supporting those efforts and to continue for better ones, let
us not ; don’t forget that these projects are
in the need of depend on contributions from our community for maintenance
and improvements.
Links
1)Open1) Open Source Security
Testing Methodology Manual (OSSTMM), http://www.osstmm.org
2)
Frozentech list with live CD's
for security
,security,
http://www.frozentech.com/content/livecd.php?pick=All&showonly=Security&sort=&sm=1
3)
Auditor security collection, http://www.remote-exploit.org/index.php/Auditor_mainhttp://www.remote-exploit.org
4)Whax , http://www.iWhax.net
5)KCPentrix,
http://www.knowledgecave.com/KCPentrix/
6)Phlak, http://www.phlak.org
Markos Gogoulos
is a research assistant in the ELTRUN Software Engineering and Security Group at the
Athens University of Economics and Business and a free
software movement enthusiast.
Diomidis Spinellis is an associate professor in the Department of Management Science and Technology at the Athens University of Economics and Business, and author of the books Code {Reading, Quality}: The Open Source Perspective (Addison-Wesley, 200[36]).