Hack 87 Full Protection with Knoppix-STD 
Knoppix-STD is a Knoppix-based distribution
with a focus on security. This disc includes many useful security
tools from packet sniffers to password crackers to
honeypots.
Knoppix-STD
is a Knoppix variant dedicated to the daily tasks of an information
security professional, as well as a learning platform for those
interested in exploring information security in a relatively safe and
painless environment.
Knoppix-STD got its start from three Linux distributions. Obviously,
Knoppix is one, but the other two were information security
distributions.
Trinux, by Matthew
Franz (http://www.trinux.org),
was the first portable distro I had ever worked with. When I was
using it, it was a console-only floppy distribution, and various
security tools and hardware drivers could be loaded from other
floppies. The other distribution was F.I.R.E. (Forensic and Incident
Response Environment) by William Salusky (http://fire.dmzs.com). This was the first
bootable CD I had ever seen, and although it was mainly limited to
Forensic tools, I was fascinated. I'd sometimes boot
it just to boot it.
I loved Knoppix for its portability and wealth of day-to-day
applications, but I needed Trinux and F.I.R.E. for their respective
toolkits. When I read my first HOWTO for customizing Knoppix, I knew
exactly what to do. After a couple of months, Knoppix-STD was born.
STD stands for Security Tools Distribution, although
I'm well aware of the other meanings of the acronym.
Information security tools tend to have questionable names. When you
get a bunch of geeks talking about probes, penetration testing,
intrusion detection, backdoors, etc., it's no wonder
that these tools have such eyebrow-raising names. STD is a nod to
those 3 A.M. soda-drinking code crunchers. Keep on
typin'!
Knoppix-STD uses FluxBox
as its window manager because it's lightweight and
powerful enough for STD's needs. The tools available
on Knoppix-STD are divided into specific information security
disciplines—for instance, encryption, forensics, and
vulnerability assessment. These categories are available from
FluxBox's application menu. Many of the tools are
command-line tools, and those are easily overlooked, so I also
created a directory for each category under
/usr/bin, like
/usr/bin/forensics. Covering every tool in STD
would take an entire book, but here's a rundown of
the security categories in STD and some of the usual suspects found
in each.
8.9.1 Authentication Tools
Authentication
has been rightly called the foundation of all security. After all,
lacking artificial intelligence, authentication is the only method a
computer has of telling different users apart. Aside from the
standard Linux PAM, /etc/passwd, and
/etc/shadow, Knoppix-STD also includes
FreeRADIUS
(http://www.freeradius.org), an
open source RADIUS server. RADIUS (Remote Authentication Dial-In User
Service) is used as a centralized database of users and is supported
by many applications and platforms to authenticate users.
8.9.2 Encryption Tools
Encryption is the process of garbling a
message so that it can be intercepted without fear of leaking
confidential information. The real magic of encryption is the
capability of having a special key that ungarbles the message when
you need access to the information.
The core encryption library and command-line tool used under Linux
for encryption and key generation is
openssl.
Gnu Privacy Guard, gpg, is included as the open
source replacement for PGP and works in a similar fashion.
Super-FreeSWAN is compiled into the custom kernel to provide IPSEC
VPN support.
STD also includes multiple
steganography
tools (perhaps better known as stego tools).
Stego tools hide data in other data.
Gifshuffle hides data in a GIF image,
outguess does the same using JPEG images, and
mp3encode hides your data in an MP3 file.
There are also tools to detect and break stegoed
data; they are aptly named stegbreak and
stegdetect.
8.9.3 Forensics
The original plan for STD was to make it
strictly a computer-forensic toolkit in a fashion similar to the
F.I.R.E. distribution. The benefit of a live bootable CD for
gathering digital evidence can't be measured. You
have a reliable operating system with which to boot and investigate a
breached machine.
The primary hero of open source forensics is the
Autopsy/Sleuthkit
combo (http://www.sleuthkit.org).
Currently maintained by Brian Carrier, Autopsy/Sleuthkit evolved from
the original, The Coroner's Toolkit [Hack #47] .
Whether you simply need to recover a deleted file or you need a full
case-management system, Autopsy/Sleuthkit provides it all, wrapped in
a well-designed web frontend.
Sleuthkit uses a predefined mount point named
/mnt/evidence as its evidence locker under STD.
This is where all of its output goes. By mounting anything you want
to the mount point, you can carry Sleuthkit output from machine to
machine. This mount point might be a local drive or a remote share. I
keep mine encrypted on a USB stick.
In addition to the forensic workhorse dd, STD
provides
dcfldd,
which is the U.S. Department of Defense Computer Forensics Lab's
extension to the standard dd. Among other
things, it can automatically produce an MD5 hash as part of a
forensic backup. Foremost is included and used
to search through a forensic backup for specific file types, such as
JPG or DIVX files.
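As an added illustration (not code from the original hack or from dcfldd), the following Python sketch shows what in-line hashing during an image buys you: one pass copies the source and produces a whole-image MD5 plus per-window MD5s, and the finished image is re-hashed to confirm it matches. The 1 MiB byte string standing in for a block device is constructed here.

```python
import hashlib
import io

# Constructed stand-in for a block device such as /dev/hda1: 1 MiB of
# deterministic bytes, so the example runs offline and the hashes are stable.
SAMPLE_DEVICE = bytes((i * 7919 + 13) % 256 for i in range(1024 * 1024))


def image_with_hash(src, dst, block_size=64 * 1024, hash_window=256 * 1024):
    """Copy src to dst in blocks, hashing in the same pass.

    This is the idea behind dcfldd's hashing options: one MD5 over the
    whole image plus one per fixed-size window, so a later mismatch can be
    narrowed to a region instead of discarding the whole image.
    Returns (whole_image_md5, [window_md5, ...], bytes_copied).
    """
    total = hashlib.md5()
    window = hashlib.md5()
    window_hashes = []
    in_window = 0
    copied = 0
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        dst.write(chunk)
        total.update(chunk)
        copied += len(chunk)
        # Feed the chunk to the current window hash, closing a window each
        # time hash_window bytes have gone through it.
        pos = 0
        while pos < len(chunk):
            take = min(hash_window - in_window, len(chunk) - pos)
            window.update(chunk[pos:pos + take])
            in_window += take
            pos += take
            if in_window == hash_window:
                window_hashes.append(window.hexdigest())
                window = hashlib.md5()
                in_window = 0
    if in_window:  # partial trailing window
        window_hashes.append(window.hexdigest())
    return total.hexdigest(), window_hashes, copied


def verify_image(image_bytes, expected_md5):
    """Re-hash the finished image and compare it with the hash taken during the copy."""
    return hashlib.md5(image_bytes).hexdigest() == expected_md5


def demo():
    """Image the constructed device into memory and verify the result."""
    src, dst = io.BytesIO(SAMPLE_DEVICE), io.BytesIO()
    whole_md5, windows, copied = image_with_hash(src, dst)
    return whole_md5, windows, copied, verify_image(dst.getvalue(), whole_md5)


if __name__ == "__main__":
    md5, windows, copied, ok = demo()
    print(f"{copied} bytes imaged, md5 {md5}, {len(windows)} window hashes, verified={ok}")
```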
ClamAV is a GPL
antivirus program. You can boot a suspect machine with STD, mount the
local hard drives, and scan for viruses without having to trust the
host OS (see also [Hack #78] ). The
command to scan is clamscan. If you have
Internet access, you can also update to the most current signature
set by running
freshclam.
Similarly,
chkrootkit
looks for your standard root kit infection [Hack #46] .
If you are using STD for forensic purposes, you definitely want to
boot using the noswap cheat code. Otherwise, STD
attempts to use any existing swap files on the system, potentially
erasing evidence.
8.9.4 Firewalls
Firewalls
are routers that connect two networks together (like your home
network to the Internet) and allow only certain types of traffic
through. STD has iptables like most
distributions. To make it a little more accessible for someone new to
firewalls, STD includes
firestarter,
which is a wizard to walk you through the process of setting up
rules.
Shorewall
is also included as a more advanced firewall package.
Hogwash
is a packet scrubber that automatically blocks packets that match
snort IDS rules (see Section 8.9.6).
While STD is rather secure in its default state, I make no claims
that this is a secure distribution. In fact, some of the services
included are vulnerable to many exploits. Partly this is a matter of
time restrictions, but these vulnerabilities also give the new security
admin not only a machine to attack with, but also a machine to
use as a target.
If you use STD and are connected to the Internet in any way, you
should hit the key combo Alt-F12. This is a shortcut to run the
blockall command, a small script that creates a
very simple firewall rule for your host. All outbound traffic (yours)
is allowed out. All inbound traffic (from that evil hacker out there)
is blocked.
8.9.5 Honeypots
Honeypots
are used to monitor hacker activity. They give the hacker a target to
attack but no valuable data. Honeypots also fishbowl the hacker so
that the target can't be used as a hopping point to
launch other attacks. In the meantime, the honeypot tracks all
activity so that you can learn about new techniques, learn about
tools, and get an idea of what kind of threat posture you have.
Honeyd is the main honeypot daemon, but the
labrea tarpit is also included. Rather than
track the hacker, labrea holds a
hacker's connection open as long as possible and
slows it down to a crawl with heavy fragmentation. This slows down
automated scanning tools and worms like Code Red.
8.9.6 IDS
IDS, short for
intrusion detection system, is an alarm system for your network. Like
a security guard watching closed-circuit TV for suspicious activity,
an IDS monitors the network for the same thing. When it sees
suspicious activity, it lets you know so you can decide whether you
need to respond to the intrusion to minimize the damage it might
cause.
Snort
reigns supreme in this area. It's mature and widely
supported by a huge community of users. STD utilizes MySQL to log the
snort data and ACID as a web frontend to monitor and manage alerts.
There's a small bug in starting S/A/M
(snort/ACID/MySQL) from the Fluxbox menu. In order to get S/A/M to
run properly under STD:
1. Right-click on the desktop to get the FluxBox menu. Navigate to IDS, then Snort/ACID/MySQL.
2. Run Snort-Init. This copies the necessary files from the CD to RAM to
make them read/write.
3. Run Start S/A/M. This launches snort,
apache, mysqld, and
barnyard, and launches Mozilla Firebird to
connect to the ACID interface. Initially, you won't
see any snort sensors (Sensors: 0).
4. Run Stop S/A/M and then Start S/A/M again. This reinitializes
barnyard properly.
If you have Internet access, the snort rules
files can be updated to the most recent versions using
oinkmaster
at the command line.
8.9.7 Network Utilities
Many standard network utilities are
included. Samba and Netware tools, like
smbclient and ncplogin, are
available, as well as a GUI frontend for Samba that is similar to
Microsoft's Network Neighborhood called
LinNeighborhood.
STD also includes cheops for network mapping,
monitoring, and management via SNMP.
Ntop,
short for network top, is also a great utility
for monitoring your network. It is a very robust protocol analyzer
and shows you things like top protocols used, top bandwidth
utilizers, graphs, matrixes, charts—you name it. It comes with
a nice web frontend. Launch ntop-start from the
FluxBox menu and then use Firebird to connect to
http://localhost:3000.
8.9.8 Password Tools
Password-cracking utilities are
necessary to access data locked by forgotten passwords, retrieve data
left behind by disgruntled ex-employees who changed passwords upon
leaving the company, and audit the passwords your users are choosing
to verify they are secure.
John the
Ripper can be run from /etc/john/. To see John
in action, try this:
1. Drop to a root shell prompt by hitting the key combo Alt-F5.
2. Set a password for the Knoppix user account. I usually use something
simple like "buffy" or
"Piglet" so I
don't have long to wait. The command is:
knoppix@ttyp0[knoppix]$ passwd knoppix
3. Merge the passwd and shadow
files together with unshadow:
knoppix@ttyp0[knoppix]$ /etc/john/unshadow /etc/passwd /etc/shadow > crackme.txt
4. Crack the file with john:
knoppix@ttyp0[knoppix]$ /etc/john/john crackme.txt
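To show what unshadow produces and what an auditor looks for in the merged file, here is an added Python example (not part of the original hack or of John the Ripper). The passwd and shadow lines are constructed, and the hash fields are placeholders shaped like real ones.

```python
import re

# Constructed sample passwd and shadow files as they might look on a booted
# STD system. The hash fields are placeholders shaped like real ones, not
# hashes of any actual password.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
knoppix:x:1000:1000:Knoppix User:/home/knoppix:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
svc:x:1002:1002::/var/lib/svc:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
""".splitlines()

SHADOW_LINES = """\
root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:12500:0:99999:7:::
knoppix:$6$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:12500:0:99999:7:::
guest::12500:0:99999:7:::
svc:abJnggxhB/yWI:12500:0:99999:7:::
nobody:*:12500:0:99999:7:::
""".splitlines()

CRYPT_TYPES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}


def unshadow(passwd_lines, shadow_lines):
    """Merge the two files the way John's unshadow does: the 'x' in passwd's
    second field is replaced by the hash from the shadow entry of the same user."""
    hashes = {}
    for line in shadow_lines:
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def classify_hash(field):
    """Name what a shadow password field means from a defender's point of view."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in CRYPT_TYPES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "DES-crypt (weak, 8-character limit)"
    return "unknown"


def audit(merged_lines):
    """Return [(user, finding)] for the accounts a cracker gets to first."""
    findings = []
    for line in merged_lines:
        user, field = line.split(":")[:2]
        kind = classify_hash(field)
        if kind.startswith("EMPTY") or kind.startswith("DES"):
            findings.append((user, kind))
    return findings
```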
Cisilia
is a distributed cracker that can take advantage of
STD's built-in openMOSIX clustering. This allows you
to distribute the password-cracking load across multiple machines.
Chntpw
combined with STD's NTFS read/write patch allows you
to reset the Administrator password on a Microsoft system. Simply
mount the NTFS partition read/write, point
chntpw at the SAM file, and follow the prompts.
The chntpw utility is covered in [Hack #75] .
STD also includes a prepopulated dictionary file from CERIAS at
Purdue University. It's available at
/usr/bin/pwd-tools/allwords2.
It's a 27-MB file of ASCII passwords. If that
doesn't crack it, brute force is probably your only
hope.
8.9.9 Servers
STD
has many servers installed for your convenience, as well as to test
your penetration skills. Many of these servers are vulnerable to
exploits by now so they should not be used in a production
environment. However, when you need a down-and-dirty web or mail
server, or maybe a TFTP server, these are very useful.
8.9.10 Packet Sniffers
Packet sniffers allow your network card
to see every packet on the wire, not just the ones coming from or to
your machine. They are often used to troubleshoot connections and
inspect traffic, and are great teaching tools for learning TCP/IP.
Start up a sniffer program like ethereal and
then connect to a web site. Stop your packet capture and see which
sorts of packets the HTTP protocol generates.
Ethereal
is by far one of the most popular sniffers in the world. It is
licensed under the GPL, available for just about every platform out
there, and allows more complex analysis with features like the
ability to follow a full TCP stream.
Ettercap
is the next most popular sniffer. The problem with most sniffers is
that they report only what they can see. Most networks utilize
switches instead of hubs these days, so sniffers
don't see much. Ettercap allows
you to sniff connections between hosts even across a switch using
techniques like ARP poisoning. Ettercap also
allows you to do a multitude of other tasks, like man-in-the-middle
attacks on encryption, that bleed into vulnerability assessment.
Driftnet
and
dsniff
are two filtered sniffers. This means they are only looking for very
specific data on the network. Dsniff looks for
any clear text username and password pairs on the wire. Protocols
like HTTP, telnet, rlogin, FTP, POP3, etc. pass your username and
password unencrypted over the wire. Dsniff
displays every pair it sees in nice neat columns on the screen.
Driftnet is looking for any kind of image file
passing along the wire. Any JPEG, GIF, PNG file it finds out there is
shown on the screen and downloaded to a specific directory. This is
excellent for monitoring web-browsing habits.
8.9.11 TCP Tools
The TCP-Tools category is a collection of
tools that allow you to access and manipulate the full TCP/IP stack.
Gspoof, excalibur,
nested, and hping are all
packet
assemblers that allow you to custom generate any kind of packet you
want and play it out onto the wire.
Tcpreplay
allows you to replay a capture file, which is grabbed via
ethereal or tcpdump, back
on the wire.
Arpwatch
monitors the IP/MAC pairs on the wire and emails them to the STD root
account. This allows you to monitor for ARP poisoning attacks and IP
duplicates.
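As an added example (not part of the original hack or of arpwatch's own code), the following Python watcher does what arpwatch does at its core: it tracks the IP/MAC pairs it sees and records the kinds of events arpwatch reports by mail. The ARP replies are constructed to show a poisoning attempt against the gateway.

```python
# Constructed ARP replies as seen on the wire, in arrival order:
# (seconds since start, sender IP, sender MAC). The last three show a
# station's MAC claiming the gateway's IP, the pattern of an ARP poisoning attack.
ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:55"),    # gateway
    (2, "192.168.1.20", "00:aa:bb:cc:dd:20"),
    (3, "192.168.1.21", "00:aa:bb:cc:dd:21"),
    (60, "192.168.1.1", "00:aa:bb:cc:dd:21"),   # .21's MAC now answers for the gateway
    (61, "192.168.1.1", "00:11:22:33:44:55"),   # the real gateway answers again
    (62, "192.168.1.1", "00:aa:bb:cc:dd:21"),   # and is overridden once more
]


class ArpWatch:
    """Track IP-to-MAC pairs and record the same kinds of events arpwatch
    reports by mail: new station, changed ethernet address, flip flop."""

    def __init__(self):
        self.current = {}   # ip -> mac currently believed to own it
        self.seen = {}      # ip -> set of every mac that has ever claimed it
        self.events = []    # (ts, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        old = self.current.get(ip)
        if old is None:
            self.events.append((ts, "new station", ip, None, mac))
        elif mac != old:
            # A MAC we have seen for this IP before bouncing back is a
            # "flip flop"; a never-seen one is a plain address change.
            kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
            self.events.append((ts, kind, ip, old, mac))
        self.current[ip] = mac
        self.seen.setdefault(ip, set()).add(mac)

    def macs_claiming_multiple_ips(self):
        """MACs that have answered for more than one IP: what a poisoner looks
        like when it impersonates the gateway while keeping its own address."""
        owners = {}
        for ip, macs in self.seen.items():
            for mac in macs:
                owners.setdefault(mac, set()).add(ip)
        return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def run(replies):
    """Feed a list of replies through the watcher and return it for inspection."""
    watch = ArpWatch()
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch
```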
Tcpkill
tears down any TCP session it's pointed at.
Fragroute
is a routing and fragmentation tool. In conjunction with
arpspoof, this can be a very powerful tool for
customizing your own ARP poisoning attack.
8.9.12 Tunnels
Tunnels
allow you to tunnel data through other protocols. For example, you
are at work and you want to ssh to your computer
at home. Your corporate firewall policy allows only HTTP from the
corporate network so you can tunnel SSH through HTTP-looking traffic
to bypass the firewall. Httptunnel does exactly
this. You set up the server (hts) at home and
direct it to your ssh server. At work, you start
up the client (htc) and ssh
to it. The
httptunnel
client connects to the server over the HTTP port 80, and it is then
redirected to your ssh server.
Netcat
and
cryptcat
are also included as generic TCP tunnels. Netcat
is a raw sockets tool and allows you to connect or open listener
ports. Cryptcat does the same thing but also
encrypts the data in the tunnel. Try the following exercise with two
STD machines.
On the cryptcat server, drop to a root shell
(Alt-F5) and run:
root@ttyp0[knoppix]# cryptcat -l -p 443 -e /bin/bash
This makes cryptcat
"listen" (-l) on
port (-p) 443 and execute (-e)
/bin/bash if someone connects.
On the cryptcat client, type:
knoppix@ttyp0[knoppix]$ cryptcat <ip address of the server> 443
This returns a bash shell prompt from the
server. On the wire, this data is encrypted and targets TCP/443. Most
security administrators disregard this traffic as HTTPS (if they even
catch it at all).
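The following added Python example (not from the original hack) shows the check a network administrator can run to avoid being fooled by the cryptcat session above: compare the first bytes a client sends with what the well-known port promises. A raw cryptcat stream on 443 never starts with a TLS ClientHello record; a real HTTP wrapper such as httptunnel does pass this test, because it sends genuine HTTP requests. All byte samples and flow records are constructed.

```python
import re

# Constructed first-bytes samples (what the client sends right after the TCP
# handshake). None of these are captured from a real network.
TLS_CLIENT_HELLO = bytes.fromhex("160301004a01000046030364") + b"\x00" * 20
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OPAQUE_STREAM = bytes.fromhex("9d2b7f03a6e1c4d85b77e2f0419c6a3d")  # no TLS or HTTP framing

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def looks_like_tls_client_hello(data):
    """True if data begins with a TLS handshake record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    (SSLv3 through TLS 1.2; TLS 1.3 keeps 0x0301/0x0303 in this field),
    then a two-byte length. The first handshake message byte is 0x01 (ClientHello).
    """
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (content_type == 0x16 and major == 0x03 and minor <= 0x03
            and 0 < record_len <= 16384 and data[5] == 0x01)


def looks_like_http_request(data):
    """True if data begins with an HTTP/1.x request line."""
    return (data.startswith(HTTP_METHODS)
            and re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", data) is not None)


def classify(port, data):
    """Say whether the first bytes match what the well-known port promises."""
    if port == 443:
        return "tls" if looks_like_tls_client_hello(data) else "UNEXPECTED: non-TLS on 443"
    if port == 80:
        return "http" if looks_like_http_request(data) else "UNEXPECTED: non-HTTP on 80"
    return "other"


# Constructed flow records: (client, server, server port, first client bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, TLS_CLIENT_HELLO),
    ("10.0.0.5", "203.0.113.10", 80, HTTP_GET),
    ("10.0.0.7", "198.51.100.22", 443, OPAQUE_STREAM),  # a cryptcat-style session
]


def alerts(flows):
    """Return the flows whose payload does not match the port's expected protocol."""
    return [(src, dst, port, classify(port, data))
            for src, dst, port, data in flows
            if classify(port, data).startswith("UNEXPECTED")]
```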
Shadyshell
is used to tunnel data over UDP rather than over TCP. UDP port 53 is
often used, because it appears to be DNS query traffic and is usually
allowed free rein through most firewalls.
Icmpshell uses ICMP rather than UDP or TCP.
8.9.13 Vulnerability Assessment
Vulnerability assessment allows
you to figure out what is at risk on the network, regardless of
whether it is a hole in your security policy or a machine that
hasn't been patched or configured correctly.
Vulnerability assessment helps to define your security policy and
allows you to find what's at risk before an attacker
does.
Nessus
is a vulnerability-assessment tool that has its own scripting
language, tiered management, a nice GUI frontend, and multiple report
formats, including HTML. It has beaten many commercial
vulnerability-assessment tools in
"bake-off"-type contests. Even if
you have a commercial tool for this job, nessus
is a free second opinion that should be a part of every security
administrator's toolkit. You can update
Nessus's exploit plug-ins to
the most recent set by running
nessus-update-plugins if you have Internet
access. More information on using nessus to
perform a network security audit is available in [Hack #45] .
Nmap,
short for network map, is a host-and-port enumeration tool. One of
your first jobs as a security administrator is to inventory your
network. You should know every live IP address, the OS behind those
addresses, every open port on those addresses, and each piece of
software behind every open port. Nmap helps you
with this task.
Nikto
is a CGI-assessment tool that has replaced RFP's
whisker. This is application-level assessment.
P0f
stands for passive OS fingerprinting. It tells you the OS at a
particular IP address just by monitoring the wire and seeing which
sorts of packets it spits out.
This category also includes many exploits and exploit code
(/usr/bin/vuln-test/src/) for those that want to
see what actual exploits look like and how they work. TESO, ADM, RFP,
NMRC, THC, Phenoelit, and others are all well represented in this
category.
8.9.14 Wireless Tools
Wireless scanning has become a full
lifestyle for those with wardriving, warwalking, and warchalking.
There are so many wireless access points out there with DHCP and no
WEP that you should be able to hop on the Internet from just about
anywhere. Orinoco, airo, prism2, hostAP, and airjack drivers are all
included. The Orinoco drivers are patched by default, so you are able
to get into monitor mode with your Orinoco Gold or Silver with no
problems (although some newer models may need a firmware downgrade).
Kismet
is the wireless scanner of choice by most system administrators. It
simply monitors for access points and lets you know if it finds one.
[Hack #44] discusses how to use
kismet with Knoppix for wardriving.
Airsnort
and
Wellenreiter
are available for completeness but accomplish much of the same thing.
Gpsdrive
is also included and can be very handy if integrated with a GPS
device and a map of your hometown. It integrates with
kismet and marks down the latitude and longitude
of each AP found.
Fakeap
is a Perl script used in conjunction with the hostAP driver to
confound wardrivers by constantly sending out fake access point
beacons.
8.9.15 Miscellany
I've included many tools that you might not find in
your standard security toolkit. This includes many Internet
utilities. Mozilla Firebird is the primary web browser, and all the
bookmarks are prepopulated with links to the web sites of the tools
and concepts previously mentioned. Sylpheed is used as a mail and
news client. Xchat and BitchX are available for IRC. The TightVNC
client and server are also included. If you don't
have DHCP on your network, you can configure your network card from
the FluxBox menu. Just click
Internet, then Connect, then netcard config.
Between your 10-hour vulnerability assessment and staring at the ACID
alert monitor until all the colors bleed, you'll
find that security can get very boring sometimes. To alleviate this
boredom, you can listen to your MP3 collection or streaming audio
with XMMS. I've also left in some games. Frozen
Bubble and Galaga are available for the joystick junkies. Chess and
Go are available if you'd rather exercise your mind.
The following table of shortcut key combinations shows how
FluxBox
is configured:
| Key binding | Action |
|---|---|
| Alt-F1 | First workspace |
| Alt-F2 | Second workspace |
| Alt-F3 | Third workspace |
| Alt-F4 | Fourth workspace |
| Alt-F5 | Root shell |
| Alt-F6 | Root file manager |
| Alt-F7 | Mozilla Firebird |
| Alt-F8 | Text editor |
| Alt-F9 | Nmap |
| Alt-F10 | Nessus |
| Alt-F11 | Ethereal |
| Alt-F12 | Block all inbound TCP |
Knoppix-STD also allows the use of the toram and
tohd cheat codes to free up the CDROM drive after
boot [Hack #5].
In closing, I wish to thank all open source security developers out
there. Knoppix-STD is simply a patchwork quilt of other
people's hard work and energy. White, gray, or black
hat, it doesn't matter. Programmers that release
source code are not the enemy. It's an odd thing
that the art of keeping secrets can't be a secret
itself.
8.9.16 See Also
—Karl Sigler