In the previous article, we talked about how you can create a multi-boot DVD that carries all the live distros you need for network management. We mentioned that the DVD that comes with this issue is a multi-boot DVD containing four live Linux distros for security penetration testing (Auditor, Whoppix, L.A.S and PHLAK) and one clustering distro called ChaOS.
In this article, we'll tell you more about these five distros, along with some real live cases of how and where to use them.
Putting the distros to use
There are some real weak areas on your network that you should check constantly. These include the Web and mail servers, the WiFi network, the strength of passwords and a lot more. We will briefly take up each of these scenarios one by one and see what options the tools on our live CDs give you to address each issue.
LAN (Local Area Network)
The issue: The first and probably the weakest area is the Local Area Network, or what we call the LAN. We generally take this medium for granted and forget that all data from all machines passes over the LAN. So it is only a matter of minutes before somebody can capture all that data, which includes usernames, passwords, chat conversations, e-mail and much more.
This type of attack, wherein somebody captures data flowing between any two points on the network, is known as a Man-in-the-Middle attack. And even a script kiddie can do it; you just need to know which techniques and tools to use.
The solution: There are a lot of tools for man-in-the-middle attacks, most of them freely downloadable from the Internet. The most common and easily available are dsniff and ettercap. Both are highly dangerous and have a huge list of capabilities. All the live CDs we carry this time except ChaOS have both of them. The good thing about these tools is that you can also use them to strengthen your network's security. One way is to attack your own network to see which data travels over it in plain text and can be captured. The other is to use these tools to search for other sniffers running on your network. Ettercap has two different plug-ins for this: one searches for ettercap only and the other looks for any suspicious ARP behavior on the network. To start an ettercap search, just press the 'p' key, select the first plug-in and then quit the plug-in window. It will keep searching for ettercap traces from all machines and show you the list at the top of the interface.
To search for other sniffers or any suspicious ARP activity, again open the plug-in window by pressing the 'p' key and select the 15th plug-in, called arpcop. This opens a new window that shows whether any IP is trying to spoof. We tested it with both ettercap and dsniff and it found them both very easily. You can also isolate the hacker (the spoofing machine) from the network using another ettercap plug-in called leech.
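The arpcop check described above boils down to watching ARP replies for an IP whose MAC changes, or a MAC that claims several IPs. Below is an added Python example (not part of the original article or of ettercap) that applies that logic to a constructed ARP-reply trace; the addresses in ARP_REPLIES are made up.

```python
from collections import defaultdict

# Constructed ARP-reply trace as (seconds, sender_ip, sender_mac). Record 4 is the
# tell-tale of ARP poisoning: the host at ...:30 suddenly claims the gateway's IP.
ARP_REPLIES = [
    (0.0, "10.0.0.1",  "00:11:22:33:44:01"),   # gateway answering normally
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),   # workstation
    (1.0, "10.0.0.30", "00:11:22:33:44:30"),   # workstation (about to misbehave)
    (2.0, "10.0.0.1",  "00:11:22:33:44:30"),   # ...:30 now claims to be the gateway
    (2.1, "10.0.0.20", "00:11:22:33:44:30"),   # ...and to be 10.0.0.20 as well
    (3.0, "10.0.0.1",  "00:11:22:33:44:01"),   # the real gateway replies again
]

def detect_arp_spoofing(replies):
    """Walk ARP replies in order; return (ip_changes, multi_ip_macs).

    ip_changes:    list of (time, ip, old_mac, new_mac) for every IP whose MAC flips
    multi_ip_macs: {mac: set(ips)} for MACs that have claimed more than one IP
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    ip_changes = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            ip_changes.append((ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {m: ips for m, ips in mac_to_ips.items() if len(ips) > 1}
    return ip_changes, multi

def likely_spoofer(replies):
    """Return the MAC that claimed the most distinct IPs, or None if nothing is suspicious."""
    _, multi = detect_arp_spoofing(replies)
    if not multi:
        return None
    return max(multi, key=lambda m: len(multi[m]))

if __name__ == "__main__":
    changes, multi = detect_arp_spoofing(ARP_REPLIES)
    for ts, ip, old, new in changes:
        print(f"t={ts:.1f}s  {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", multi)
    print("likely spoofer:", likely_spoofer(ARP_REPLIES))
```

On a real network the same logic is fed from a packet capture; a gateway whose MAC flips more than once is the case to investigate first.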
How strong are your passwords?
The issue: This is another weak area on any network. Most users take passwords for granted and use obvious things such as a loved one's name or a birth date as their password. Worse still, some don't even change the default password assigned to them. Therefore, system administrators must establish a practice of ensuring that users change passwords regularly and that the passwords are not easy to guess. Even more important are server passwords; you must ensure that they are strong enough and protected.
The solution: Talking about cracking passwords, two methods are commonly used: the Brute Force attack and the Dictionary attack. In a Brute Force attack, an attacker tries every possible key combination to crack the password. This kind of attack can crack even strong passwords, but it takes a lot of time, which can span a month or more. When we are talking of assessing password strength, the best option is a dictionary attack. In this kind of attack, common dictionary words and combinations of words are tried, so you need a good list of words and, of course, a tool that can take those words and run the attack. One such tool, included in most of the penetration testing distros, is Hydra. It can run attacks against a huge list of services such as Web servers, LDAP and Active Directory servers, mail servers, etc., but the dictionary file is just as important for running the attacks properly. Among the four distros, we prefer Auditor and Whoppix for the dictionary file. Both have gzipped text wordlists of around 12 MB. But Auditor has something extra: dictionary files in 28 different languages.
Running Hydra is very easy. You just have to type xhydra at any terminal and a neat-looking graphical interface will open up. Here, enter the IP address or hostname of the machine on which you want to run the attack in the Target field, and select the type of attack you want to run from the 'protocol' drop-down menu: POP3, LDAP, CISCO, etc. Now click on the Passwords tab and select 'Username List'. Here enter the path of the password file. Now go to 'Password List' and enter the same path. The path for the password file on Auditor is '/opt/auditor/full/share/wordlist'. But don't forget to unzip the zipped wordlist files before you give the path. Now go to the 'start' tab, click the Start button and wait. The test could take from a few minutes to years depending upon the password strength. And if Hydra can't get the password, your password is quite safe.
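The dictionary attack above is also the basis of a defensive check: reject a password at the time it is set if it is a common word or a trivial variant of one. The following Python example is added here and is not Hydra's code or the article's; its WORDLIST, the LEET and SUFFIXES transforms and the sample accounts are constructed stand-ins, and load_wordlist is a hypothetical helper for reading a gzipped list such as Auditor's.

```python
import gzip

# Constructed stand-in for a few entries of a wordlist; a real one (Auditor's is
# about 12 MB gzipped) would be loaded with load_wordlist() below.
WORDLIST = ["password", "letmein", "summer", "admin", "monkey", "qwerty"]

LEET = str.maketrans("aeios", "43105")      # the usual a->4, e->3, i->1, o->0, s->5
SUFFIXES = ("1", "123", "!", "2005")        # digits and years users tack on

def load_wordlist(path):
    """Read a gzipped wordlist straight from disk, one word per line (hypothetical helper)."""
    with gzip.open(path, "rt", errors="ignore") as fh:
        return [line.strip() for line in fh if line.strip()]

def candidates(word):
    """Yield the transforms a dictionary attack typically tries for one base word."""
    for base in {word, word.capitalize(), word.upper(), word[::-1], word.translate(LEET)}:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
            yield suffix + base

def dictionary_weakness(password, wordlist=WORDLIST):
    """Return the base word whose variants include the password, or None."""
    for word in wordlist:
        if password in candidates(word):
            return word
    return None

def audit(accounts, wordlist=WORDLIST, min_len=10):
    """accounts: {user: candidate_password}; return {user: reason} for the weak ones."""
    findings = {}
    for user, pw in accounts.items():
        hit = dictionary_weakness(pw, wordlist)
        if hit:
            findings[user] = f"variant of dictionary word '{hit}'"
        elif len(pw) < min_len:
            findings[user] = f"shorter than {min_len} characters"
    return findings

if __name__ == "__main__":
    sample = {"alice": "Summer2005", "bob": "l3tm31n", "carol": "correct horse battery"}
    for user, reason in audit(sample).items():
        print(f"{user}: {reason}")
```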
Trouble with WiFi
The issue: This is considered to be the most insecure medium, but, believe it or not, you can make your WiFi network as strong and protected as any other network. For that, let's first look at the various WiFi security mechanisms and how secure they really are. The first of the lot, which was also the initial security mechanism used, is WEP (Wired Equivalent Privacy).
This is the easiest of the lot to crack. For details on this, read 'https://www.pcquest.com/content/topstories/wireless/103081102.asp'.
The other most common security mechanism is WPA. For configuring WPA, you have two options: either use an LDAP server to authenticate the WiFi clients or, if you do not have an LDAP server, use passkey-based WPA authentication. But in this case, it is very much possible for a hacker to run tools to do a Brute Force attack on this passkey. So get hold of the right tool before the hacker does and run it to test whether it can recover your passkey.
The solution: If you are using wireless and relying on WEP, you should do a strength test of your WEP key once in a while. For this, there is an easy-to-use tool called Airsnort, available in all four live Linux distros. To run it, first put your wireless LAN card into 'monitor mode', in which it listens to all traffic on the WiFi network while remaining invisible to others. We used a Cisco Aironet card, which can be set to monitor mode in the following manner (the Config entry is created by the Aironet kernel driver, under /proc/driver/aironet):
# echo 'Mode: r' > /proc/driver/aironet/ethx/Config
# echo 'Mode: y' > /proc/driver/aironet/ethx/Config
Here, replace ethx with the adapter name corresponding to your wireless card. Now bring up your WiFi device using:
# ifconfig wifi0 up
Finally, fire up Airsnort. Set the device name (wifi0) in the Network Device field and hit the Start button to capture packets.
The time needed to crack depends on the length of the WEP key used, which can vary from 64 to 256 bits. Longer keys are more difficult to crack. Airsnort can crack a 64-bit key after capturing at least 1200 weak IV packets. Busy hotspots with lots of traffic are more vulnerable and take less time to crack. To protect your network, check how many days it took Airsnort to crack the WEP key, and then keep changing your WEP keys after this average number of days.
The DoS worms
The issue: Another problem that a network comes across quite often is a network worm that performs a DoS (Denial of Service) attack and chokes your servers. Tracing these worms and cleaning them out of the network is not impossible, but it takes quite some time, and for that duration your servers become inaccessible.
So you need something that can partially clean up the network so that the servers can remain available. Meanwhile you can clean the network by deploying HoneyPots, which can generate fake IP addresses and redistribute the DoS attack. Say, in a given Class C subnet you have three servers running and somehow a virus starts doing a Ping of Death attack on that subnet. In this kind of scenario, HoneyPots such as Labrea can save you from all the trouble if you install one on a machine in the same subnet. Then whenever the virus starts pinging the subnet, it will see 254 nodes instead of three nodes on the network, and 98% of the traffic will be diverted to the fake IPs running on the Labrea machine.
The solution: The easiest way to fight these worms is to deploy a HoneyPot and IDS combo. You might be thinking that it would be very difficult to do, but it is as easy as running the following command from any of your live CDs.
# labrea -O -z -v
This command will generate as many fake IPs as possible on your network. So if you have a Class C network with 25 live nodes, Labrea will generate 224 fake IPs on your network. As a result, the DoS attack gets redistributed to the fake nodes. Additionally, Labrea figures out which machine (IP) is causing the attack, and that is enough for you to know which machine to clean up in order to save your network from such Denial of Service attacks. This tool can also be used to feed fake results to Nmap or other port scans.
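Labrea's trick is to answer ARP requests for addresses that no real host claims, then watch who keeps talking to those fakes. The Python example below is added here (it is not Labrea's code or the article's) and simulates that behaviour on a constructed ARP trace: the subnet, the three live hosts, the worm's address and the 3-second CAPTURE_TIMEOUT are all assumed values.

```python
from collections import Counter

SUBNET = "192.0.2."                                       # constructed Class C (documentation range)
LIVE_HOSTS = {"192.0.2.1", "192.0.2.10", "192.0.2.20"}    # the three real servers
WORM = "192.0.2.66"                                       # constructed: infected host sweeping the subnet
CAPTURE_TIMEOUT = 3.0   # assumed: seconds with no real ARP reply before the tarpit claims an address

def constructed_arp_trace():
    """Time-ordered events ("request", t, asker, target) / ("reply", t, ip): one normal
    lookup, then the worm ARPs every address in the subnet and only live hosts answer."""
    events = [("request", 0.0, "192.0.2.10", "192.0.2.1"), ("reply", 0.001, "192.0.2.1")]
    for n in range(1, 255):
        ip = SUBNET + str(n)
        if ip == WORM:
            continue
        t = 1.0 + n * 0.01
        events.append(("request", t, WORM, ip))
        if ip in LIVE_HOSTS:
            events.append(("reply", t + 0.001, ip))
    return sorted(events, key=lambda e: e[1])

def tarpit_capture(events, timeout=CAPTURE_TIMEOUT):
    """Return (captured, asker_counts): addresses the tarpit claims because nobody
    answered for them in time, and how often each host sent traffic to those fakes."""
    pending = {}                  # target ip -> (time of first unanswered request, asker)
    captured = set()
    asker_counts = Counter()
    def expire(now):
        for ip, (t0, asker) in list(pending.items()):
            if now - t0 >= timeout:
                captured.add(ip)
                asker_counts[asker] += 1
                del pending[ip]
    for ev in events:
        expire(ev[1])
        if ev[0] == "reply":
            pending.pop(ev[2], None)          # a real host exists here; never claim it
        else:
            _, t, asker, target = ev
            if target in captured:
                asker_counts[asker] += 1      # more traffic aimed at a fake node
            elif target not in pending:
                pending[target] = (t, asker)
    expire(float("inf"))                      # end of trace: claim whatever is still unanswered
    return captured, asker_counts

def likely_attacker(asker_counts, min_hits=10):
    """The host that hit the most fake addresses, if it hit enough of them to matter."""
    if not asker_counts:
        return None
    ip, hits = asker_counts.most_common(1)[0]
    return ip if hits >= min_hits else None
```

Real Labrea works from live ARP traffic and also slows the captured TCP connections down; the simulation keeps only the address-claiming and attacker-identification logic.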
Anindya Roy