by July 1, 2005 0 comments

In the previous article, we talked about how you can create a multi-boot DVD that carries all the live distros you need for network management. We mentioned that the DVD that comes with this issue is a multi-boot DVD containing four live Linux distros-Auditor, Whoppix, L.A.S and PHLAK for security and one clustering distro called ChaOS-for security penetration testing and clustering. 

In this article, we’ll tell you more about these five distros, along with some real live cases of how and where to use them.
Putting the distros to use There are some real weak areas on your network, which you should do a constant checkup of. These include the Web and mail servers, the WiFi network, the strength of passwords and lot more. We will briefly take up each of these scenarios one by one and will try to see what all options are available to access this issue using the tools available in our Live CDs.

LAN (Local Area Network)
The issue: The first and the weakest area is probably the Local Area Network or what we call the LAN. We generally take this medium for granted and forget that all data from all machines will pass over your LAN. So it’s only a matter of minutes before somebody can capture all the data, which includes usernames, 
passwords, chat conversations, e-mail and much more. 


Applies to: Network and security administrators

USP: Highlights of the five live Linux
distros, and using them to secure your network, passwords, WiFi and much more

Primary Link:

Google keywords:
ChaOS, PHLAK, Whoppix, Auditor, L.A.S
On PCQXtreme
PCQXtreme Multi-boot DVD 

This type of attack, wherein somebody is capturing data flowing between any two points on the network is known as a Man-in-the-Middle attack. And even a script kiddie can do it. You just need to know what techniques and tools to use. 

The solution: There are lot of tools to do man-in-the-middle attacks, most of which are freely downloadable from the Internet. The most common and easily available tools are dsniff and
ettercap. Both are highly dangerous and have a huge list of capabilities. All live CDs we carry this time except ChaOS have both of them. But the good thing about these tools is that you can also use them to strengthen your network’s security. One is by
attacking your network to see which data traveling over the network is in plain text and capturable. The other way is to use these tools to search for other sniffers
running on your network. Ettercap has two different plug-ins, one for searching ettercap only and the other for searching any suspicious ARP behavior on the network. To start an ettercap search, just press the ‘p’ key and select the first plug-in and then quit the plug-in window. It will continue searching for ettercap traces from all machines and show you the list at the top of the interface.


This one has more than 300 security applications, which have been classified under nicely named menus. It 
includes each and every tool available under the sun for security auditing and penetration testing, such as Honeypots, Forensic Tools, Sniffers, Wireless Snifers, Bruteforcers, etc. If you are not very familiar with the command line of Linux, this one is the best option to start with.

To search for other sniffers or any suspicious ARP activity, again open the plug-in window by pressing the ‘p’ key and select the 15th plug-in called arpcop. This will open a new window and show if any IP is trying to spoof or
not. We tested it with both ettercap and dsniff and it found them both very easily. You can also isolate the hacker (spoofing machine) from the network by using ettercap using another plug-in called leech.

How strong are your passwords? 
The issue:
This is another weak area on any network. Most users take passwords for granted and use their obvious things such as a near one’s name or birth date as their password. Worse still, some don’t even change the default password assigned to them. Therefore, system administrators must establish a practice of ensuring that users change passwords regularly, and that they’re not easy to guess. Even more
important are server passwords and you must ensure that they are strong enough and protected. 

The solution: Talking about cracking passwords, two methods are commonly used-the Brute Force Attack and the
Dictionary attack. In case of Brute Force 
attack, an attacker tries all the key combinations possible to crack the password. This kind of attack can crack even strong passwords. But this takes a lot of time that can be span a month or more. But when we are talking of accessing the password strength, the best option is a dictionary
attack. In this kind of attack, some 
common dictionary words and combination of words are used and you obviously need a good list of words and of course a tool that can use those words and run the attack. One such tool used in most of the penetration testing distros is Hydra. It has a huge list of services on which it can run attacks such as Web servers, LDAP and
Active Directory servers, mail servers, etc. but the dictionary file is also very
important to run the attacks properly. Among all four distros, we prefer the 
Auditor and whoppix for the Dictionary file. Both have around 12 MB sized gzipped text files. But Auditor has something
extra-dictionary files in 28 different 


This isn’t a
penetration testing distro, but is nevertheless very useful when you are doing some brute force attacks to check password or encryption strengths. This distro is a stripped OpenMosix Live Linux OS which can convert your existing network into a SSI (Single System Image) cluster. So imagine youself as running a brute force attack to check the strength of a password, which would normally take 30 days to crack. Instead of spending 30 days, run ChaOS on multiple machines and the same attack can get over much faster, depending upon the number of machines you use in parallel with each other.

Running Hydra is very easy. You just have to type in xhydra at any terminal and a neat looking graphical interface will open up. Here enter the IP address or hostname of the machine on which you want to run the attacks at the Target field and select the Type of attack you want to run from the ‘protocol’ drop down menu-POP3, LDAP, CISCO, etc. Now click on the Passwords tab and select the ‘Username List’. 

Here enter the path of the password file. Now go to the Password List and enter the same path. The path for the password file for Auditor is ‘/opt/auditor/full/share/ wordlist’. But don’t forget to unzip the zipped wordlist files before you give the path. Now go to the ‘start’ tab and select the Start button and wait. The test could take from a few minutes to years based upon the password strength. And if Hydra can’t get the password, your password is quite safe.

Trouble with WiFi
The issue: This is considered to be the most insecure medium, but if you can 
believe, you can make your WiFi network as strong and protected as any other 
network. For that, let’s first look at the various WiFi security mechanisms and how secure they really are. The first of the lot, which was also the initial security mechanism used, is WEP (Wired Equivalent

L.A.S (Local Area Security)

This is the most lightweight of the lot, which we guess is because it lacks many security tools. But if you plan to run it on a slow machine with low RAM and you want to use some very common tools such as Nessus, NTop, or ettercap, this is the best bet.

This is the easiest to crack of the lot. For details on this, read ‘‘.
The other most common security mechanism is WPA. For configuring WPA, you have two options-either use a LDAP server to authenticate the WiFi clients or if you do not 
have LDAP server, then you can use passkey based WPA authentication. 

But in this case, it’s very much possible for a hacker to run some tools to do a Brute Force attack on this passkey. So get hold of the right tool before the hacker does and run it to test whether it can decode your passkey. 

The solution: If you are using Wireless and relying on WEP, you should once in a while do a strength testing of your WEP key. For this, you have an easy-to-use tool called airsnort, which is available in all four live linux distros. To run it, first put your wireless LAN card into ‘monitor mode’, which will then listen to all traffic on the WiFi network, and remain invisible to others. We used a Cisco Aironet card, which can be set to monitor mode in the following manner.

# echo ‘Mode: r’ > /proc/driver/airsnort/ethx/Config
# echo ‘Mode: y’ > /proc/driver/airsnort/ethx/Config

Here, replace ethx with the adapter name corresponding to your wireless card. Now start your WiFi device using:

# ifconfig wifi0 up 

Finally, fire up Airsnort. Set the device name (wifi0) in the Network Device field and hit the Start button to capture packets. 


This stands for Professional Hacker’s Linux Assault Kit. This distro has all the necessary tools for penetration testing, Computer Forensics, and network auditing. However, it requires a real Linux geek to operate. The best thing about the distro is its good collection of
security related documents.

The time needed to crack depends on the encryption length of WEP keys used, which can vary from 64 to 256 bits. Longer encryption keys are more difficult to crack. Airsnort can crack a 64-bit encryption key after capturing at least 1200 weak IV packets. Busy hotspots with lots of traffic are more vulnerable and would take lesser time to crack. To protect your network, check how many days it took to crack the WeP key using Airsnort, and then keep changing your WEP keys after this average number of days. 

The DoS worms
The issue:
Another problem which a network comes across quite often is a network worm which does a DoS (Denial of 
Service) attack and chokes your servers. Tracing these worms and cleaning them out from the network is not impossible but the problem is that it takes quite some time and for that duration your servers become

Here comes a need for something that can partially clean up the network so that the servers can still be available. Meanwhile you can clean the network by implementing some HoneyPots, which can generate fake IP-addresses and redistribute the DoS attack. Say, in a given Class C subnet you have three servers 
running and somehow a virus starts doing a Ping of Death attack on that subnet. 

In this kind of scenario, HoneyPots such as Labrea can save you from all the trouble if you install it on a machine on the same subnet. Then whenever the virus starts Pinging the subnet
it will see 254 nodes instead of three nodes on the network and 98% of the traffic will be diverted to the fake IPs running on the Labrea machine.


Whoppix (WhiteHat Knoppix) includes several exploit archives such as Securityfocus, Packetstorm, SecurityForest and Milw0rm, as well as a wide variety of updated security tools. The new custom kernel also allows for better WiFi support for tools such as Aireplay. Another good thing about the distro is the Flash demos for using different exploits such as Nessus, Hydra, etc which comes with it. If you don’t have the distro with you, you can also check the Flash demos from

The solution: The easiest way to fight these worms is to deploy a HoneyPot and IDS combo. You might be thinking that it would be very difficult to do, but it is as easy as running the
following command from any of your live CD.

#labrea —O —z —v

This command will generate as many fake IPs as possible on your network. So if you have a Class C network and have 25 Live nodes, Labrea will generate 224 fake IPs on your network. As a
result, the DoS attack will get redistributed to the fake nodes. Additionally Labrea also figures out which machine (IP) is causing the attack. And that is enough for you to know which machine to clean up in order to save your network from such Denial of
Service attacks. This tool can also be used to fake the NMap or port scan results.

Anindya Roy

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.