Security Testing with Nubuntu TESTY EFT Visuellewerkstatt.De, Photocase.Com

KNOW-HOW nUbuntu Security Tools

Security testing with nUbuntu TESTY EFT visuellewerkstatt.de, photocase.com

Study your network’s defenses with the Ubuntu-based nUbuntu ries rather than from the menu. Open a terminal and cd to /tools, then enter ls to security testing distribution. BY RUSS MCREE list the contents of the /toolsdirectory. Directories for the major tool categories everal Linux distros address the all Ubuntu underneath. Because the main and subdirectories for the various tools needs of the information security attraction with this Linux is the security are found in each category. Some tools, Sprofessional. If you’ve had any tools – no one is going to install nUbuntu such as Amap, Nmap, and Wireshark, exposure to the tools of the trade [1], as an end-user system – I decided to run right from /usr/bin. you’ve probably heard of distributions focus on nUbuntu’s security utilities. In such as BackTrack, Helix, KcPentrix, or this article, I introduce a few of the useful BED v0.5 Knoppix-STD. An Ubuntu-based security and interesting security applications BED, or the Bruteforce Exploit Detector distro is also available. nUbuntu (net- you’ll find in nUbuntu. Of course, com- [2], is a rudimentary but useful fuzzer. work Ubuntu) is best described as mon testing tools such as Nmap, Yersinia, Fuzzing is an excellent way to find flaws Ubuntu for the security aware. Accord- Ettercap, Kismet, Dsniff, and Wireshark in network applications, basically by ing to the nUbuntu website, the goal of are also available, but the nUbuntu project is “… to create a because these tools are distribution that is derived from the already well docu- Ubuntu distribution, add packages re- mented, I’ll focus on lated to security testing, and remove un- utilities that are useful needed packages, such as Gnome, Ope- but less well known. A noffice.org, and Evolution.” In other summary of additional words, nUbuntu goes light on the GUI nUbuntu security tools desktop but comes with a long list of se- is shown in Table 1. curity tools for scanning, enumeration, fuzzing, attacking passwords, sniffing, Getting Started and spoofing. The vast majority of the The current version of nUbuntu is scripts included in based on Ubuntu 6.10 “Edgy Eft.” Like nUbuntu run best from the other Ubuntu derivatives, nUbuntu is their individual directo- Figure 1: Spot the SPIMmer with DNS Enum.

52 ISSUE 84 NOVEMBER 2007 nUbuntu Security Tools KNOW-HOW

breaking them. Thus, if I fuzz a web Listing 1: BED Output server on port 80 and it fails, it could well be vulnerable. Creator Martin 01 BED 0.5 by mjm ( www.codito.de ) & eric ( www.snake-basket.de ) Muench describes BED v0.5 as “… a col- 02 lection of scripts to automatically test 03 + Buffer overflow testing: implementations of different protocols 04 testing: 1 HEAD XAXAX HTTP/1.0 ...... for buffer overflows and/ or format string vulnerabilities, by sending a lot of long 05 testing: 2 HEAD / XAXAX ...... strings to a server in a boring, stupid 06 testing: 3 GET XAXAX HTTP/1.0 ...... way” [3]. He’s a little hard on himself, in 07 testing: 4 GET / XAXAX ...... that the tool does its job well. If you 08 testing: 5 POST XAXAX HTTP/1.0 ...... change to the /tools/fuzzers/bed direc- 09 testing: 6 POST / XAXAX ...... tory, you can then run ./bed.pl for usage feedback. For a quick test, I fired up an 10 testing: 7 GET /XAXAX ...... older Knoppix release in a secondary 11 testing: 8 POST /XAXAX ...... machine and set BED loose against httpd 12 + Formatstring testing: over port 80: 13 testing: 1 HEAD XAXAX HTTP/1.0 ...... 14 testing: 2 HEAD / XAXAX ...... /bed.pl -s HTTP -t U 15 testing: 3 GET XAXAX HTTP/1.0 ...... 192.168.238.53 16 testing: 4 GET / XAXAX ...... The -s option calls your plugin of choice 17 testing: 5 POST XAXAX HTTP/1.0 ...... (such as ftp, http, SMTP, POP, IRC, or 18 testing: 6 POST / XAXAX ...... LPD), and -t indicates the target. 19 testing: 7 GET /XAXAX ...... If http is running on a different port, 20 testing: 8 POST /XAXAX ...... you can add the -p option. You might have to wait a while before BED finishes a complete cycle. Listing 1 is an example com), you’ll receive the root URL regard- Also, if you are possessed of Victorian of BED output. less – effective for social engineering and sensibilities and share an unswitched If httpd crashes, you know you’ve annoying in every way. network with others who are not, you found a soft spot. For more information should probably not use it.” on fuzzing, see “Stack Overflow Exploi- Driftnet Pseudo-legalese aside, Driftnet is a use- tation Explained” [4]. I find Driftnet highly entertaining, and ful tool for monitoring violations of your you may as well, so long as you are ab- acceptable use policy (Figure 2). Just re- DNS Enum solutely clear on its purpose. According member, when monitoring a corporate For testing your name resolution system, to the project homepage [5], Driftnet “… network, it is essential to display a logon nUbuntu includes an efficient little script listens to network traffic and picks out banner indicating to users that they are called DNS Enum that enumerates DNS images from TCP streams it observes.” subject to monitoring and potential disci- information. To use DNS Enum in Chris Lightfoot, the developer, sums it plinary action if violations are noted. nUbuntu, first go to /tools/enum/dnse- up best: “Obviously, Driftnet is an inva- The violations you are likely to note num, then enter: sion of privacy of a fairly blatant sort. with this tool will likely include poten-

perl dnsenum.pl domain_name U Table 1: Other nUbuntu Security Tools dns.txt Tool Description Metasploit An open source platform for developing, testing, and using exploit code. A well-managed domain won’t give up Nmap The de facto standard port scanner. too much information or a zone transfer. Yersinia A network tool designed to take advantage of weaknesses in network protocols. Enumerating a domain like sans. org Ettercap A multipurpose sniffer/ interceptor/ logger for switched LANs. shows only the name servers, failed Kismet An 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection zone transfer attempts, no C class IPs re- system. turned, no responses to reverse lookups, Wireshark A network protocol analyzer, formerly Ethereal. and no responses to the queries listed in GooScan A tool that automates queries against Google, designed to find potential vulnera- dns.txt. However, at the opposite ex- bilities on web pages (violates Google’s Terms of Service). treme, a query of a pseudo-malicious site MD5coll An MD5 collision generator. like messenger-tips. com (don’t go there) RainbowCrack Hash cracker that uses the faster time-memory trade-off technique. results in a response for every query in Amap A tool for performing fast, reliable application protocol detection independent of the TCP/ UDP port. dns.txt (Figure 1). That’s so that when Dsniff Packet sniffer and traffic analysis tools that decode information sent across the you’re spimmed (spammed in IM) with a network, rather than simply capturing and printing raw data. random URL, (i.e., *. messenger-tips.

NOVEMBER 2007 ISSUE 84 53 KNOW-HOW nUbuntu Security Tools

Figure 2: Monitoring images sent over your network with Driftnet. Figure 3: Monitoring changes with PBNJ. tially disturbing images, so be prepared. a name you choose, and select the I like to run Driftnet as follows: screen area you want to capture. [7], the time-honored port scanner. PBNJ As an added bonus, Driftnet can also will parse the data from a scan, store it /usr/bin/driftnet -v -I eth0. capture MPEG audio. Also, you can con- in a database, and use Nmap to perform figure it to run in adjunct mode so that scans. Database options include SQLite This command will also dump rudimen- other programs can gather images from (default), MySQL, Postgres, and CSV. tary network activity to the terminal, like the network. The two primary components of PBNJ a simplified Tcpdump. Images can be are scanpbj and outputpbnj. Scanpbnj saved to the current directory by clicking PBNJ 2.04 will use Nmap to conduct the actual on them in the resulting viewer window. PBNJ [6] is worthy of its own article scan, and Outputpbnj will format the After booting nUbuntu, you can also in- (Figure 3). PBNJ is a “… suite of tools to results. If you like, you can choose to stall the tiny screenshot utility Scrot. Type monitor changes on a network over schedule scans via cron jobs. time. It does this by checking for To test the value of PBNJ, go to /tools/ sudo apt-get install scrot changes on the target machine(s), which scanners/pbnj-2.04 directory and enter: includes the details about the services at a terminal prompt, then issue scrot -s running on them as well as the service ./scanpbnj IP_or_hostname imagename.png>, where imagename is state.” You might be familiar with Nmap For the next example, I scanned an Listing 2: Extracting URLS with List-URLs IPCop firewall with SSH enabled then 01 ############################# 18 standards.htm disabled, indicating how a small tool like PBNJ could serve as a network tripwire, 02 # 19 practices.htm monitoring critical systems for changes # 20 philosophy.htm at regular intervals. To generate a CSV 03 # Extract URLS from 21 publications.htm report, execute: a web page # 22 links.htm 04 # muts@whitehat. U 23 definition.htm ./outputpbnj -q latestinfo co.il # -t csv Report.txt. 24 gnugpl.htm 05 # # 25 http://holisticinfosec. INFO blogspot.com/ 06 ############################# [1] Security distros: http:// www. 26 http://validator.w3.org/check/ 07 securitydistro. com referer [2] BED: http:// www. cobra-basket. de/ bed. 08 http://www.pnwer.org/portal/ 27 http://jigsaw.w3.org/ html psacs css-validator/ [3] nUbuntu: http:// www. nubuntu. org/ 09 http://www.cyberconflict.org/ about. php 28 sec_dash/index.htm 10 http://stopbadware.org/ [4] “Stack Overflow Exploitation Ex- 29 http://labs.idefense.com/ plained”: http:// milw0rm. com/ papers/ 11 http://bleedingsnort.com/ software/malcode.php 140 12 http://www.owasp.org/index.jsp 30 http://www.cisecurity.org/ [5] Driftnet: http:// ex-parrot. com/ ~chris/ 13 index.htm 31 http://issa.org driftnet/ [6] PBNJ: http:// pbnj. sourceforge. net/ 14 contact.htm 32 toolsmith.htm [7] Insecure.org: http:// www. insecure. org 15 toolsmith.htm 33 http://www.owasp.org/ [8] Badstore: http:// www. badstore. net 16 howtos.htm images/0/01/Secure_Web_App_ [9] Foundstone: http:// www. foundstone. Server_McRee_OWASP.pdf 17 simplicity.htm com/ us/ index. asp

54 ISSUE 84 NOVEMBER 2007 nUbuntu Security Tools KNOW-HOW

Figure 4: ISR-Form pulls information from HTML tags.

nUbuntu also comes with a This script offers a quick, couple of little scripts that are easy way to learn a good deal useful for reconnaissance about a site and its relation- against a website you’ve been ships with other sites. asked to include in your en- terprise penetration test. Summary Enhanced security is a func- WWW Enumeration tion of increased awareness, ISR-Form is a simple HTML and security distros like parser that pulls information nUbuntu can help heighten from HTML form tags to ana- your awareness of potential lyze web applications (Figure threats. Security practitio- 4). To use ISR-Form, enter: ners, and the merely curious, will find nUbuntu a useful wget -r www.yoursite.com and educational distribution, but, as with all security-ori- to recursively download a site ented tools, you can get your- you want to analyze. Change self in a good deal of trouble to /tools/enum/isr-form-1.0 should you test against sys- then enter: tems that aren’t yours. This distro, and the appli- ./isr-form.pl -l U cations it includes, are de- /home/nubuntu/ U signed to uncover vulnera- www.yoursite.com U bilities; the tools I describe -o /home/nubuntu/ U can quite easily bring a server www.yoursite.com. U to its knees. Let common form.txt. sense prevail, and you’ll find yourself with hours of useful This command will send all discovery. form tag findings to a report I recommend a local LAN, file that you can use to vali- unique to you, with a small date input methodology in switch and a virtual machine the page code. host where you can mount Another web-related script images of vulnerable systems in nUbuntu is List-URLs, from Badstore.net [8] or which extracts all URLs from Foundstone [9] that you can a page (Listing 2). To run practice on. List-URLs, change to /tools/ nUbuntu is a fairly young enum/list-urls and enter: project that is looking for additional support. If you want ./list-urls.py U contribute, contact Tom Bell http://yoursite.com. at [email protected]. ■

NOVEMBER 2007 ISSUE 84 55