Using the Network Security Toolkit

by Ronald Henderson (rhenderson@unifiedholdings.com) and Paul Blankenbaker ([email protected])

Copyright © 2003, 2004 Respective Authors

This document provides guidelines for the typical usage of the Network Security Toolkit for common problems.

Table of Contents

1. Getting Started ...... 1
   Check the System Requirements ...... 1
   Downloading And Burning The ISO Image ...... 3
   On A Linux System ...... 3
   On A Windows System ...... 5
   Examine the Boot Options ...... 5
   Booting ...... 5
   Booting Without a DHCP Server ...... 6
   The NST_CDROM_IDE Option (ide) ...... 6
   Using A Serial Console At Boot ...... 6
   Choose an Access Method ...... 9
   Console Access ...... 9
   Serial Port Access ...... 10
   Access Via ssh/putty ...... 10
   Use the Web User Interface ...... 10
   Bring Up an X Desktop on the Local System ...... 10
   Run an X Desktop Remotely (VNC) ...... 12
   Changing the Password (nstpasswd) ...... 14
   Text Editors (vim, jed) ...... 15
   Determine or Set the IP Address ...... 16
   Automating Your Setup with lnstcustom ...... 17
   Preparing a Thumb Drive for lnstcustom ...... 18
   Using lnstcustom With a Web Server ...... 19
2. The Web User Interface (WUI) ...... 23
   Initial Connection ...... 23
   In Two Clicks ...... 26
   Examining Snort Results ...... 28
   Probing With Nessus ...... 39
   Traffic Monitoring With bandwidthd ...... 49
3. NST Scripts ...... 59
   Network Time Protocol (NTP) ...... 59
   RAM Disk Creation ...... 60
   MySQL ...... 62
   Snort (NST v1.0.4) ...... 65
   Snort (NST v1.0.5 and Above) ...... 75
   Setup Snort Example: Standalone Configuration ...... 78
   Setup Snort Example: Backend MySQL Snort Database With Remote IDS Snort Probes ...... 87
   Nessus ...... 101
   ettercap ...... 101
   IFGraph ...... 101
   ...... 101
   BandwidthD ...... 106
   Nikto ...... 106
   ...... 106
   setup_sendmail ...... 112
   Checking sendmail Status ...... 114
   Becoming a SMTP Server ...... 118
   Enabling Smart Host ...... 119
4. File Systems ...... 125
   Finding Mounted File Systems ...... 125
   Finding Unmounted Disks ...... 125
   Using File Systems ...... 126
   Making Use of Swap Space ...... 126
   Mounting Local Hard Disks ...... 127
   Mounting USB Thumb Drives ...... 128
   Making SMB (Windows Shares) ...... 128
   Mounting NFS Drives ...... 130
   Loopback Tricks ...... 131
   Mounting A File As A Filesystem ...... 131
   Mounting a ISO Image ...... 133
   Mounting a Initial RAM Disk ...... 133
   Mounting A Encrypted Filesystem (**Note: Fedora Core 2 and Above Only) ...... 134
5. System Recovery ...... 137
   Windows XP Recovery ...... 137
   Using a DVD+RW Drive ...... 138
6. Using NST In The Wild ...... 143
   Overview ...... 143
   Basic Simple: 1 ...... 143
   Basic Simple: 2 ...... 143
   Mobile Wireless Monitoring ...... 143
   Small Business Configuration ...... 144
   Enterprise Configuration ...... 144
7. Using VPNs With NST ...... 147
   Overview ...... 147
   The VPN PPP Tunneled Over SSH Script: vpn-pppssh ...... 147
   VPN: PPP Tunneled Over SSH ...... 152
   VPN: Tunnelling Multiple PPP Links Over SSH ...... 153
   VPN: PPP Tunneled Over SSH Overhead Discussion ...... 154
   VPN: PPP Tunneled Over SSH Effective Throughput Rate Discussion ...... 158
   Effective Throughput Rate: NST Probe - NST Probe Same Fast Ethernet LAN Segment ...... 159
   Effective Throughput Rate: NST Probe - NST Probe On Different Fast Ethernet LAN Segments (2 VLANs) ...... 162
   Effective Throughput Rate: NST Probe - NST Probe On Different Fast Ethernet LAN Segments (2 VLANs) Using a PPP Tunneled Over SSH VPN ...... 163
   VPN: FreeS/WAN IPSEC ...... 168
8. Virtual Computing ...... 171
   Secure Virtual Computing ...... 171
   Secure Virtual Computing With Microsoft Remote Desktop (RDP) ...... 171
9. LDAP ...... 173
   LDAP search example ...... 173
10. Serial Traffic Monitoring ...... 175
   Cable Construction ...... 175
   Monitoring Session - Using Basic Linux Utility Programs ...... 175
   Monitoring Session - Using NST Utility Program: "monitor_serial" ...... 178
11. Global Positioning System (GPS) ...... 181
   ...... 181
12. Networking ...... 185
   Ethernet/Fast Ethernet/Gigabit Ethernet Network Cabling ...... 185

Chapter 1. Getting Started

This section is for those who downloaded version 1.0.6 (it's still useful for 1.0.5) of the bootable ISO image file from http://sourceforge.net/projects/nst and successfully burned it to a CDROM. If you received your ISO from some other location or created a custom ISO from the source code, it is likely that there will be discrepancies.

Check the System Requirements

The Network Security Toolkit is designed to provide a large assortment of tools that run entirely in RAM. A primary goal of the project was to provide a bootable ISO that anyone could try booting without fear of having the contents of their hard drive modified. Because of this basic design decision, the Network Security Toolkit requires a fair amount of RAM. Here are the minimum system requirements.

Table 1-1. Minimum Requirements

CPU
   Minimum: Celeron   Recommended: i686
   Notes: It will NOT run on an Intel 386, Intel 486, or Intel Pentium class CPU. It is known to work on the Intel Celeron (466MHz) and above, Intel Pentium II (266MHz) and above, AMD Athlon, AMD Duron, and AMD Athlon XP.

RAM
   Minimum: 128MB   Recommended: 256MB
   Notes: The minimum amount of 128MB is only enough for basic applications. If you want to run X, snort2, or any serious set of applications, you will want at least 256MB of RAM. If you have Linux swap partitions available and don't mind having the Network Security Toolkit make use of them, you can use the laddswap command.

Motherboard
   Minimum: -   Recommended: -
   Notes: The Network Security Toolkit should work on any motherboard which is supported by Red Hat Linux 9. However, some newer motherboards have components which we don't have the drivers for. You typically get a kernel panic at boot time in this situation.

Ethernet
   Minimum: 0   Recommended: 2
   Notes: Technically, you could use the Network Security Toolkit without an Ethernet card installed. However, it wouldn't be of much use for networking. Two (or more) Ethernet ports are strongly recommended, allowing one to be used for general access to the Network Security Toolkit and the others to act as probes to monitor network traffic (stealth mode). The drivers included on the ISO may or may not support the Ethernet devices in your system (some of the newer motherboards have Ethernet devices which don't work).

CDROM
   Minimum: 24X   Recommended: 52X
   Notes: It would probably work on a 4X CDROM, but the access time would be painfully slow. Older CDROM drives seem to require the NST_CDROM_IDE option at boot time.

Downloading And Burning The ISO Image

The downloading and burning of the Network Security Toolkit ISO involves the following:

• Downloading the gzipped ISO image from the Files section found on the project page at SourceForge. Look for nst-1.0.5.iso.gz in the list of files available for download. You should be able to start downloading the ISO for the 1.0.5 release by pointing your browser at http://prdownloads.sourceforge.net/nst/nst-1.0.5.iso.gz?download.

• You may want to compare the MD5 of the nst-1.0.5.iso.gz which you downloaded against the value in the manifest. If you have a valid copy of the Network Security Toolkit ISO image, your MD5 checksum should match the value at the web site.

• You will need to uncompress the ISO image.

• You may want to download and run the nstisopasswd-1.0.5. script to set the default password in your ISO image prior to burning. I suspect that many of you will skip this step, and later realize that you really wish you hadn't (hope you are using CDRW media).

  Note: This feature became available in the 1.0.5 release.

• You will then need to burn the uncompressed ISO image to a CDR or CDRW disk using your favorite CD burning software.

On A Linux System

Assuming that you have the wget, md5sum and cdrecord commands installed and configured on your system and that you've downloaded the ISO image to the file nst-1.0.5.iso.gz, you should be able to create your bootable CD using the following set of commands:

[root@quesadilla root]# md5sum nst-1.0.5.iso.gz
1540d0a08c90735aae375718e35b6514  nst-1.0.5.iso.gz (1)
[root@quesadilla root]# gunzip nst-1.0.5.iso.gz
[root@quesadilla root]# wget -nH \
    http://www.networksecuritytoolkit.org/nst/log/nstisopasswd-1.0.5.bash (2)
--13:38:19--  http://www.networksecuritytoolkit.org/nst/log/nstisopasswd-1.0.5.bash
           => 'nstisopasswd-$1.0.5.bash'
Connecting to 192.168.100.92:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1,565 [text/plain]

100%[======>] 1,565  1.49M/s  ETA 00:00

13:38:19 (1.49 MB/s) - 'nstisopasswd-1.0.5.bash' saved [1565/1565]

[root@quesadilla root]# chmod +x nstisopasswd-1.0.5.bash
[pkb@localhost pkb]$ ./nstisopasswd-1.0.5.bash NEWPASS nst-1.0.5.iso (3)
... Either confirmation that new password was set, or error message ...
[root@quesadilla root]# cdrecord -v -eject blank=fast nst-1.0.5.iso (4)
Cdrecord 2.0 (i686-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
TOC Type: 1 = CD-ROM
scsidev: '0,0,0'
scsibus: 0 target: 0 lun: 0
Linux sg driver version: 3.1.24
Using libscg version 'schily-0.7'
atapi: 1
Device type    : Removable CD-ROM
Version        : 0
Response Format: 2
Capabilities   :
Vendor_info    : 'LITE-ON '
Identifikation : 'LTR-52327S '
Revision       : 'QS04'
Device seems to be: Generic mmc CD-RW.
Using generic SCSI-3/mmc CD-R driver (mmc_cdr).
Driver flags   : MMC-3 SWABAUDIO BURNFREE FORCESPEED
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1422080 = 1388 KB
FIFO size      : 4194304 = 4096 KB
Track 01: data   470 MB
Total size:      540 MB (53:30.69) = 240802 sectors
Lout start:      540 MB (53:32/52) = 240802 sectors
Current Secsize: 2048
ATIP info from disk:
  Indicated writing power: 1
  Reference speed: 0
  Is not unrestricted
  Is erasable
  Disk sub type: Ultra High speed Rewritable media (2)
  ATIP start of lead in:  -11076 (97:34/24)
  ATIP start of lead out: 336075 (74:43/00)
  1T speed low:  16 1T speed high: 16
  2T speed low:   8 2T speed high: 24
  power mult factor: 4 5
  recommended erase/write power: 1
  A1 values: 66 4A 99
  A2 values: 38 80 00
  A3 values: 04 C4 A0
Disk type:    Phase change
Manuf. index: 11
Manufacturer: Mitsubishi Chemical Corporation
Blocks total: 336075 Blocks current: 336075 Blocks remaining: 95273
Forcespeed is OFF.
Starting to write CD/DVD at speed 16 in real TAO mode for single session.
Last chance to quit, starting real write    0 seconds. Operation starts.
Waiting for reader process to fill input buffer ... input buffer ready.
Performing OPC...
Blanking PMA, TOC, pregap
Blanking time:   11.514s
BURN-Free is OFF.
Performing OPC...
Starting new track at sector: 0
Track 01:  470 of  470 MB written (fifo 100%) [buf  99%]  17.0x.
Track 01: Total bytes read/written: 493158400/493158400 (240800 sectors).
Writing  time:  205.250s
Average write speed  15.6x.
Min drive buffer fill was 98%
Fixating...
Fixating time:   22.157s
cdrecord: fifo had 7768 puts and 7768 gets.
cdrecord: fifo was 0 times empty and 6614 times full, min fill was 89%.
[root@quesadilla root]#

Figure 1-1. Burning CDRW From ISO On Linux

(1) If the MD5 value reported doesn't match 1540d0a08c90735aae375718e35b6514, it probably means that the ISO image you downloaded did not come through clean.

(2) The wget utility will not set the executable flag on the script file. We do this ourselves so that we may invoke it.

(3) The nstisopasswd-1.0.5.bash script will only modify the contents of the ISO after verifying that the ISO image is compatible with the script. You will see an error message if you downloaded the incorrect version or your ISO image is corrupt.

    Note: This feature became available in the 1.0.5 release.

(4) Omit the blank=fast if you are using CDR media or a fresh (already blank) CDRW.

On A Windows System

You will need to use your web browser (Internet Explorer) to download the nst-1.0.5.iso.gz ISO image from the Files area of the Network Security Toolkit project at SourceForge. If you are feeling lucky, you might be able to begin the download by clicking here. After downloading the ISO you will need to uncompress it using either the free gzip utility or the popular WinZip utility. You will then use a CD burning package like Roxio or Nero to burn the ISO image to a CDR or CDRW.

Examine the Boot Options

The first time you boot from a Network Security Toolkit CDROM you should press the SPACE BAR to prevent it from automatically booting. You only have a few seconds (5 secs) to do this before it boots up using the default setting. Use the F1, F2, F3, F4 and F5 keys to move between the console screens. You will find a wealth of information as to how you can adjust the boot options for different situations.

Booting

When the Network Security Toolkit ISO image was created for public distribution, we had to guess at what settings would be the most common. We tried to provide an ISO whose default options would work for the majority of situations. If you determine that our default choices don't work for your particular situation, you will need to specify your own boot options.

Booting Without a DHCP Server

If the network you are booting the Network Security Toolkit on does not have a DHCP server, the default boot options won't work. You will see errors in this situation as the Network Security Toolkit won't be able to retrieve an IP address from a DHCP server. In this situation, you should specify base, mbase, serial, utils, pcmcia, or usb at boot time. For example:

boot: mbase

The NST_CDROM_IDE Option (ide)

Probably the most common problem encountered by people trying to use the Network Security Toolkit is due to having a CDROM drive that is not compatible with the ide-scsi driver. Unfortunately, it is not always apparent when this situation occurs. You may see failure messages. You might even get to a login prompt, but not be able to enter a password. You might see complaints about file sizes. There are a bunch of things that can go wrong when this situation is encountered. If you are having troubles booting with the default settings, try entering the following at the boot prompt:

boot: ide

The above will avoid loading the ide-scsi drivers and allow many of the older CDROM drives to work with the Network Security Toolkit. By specifying this option, you will be unable to burn CDs (cdrecord requires the ide-scsi drivers). You can also include the NST_CDROM_IDE with any of the alias boot options to avoid the loading of the ide-scsi drivers. For example, if you have an old laptop which didn't work when the ide-scsi drivers were loaded, you could specify the following at boot time:

boot: laptop NST_CDROM_IDE

Using A Serial Console At Boot

If the system you are using does not have a keyboard, video card, and/or monitor (i.e. typically this is found with server systems and is referred to as a "headless configuration"), it's still possible to adjust the default boot Kernel and NST settings. If you connect a null modem cable from the first serial port (COM:1 or ttyS0) on NST to a dumb terminal or second computer, one can control the NST boot time environment. You will need to use the following serial settings:

Table 1-2. Serial Port Settings

Baud          19200
Parity        None
Data Bits     8
Stop Bits     1
Flow Control  None (minicom enables flow control by default - you need to edit the configuration to disable it).
Emulation     ANSI (at least for minicom) or VT220.

For example, I use the minicom program for serial communications on my Linux box. I've set up a minicom configuration named server that I use when I want to monitor/adjust the Network Security Toolkit boot process for a headless or dual monitor (i.e. both serial and console) NST system. After connecting a null modem cable between the two computers, I started up minicom on my laptop and then powered up a headless NST server with the CDROM loaded. The following captions depict the NST serial boot, configuration, option, help, and specification screens (note: these screens have been captured using development versions of the Network Security Toolkit - your screens may be slightly different):

[pkb@salsa ]$ minicom server

Welcome to minicom 2.00.0

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Jan 25 2003, 00:15:18.

Press CTRL-A Z for help on special keys

Linux Network Security Toolkit (NST) http://www.networksecuritytoolkit.org/
======(Linux Kernel: 2.4.20-30.9)======
Welcome to the Linux Network Security Toolkit (NST). This bootable ISO CD is
based on RedHat 9.0 Linux. The toolkit is designed to provide easy access to
best-of-breed Open Source Network Security Applications and should run on
most x86 platforms.

Default NST boot 5.0s: laptop
======

[<^F-1> Main] [<^F-2> Configs] [<^F-3> Options] [<^F-4> Help] [<^F-5> Specs]

HIT SPACE BAR TO DISABLE AUTO-BOOT! NST(v1.0.5): Tue Apr 20 14:18:03 UTC 2004
boot:

Figure 1-2. NST Serial Boot Screen <^F-1>

You still need to press the SPACE BAR to disable the auto boot (if you want to customize your boot options). Also, you'll need to use Control-F-1, Control-F-2, etc. instead of the function keys to toggle between the help screens. The following captions show the available NST serial boot screens:

NST Kernel Boot Configurations
======
The following NST boot configurations are provided for your convenience
when booting an NST session:
Example to boot NST with: (CDROM IDE + USB Support + DHCP-Client + SSHD): Type: ide
======
[   base] - Base NST: (User input required: ramdisk_size=65536 or greater)
[  mbase] - base + ramdisk_size=65536
[ serial] - mbase + Serial Console + NST_SERIAL
[desktop] - Default: mbase + NST_UTILS + NST_USB + NST_DHCP_SSHD + NST_HTTPD
[ laptop] - desktop + NST_PCMCIA
[ server] - desktop + Serial Console + NST_SERIAL
[lserver] - desktop + ramdisk_size=131072 + Serial Console + NST_SERIAL
[    ide] - mbase + NST_CDROM_IDE + NST_UTILS + NST_USB + NST_DHCP_SSHD
[  utils] - mbase + NST_UTILS
[ pcmcia] - utils + NST_PCMCIA
[    usb] - utils + NST_USB
[  noapm] - server + apm=off
======

[<^F-1> Main] [<^F-2> Configs] [<^F-3> Options] [<^F-4> Help] [<^F-5> Specs]

boot:

Figure 1-3. NST Kernel Boot Configurations <^F-2>

NST Kernel Boot Options
======
The following NST boot configurations options are supported for automatic
startup post Kernel boot:

[    NST_UTILS] - Load full NST utility programs
[NST_DHCP_SSHD] - NST_UTILS + syslogd/klogd + dhclient eth0 + sshd
[      NST_USB] - NST_UTILS + syslogd/klogd + USB support
[   NST_PCMCIA] - NST_UTILS + syslogd/klogd + PCMCIA support
[   NST_SERIAL] - Enable a login session on: /dev/ttyS0 (COM:1)
[NST_CDROM_IDE] - Use native CDROM IDE commands instead of SCSI Emulation
[    NST_HTTPD] - Start Apache Web services: httpd
[  NST_WD_WAIT] - Wait time in seconds for before sending a HUP signal to
                  the "init" process post boot (Default: 4 seconds)
======

[<^F-1> Main] [<^F-2> Configs] [<^F-3> Options] [<^F-4> Help] [<^F-5> Specs]

boot:

Figure 1-4. NST Kernel Boot Options <^F-3>

NST Kernel Boot Help
======
- To disable the automatic boot of the NST type any key within 5 seconds
  (Ex: hit the space bar) after the initial splash screen appears.

- To initiate a NST boot session with a preconfigured NST boot just type
  the NST configuration label and hit the key. See [<^F-2> Configs].
  Example: laptop

- To initiate a NST boot session with a preconfigured NST boot and specific
  NST options just type the NST configuration label followed by any options
  and then hit the key. See the [<^F-3> Options] screen for further details.
  Example: base NST_PCMCIA NST_USB

- To enable the Kernel Serial Console append the following Kernel options:
  Example: laptop console=tty0 console=ttyS0,19200n8

- To boot NST in single user mode - use Kernel parameter: "single"
  Example: base single
======

[<^F-1> Main] [<^F-2> Configs] [<^F-3> Options] [<^F-4> Help] [<^F-5> Specs]

boot:

Figure 1-5. NST Kernel Boot Help <^F-4>

NST Kernel Boot Specifications
======
- At least 128 MBytes of RAM is recommended to run NST.

- NST kernel and initial RAM disk (initrd) boot command line parameters:
  vmlnznst initrd=initrdr9.gz root=/dev/ram0 ramdisk_size=65536

- If your BIOS/CDROM doesn't support CDROM SCSI emulation, use the option:
  NST_CDROM_IDE which supports native CDROM IDE commands. The default boot
  will use CDROM SCSI emulation allowing "cdrecord" usage.

- For a headless NST system, Isolinux serial output on COM:1 is enabled.
  Serial params: 19200 baud, no parity, 8 data bits, Terminal Emulation: vt220

- To enable Serial Console during the NST Kernel boot, append the following
  parameters to the boot command line: console=tty0 console=ttyS0,19200n8.

- By default, a login in session on /dev/ttyS0 (COM:1) is enabled.
  Serial params: 19200 baud, no parity, 8 data bits, Terminal Emulation: vt220
======

[<^F-1> Main] [<^F-2> Configs] [<^F-3> Options] [<^F-4> Help] [<^F-5> Specs]

boot:

Figure 1-6. NST Kernel Boot Specifications <^F-5>

As a side note, booting via a serial console is an excellent way to capture error messages if you have a system that has trouble booting from the Network Security Toolkit CDROM (especially if you have a kernel panic situation).

Choose an Access Method

There are many different ways to interact with the Network Security Toolkit once you've booted. Regardless of the access method you choose, you will need to log in. The default login ID is root and the default password is nst@2003. This combination is used regardless of whether you are logging in at the console, through an ssh connection, through a tightvnc connection, or via the Web User Interface. It is recommended that you use the nstpasswd script as soon as you log in to change the password (this is described in Changing the Password (nstpasswd)).

Console Access

If your Network Security Toolkit system has a screen and keyboard, you will have immediate access to a command line interface. Simply log in and start using it.

Serial Port Access

If you boot with the serial console enabled (this is not enabled by default), you can use the first serial port (think /dev/ttyS0 or COM1:) as your access point. You will need to use the same settings as described in Using A Serial Console At Boot (you can enable hardware flow control at this point).

Access Via ssh/putty

Assuming the Network Security Toolkit was booted with a network card and the network card drivers loaded properly, you will have access to the Network Security Toolkit system via ssh (or putty - for Windows users). Assuming the Network Security Toolkit has an IP address of 192.168.0.17, you should be able to connect in the following manner (NOTE: Just hit the enter key at the passphrase prompt, and then enter your password at the password prompt):

[pkb@salsa docs]$ ssh [email protected]
Enter passphrase for key '/home/pkb/.ssh/id_rsa':
[email protected]'s password: nst@2003 # NOT ECHOED
Last login: Thu Apr 22 18:20:37 2004 from 192.168.0.133

====== Linux Network Security Toolkit for RedHat 9.0 ======

"nstusage" - Use this aliases to read the NST usage and notes doc...

[root@probe root]#

Figure 1-7. Using ssh

Please note, ssh access is only available if the sshd is running on the Network Security Toolkit. This should always be the case if you used the default boot settings.

Use the Web User Interface

Unless you disable it, an SSL web based interface is also enabled at boot time. You can use any https (NOTE THE s!) capable web browser to access the Network Security Toolkit. The web based interface provides convenient access to a subset of the tools available - please see The Web User Interface (WUI) for additional information.

Bring Up an X Desktop on the Local System

If you have at least 256MB of RAM installed, you may want to bring up an X desktop. The following lists the commands necessary to generate an X configuration for your system and then start up X:

[root@probe root]# setup_x
Starting xfs:                                              [  OK  ]
Could not find existing X configuration
Writing temporary config file to /tmp/@913.0xf86config
Trying to start X server
Waiting for X server to start...log located in /var/log/XFree86.setup.log
1...2...3...4...5....X server started successfully.
Writing configuration to /etc/X11/XF86Config
Removing old /etc/X11/X
Creating /etc/X11/X symlink
X Setup Finished.

You may want to review: /etc/X11/XF86Config

Use the following command to start up X:

    startx
[root@probe root]# startx

XFree86 Version 4.3.0 (Red Hat Linux 9 release: 4.3.0-2.90.55)
Release Date: 15 August 2003
X Protocol Version 11, Revision 0, Release 6.6
Build : Linux 2.4.21-2.ELsmp i686 [ELF]
Build Date: 12 February 2004
Build Host: porky.devel.redhat.com

        Before reporting any problems, please make sure you are using the most
        recent XFree86 packages available from Red Hat by checking for updates
        at http://rhn.redhat.com/errata or by using the Red Hat Network up2date
        tool. If you still encounter problems, please file bug reports in the
        XFree86.org bugzilla at http://bugs.xfree86.org and/or Red Hat bugzilla
        at http://bugzilla.redhat.com

Module Loader present
OS Kernel: Linux version 2.4.20-30.9 ([email protected]) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Wed Feb 4 20:44:26 EST 2004
Markers: (--) probed, (**) from config file, (==) default setting,
         (++) from command line, (!!) notice, (II) informational,
         (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/XFree86.0.log", Time: Sat Apr 24 15:00:45 2004
(==) Using config file: "/etc/X11/XF86Config"

It should be noted that setup_x will detect your hardware and display a graphical selection panel allowing you to specify your X desktop resolution and color depth. It will then exit after writing the appropriate information to /etc/X11/XF86Config. You will then be able to bring up X with the startx command. The following screen shot shows ethereal, etherape and ipsc running on a Network Security Toolkit probe running X:

Figure 1-8. X Screenshot (Linux Desktop)

The vtwm window manager is used when running an X desktop. You can launch X based applications by right clicking on the desktop to pull up a menu, or by typing the name of the program you want to run in an xterm window. The vtwm window manager provides virtual desktop space, so you will only see a portion of the available desktop displayed on your screen. You should see a small black rectangle within a larger blue rectangle at the bottom right corner of your screen. If you drag the small black rectangle around, you can change what portion of the desktop is visible at any point in time.

Run an X Desktop Remotely (VNC)

If you are familiar with tightvnc (it allows for virtual desktops), and you have a tightvnc client for another system on the network, you can use a virtual desktop to run the software on the Network Security Toolkit probe. The tightvnc client software is freely available for a wide range of Operating Systems (the Windows version is included on the Network Security Toolkit ISO - you can get it from the Web Interface). You can start the tightvnc server on the Network Security Toolkit probe using the following script (you may want to examine the script if you don't like the screen size and color depth we set):

[root@probe root]# setup_vnc
*** Need to start up a font server on this host...
Starting xfs:                                              [  OK  ]
*** Starting a vnc server on display: 6
/usr/local/bin/vncserver :6 -geometry 1280x1024 -depth 24

New 'X' desktop is probe:6

Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/probe:6.log

*** Xvnc process started:
root  860  1  0 14:40 ttyp0  00:00:00 Xvnc :6 -desktop X -httpd /usr/share/vnc/classes -auth /root/.Xauthority -geometry 1280x1024 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5906 -pn
[root@probe root]#

Assuming the Network Security Toolkit probe has an IP address of 192.168.0.131, it is now possible to bring up a virtual desktop from a different system (you could even use a Windows system if necessary). Here is an example of what I would type from my Linux laptop to connect to this virtual desktop:

[root@probe root]# vncviewer 192.168.0.131:6
VNC authentication succeeded
Desktop name "root's X desktop (probe:6)"
Connected to VNC server, using protocol version 3.3
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.
Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage

A new window pops up on my laptop providing a full X desktop running on the Network Security Toolkit probe. You interact with this desktop in the same way as if you were physically at the Network Security Toolkit probe. One could manage many Network Security Toolkit probes from a single command system using this technique. The following screen shot shows a window on my laptop with the desktop of a remote Network Security Toolkit system, with several X based applications running on the probe (ettercap, firefox and gaim).

Figure 1-9. VNC Screenshot (Linux Desktop)

For the most part, X based applications run at near native speed when using tightvnc on a local network (it's pretty amazing). However, over a WAN link (i.e. a relatively slower network connection), X based applications that do a lot of animation (like etherape) won't appear to run as smoothly over tightvnc. The screenshot shown in Figure 1-10 is a Windows XP Professional desktop with the Windows version of the vncviewer displaying the NST Probe user root's X desktop on virtual display: 6.

Figure 1-10. VNC Screenshot (Windows XP Professional Desktop)

Warning

You should avoid running tightvnc sessions across a public network. The information transmitted across the tightvnc connection (including the VNC authentication exchange and everything shown on the desktop) is not encrypted. If you need to run a tightvnc session across a public network, you should read up on SSH tunneling to create a secure communications channel between the two systems first. Tunneling tightvnc traffic over an SSH link is diagrammed in Figure 8-1.
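As an added example (not part of the NST documentation or its scripts), the following POSIX shell functions carry the VNC session described above inside an ssh port forward to the probe, so the VNC password exchange and screen data travel only over the encrypted ssh connection. It assumes the probe's sshd is reachable as root (the default boot) and that Xvnc listens on 5900 plus the display number, as the setup_vnc output shows (:6 gives -rfbport 5906); the function names are my own.

```shell
# vnc_port DISPLAY -> prints the TCP port Xvnc listens on for that display
# (RFB convention: 5900 + display number, so display :6 is port 5906).
vnc_port() {
    case "$1" in
        ''|*[!0-9]*)
            echo "vnc_port: display must be a non-negative integer" >&2
            return 1 ;;
    esac
    echo $((5900 + $1))
}

# forward_spec DISPLAY -> prints the -L argument for ssh. Both ends are bound
# to loopback: the local viewer talks to 127.0.0.1, and on the probe side the
# tunnel targets 127.0.0.1, so the Xvnc port never needs to be reachable from
# anything but the probe itself.
forward_spec() {
    port=$(vnc_port "$1") || return 1
    echo "127.0.0.1:${port}:127.0.0.1:${port}"
}

# vnc_over_ssh HOST DISPLAY: open the tunnel in the background, then point
# vncviewer at the local end. The "-rfbauth" password check still happens,
# but inside the ssh session rather than in the clear on the network.
vnc_over_ssh() {
    host=$1
    display=$2
    spec=$(forward_spec "$display") || return 1
    # -f: go to background once authenticated; -N: run no remote command
    ssh -f -N -L "$spec" "root@${host}" || return 1
    # "127.0.0.1:6" means display 6 on localhost, i.e. local port 5906
    vncviewer "127.0.0.1:${display}"
}

# Only act when invoked with a host and display, e.g.: ./vnc_tunnel.sh 192.168.0.131 6
if [ $# -eq 2 ]; then
    vnc_over_ssh "$1" "$2"
fi
```

The background ssh process stays up after vncviewer exits; kill it when the session is finished so the forwarded port is not left open.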

Changing the Password (nstpasswd)

If you boot the Network Security Toolkit with the default options in a networked environment and it has the default password, it won't be very secure. This is the default situation if you use the same standard ISO image as everyone else in the world. So, immediately after logging in, your first order of business should be to set a new password for your Network Security Toolkit. To do this, you will want to use the nstpasswd command. This utility sets many different passwords in a single shot. For example, I can change the password to letmein with the following command (the new password is not echoed):

[root@probe root]# nstpasswd
New NST Password:
Retype new password:
Successfully updated password for 'root' in /etc/shadow
Successfully updated password for 'root' in /etc/httpd/conf/htuser.nst
Successfully updated 'authorized_keys' file for 'root' and 'vpn' users
Successfully updated password for 'root' in /root/.vnc/passwd
Successfully updated password for 'root' in /etc/samba/smbpasswd
Wed Apr 21 14:21:20 2004  Initializing gdbm databases
Wed Apr 21 14:21:20 2004  Now running as requested user 'ntop' (100:101)
Wed Apr 21 14:21:20 2004  Admin user password has been set
Successfully updated password for 'admin' in /var/ntop/ntop_pw.db
[root@probe root]#

Figure 1-11. Changing All of the NST Passwords

As the output above shows, many different passwords on the Network Security Toolkit probe have been changed to my new setting letmein. From this point on (until reboot), the new password will be required to gain access via a console, a serial port, a ssh connection, VNC connections, the Web User Interface (WUI), etc. If you find the Network Security Toolkit software to be useful, you’ll wish there was a way to save the password. Unfortunately, we don’t provide this in the default ISO image (we don’t know how to do it yet). However, expert users are encouraged to build their own Network Security Toolkit ISO image from the source code (we do make it easy to set your own unique password if you build from the source).
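As an added check (my own shell code, not an NST script), the following functions confirm that every credential store listed in the Figure 1-11 output was actually rewritten: a marker file is created just before nstpasswd runs, and any store that is missing or not newer than the marker is reported. NST_PW_STORES is an assumed variable that defaults to the file paths shown in that figure; since the change does not survive a reboot, the wrapper is meant to be run after every boot.

```shell
# Credential stores that nstpasswd reports updating (paths from Figure 1-11).
# Override NST_PW_STORES to check a different set.
NST_PW_STORES="${NST_PW_STORES:-/etc/shadow /etc/httpd/conf/htuser.nst /root/.vnc/passwd /etc/samba/smbpasswd /var/ntop/ntop_pw.db}"

# check_password_stores MARKER -> prints one line per store that is missing
# or not newer than MARKER; returns 0 only when every store was refreshed.
check_password_stores() {
    marker=$1
    status=0
    for f in $NST_PW_STORES; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            status=1
        elif [ ! "$f" -nt "$marker" ]; then
            # store exists but its mtime is not later than the marker's,
            # so nstpasswd did not rewrite it
            echo "STALE $f"
            status=1
        fi
    done
    return $status
}

# change_nst_password: run nstpasswd (interactive) and verify afterwards
# that all stores were touched. Returns nstpasswd's result combined with
# the verification result.
change_nst_password() {
    marker=$(mktemp) || return 1
    nstpasswd
    rc=$?
    if check_password_stores "$marker"; then
        echo "all password stores updated"
    else
        echo "WARNING: some password stores still hold the old credentials" >&2
        rc=1
    fi
    rm -f "$marker"
    return $rc
}
```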

Text Editors (vim, jed)

You will most likely come across situations where you need access to a text editor. You will find both vim (for the vi users) and jed (for the emacs users) available.

[root@probe root]# vim ~/.bashrc
# $Id: first_steps.,v 1.16.2.1 2004/07/16 13:33:24 rwhalb Exp $

# NST User: root bash shell settings....
# ------

# source global definitions...
# ------
if [ -f /etc/bashrc ]; then
  . /etc/bashrc
fi

# set options...
# ------
set -o ignoreeof
set -o emacs

# set up LANG env variable...
# ------
export LANG=en_US
export LANGUAGE=en_US
export LC_ALL=en_US

:q!
[root@probe root]#

Figure 1-12. Using vim to Edit .bashrc

[root@probe root]# jed /etc/httpd/conf/httpd.conf
F10 key ==> File   Edit   Search   Buffers   Windows   System   Help
# $Id: first_steps.xml,v 1.16.2.1 2004/07/16 13:33:24 rwhalb Exp $
#
# Apache configuration file tweaked for a NST boot system.
#
# Mimics much of the original RedHat 9.0 initial config.

#
# Don't give away too much information about all the subcomponents
# we are running. Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS

# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do NOT add a slash at the end of the directory path.

ServerRoot "/etc/httpd"

# ------
-----(Jed 0.99.15) Emacs: httpd.conf   (SH)   1/1037   6:10pm-----------
loading /usr/share/jed/lib/modeinfo.slc
[root@probe root]#

Figure 1-13. Using jed to Edit httpd.conf

Determine or Set the IP Address

If you used the default boot options, the Network Security Toolkit system will request an IP address from a DHCP server. The following demonstrates how one can use the ifconfig command to determine the IP address assigned:

[root@probe root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:2C:01:33:04
          inet addr:192.168.0.138  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:135 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:23997 (23.4 Kb)  TX bytes:11746 (11.4 Kb)
          Interrupt:11 Base address:0xe400

[root@probe root]#

Looking at the above output, you can see that the Network Security Toolkit system was assigned the IP address of 192.168.0.138 by the DHCP server. If your network does not have a DHCP server, an IP address won't be assigned automatically, and you'll need to do it manually.

Note: If your network does not have a DHCP server running, it is recommended that you boot the Network Security Toolkit by specifying usb at the initial boot screen.


The following shows how one can use the cdnet and auto_config_net192 commands to simplify the process of manually setting an IP address of 192.168.0.211 on a 192.168.0.0/24 network:

[root@probe root]# cdnet
[root@probe network-scripts]# jed nst-eth0.192net
F10 key ==> File   Edit   Search   Buffers   Windows   System   Help
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.211
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
GATEWAY=192.168.0.1
ONBOOT=yes

-----(Jed 0.99.15) Emacs: nst-eth0.192net   (Text)   4/9   3:47pm-----------
Wrote 8 lines to /etc/sysconfig/network-scripts/nst-eth0.192net
[root@probe network-scripts]# auto_config_net192

***********************************************************************
*** Net driver detect/module install (phase:2 auto_modprobe_net)... ***
***********************************************************************

*** Installing driver module: "via-rhine" for network device: "VIA Technologies|VT6102 [Rhine-II]"
**************************************************************************
*** Configure a 192.168.1.x net on int: eth0 (phase:3 setup_net192)... ***
**************************************************************************

Configured devices:
lo eth0
Currently active devices:

Shutting down loopback interface:                          [  OK  ]
*** Starting network with eth0 as 192.168.0.211 on network: 192.168.0.0
Setting network parameters:                                [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[root@probe network-scripts]#

Figure 1-14. Setting an IP Address By Hand

If you find this process to be tedious, you should invest in a thumb drive and read the Automating Your Setup with lnstcustom section.

Automating Your Setup with lnstcustom

This section is intended for those who are familiar with Linux based systems. If you are just learning Linux, it is recommended that you skip this section for now and come back to it later when you feel a bit more comfortable at the command line.

After using the Network Security Toolkit for a while, you'll find yourself wishing there was a means to simplify the initialization process. If you have a thumb drive, flash drive, floppy disk, a hard disk, or even a web server, you are in luck - the lnstcustom command can simplify your setup.

It should be noted that this automation is not completely hands free. You will need to invoke lnstcustom each time you boot, but you won't have to type much else. You need to be familiar with writing bash (or sh) scripts prior to doing much automating. However, the Network Security Toolkit makes an excellent environment to hone those scripting skills.

Preparing a Thumb Drive for lnstcustom

This section is going to walk you through the creation of a simple setup.sh script that can be used by lnstcustom to automate the following:

• Changing the default password.
• Starting X.

After following these steps, you should be able to boot the Network Security Toolkit, log in, plug in your thumb drive, and type the following command:

[root@probe root]# lnstcustom test

After typing the above, you should see that the password is being changed, and after what seems like a long time, the X desktop should come up (you will be presented with the X configuration utility the first time it is invoked, but it will remember your settings for future invocations). For this example, I'm going to borrow my wife's Creative Muvo Nomad MP3 player which also acts as a standard thumb drive (do me a favor and don't mention this to my wife). After plugging the MP3 player into a USB port, the following commands are entered:

[root@probe root]# mount -t vfat /dev/sda1 /mnt/memstick   (1)
[root@probe root]# mkdir /mnt/nst/test                      (2)
[root@probe root]# jed /mnt/nst/test/setup.sh               (3)

(1) This mount command will work for many thumb drives; however, you may need to change the /dev/sda1 or vfat parameters for your thumb drive (Hint: try "fdisk -l" for clues about the location and file system used on your thumb drive).
(2) This command creates a directory for our "test" customization. This means we will need to specify test as the first argument to the lnstcustom command when we want to load this custom configuration (it also means that it's easy to make many different customizations on the same thumb drive - just give each its own unique directory name).
(3) This line is used to edit the setup.sh script. The commands we put in setup.sh will be run each time we run the command "lnstcustom test sda1 vfat". The jed editor was used in this example (I'm partial to the emacs key bindings - but vim is also available). Here are the commands we will type into the setup.sh script.

#!/bin/bash

# Feed the new password (twice) to nstpasswd.
printf "letmein\nletmein\n" | nstpasswd                  # (1)

# Reuse a saved X configuration from the thumb drive if there is one...
if [ -f "$NSTHOME/XF86Config" ]; then                    # (2)
  cp "$NSTHOME/XF86Config" "/etc/X11"
  /etc/rc.d/init.d/xfs start
  startx
# ...otherwise configure X now and save the result for next time.
else                                                     # (3)
  setup_x
  if [ -f "/etc/X11/XF86Config" ]; then
    cp "/etc/X11/XF86Config" "$NSTHOME/"
    startx
  fi
fi

(1) This line makes use of the printf command to print the word letmein twice (on two separate lines). This is fed into the nstpasswd command to automate the changing of the password. Now, I would never recommend setting a real password to this value or in this fashion (it's in plain text on your thumb drive, and anyone who picks up the drive can read it). However, it is still better (more secure) than having the default password that comes on the Network Security Toolkit ISO.
(2) This section checks to see if a configuration file for X is already available on the thumb drive. If it is, it copies it to the proper location, starts the X font server, and then starts X.
(3) This section is run if a configuration file for X still needs to be created. In this case, we invoke the setup_x command to configure our system, save the configuration created (so we won't have to next time), and then start X.

Caution: The above assumes that you will be using the X configuration on the same system (or another system with identical hardware). NEVER use an X configuration created for one system on a different system (you may damage something). If you plan on using the same thumb drive on different systems, you should create a different directory for each system, or change the setup.sh script such that it ALWAYS invokes setup_x before invoking startx.

After saving the file (Control-X Control-S) and leaving the editor (Control-X Control-C), we will find ourselves back at the command prompt ready to try out the customization.

[root@probe root]# umount /mnt/memstick       (1)
[root@probe root]# lnstcustom test sda1 vfat  (2)

... Lots of output as passwords are changed and X starts ...

(1) Before trying out our custom setup script we unmount the thumb drive (as it wouldn't have been mounted if we had just started the system).
(2) We invoke the lnstcustom command specifying the name of the directory that our setup.sh script can be found under, and the device (sda1) and file system type (vfat) to use to mount it with. It should be noted that the default values are sda1 and vfat, so in this situation we could have omitted them and simply specified: lnstcustom test.

This should be enough information to get you started in creating your own customization scripts. You can do a lot if you use your imagination and just keep adding to your setup.sh script.
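The setup.sh above leaves the password in clear text and assumes a single machine. The script below is an added example, not NST's own code, of a setup.sh that performs the same two actions but prompts for the password (or reads it from a root-only nstpass file next to setup.sh) and keeps one XF86Config per machine, keyed by the MAC address that ifconfig reports for eth0, so the Caution about mixing X configurations is enforced by the script rather than by memory. It assumes, as the original script does, that lnstcustom sets NSTHOME to the customization directory and that nstpasswd, setup_x and startx are on the PATH; the nstpass file name and the host_key scheme are this example's own inventions.

```shell
#!/bin/bash
# Added example of a setup.sh for lnstcustom (not NST's own code).
# Assumptions: lnstcustom exports NSTHOME as the customization directory;
# nstpasswd, setup_x, startx and ifconfig are on the PATH; the optional
# password file "$NSTHOME/nstpass" is this example's own convention.

# host_key: turn the MAC address in `ifconfig eth0` output into a
# filesystem-safe key such as 00-50-2c-01-33-04. Argument: ifconfig text.
host_key() {
    printf '%s\n' "$1" \
        | sed -n 's/.*HWaddr \([0-9A-Fa-f:]*\).*/\1/p' \
        | head -n 1 \
        | tr ':' '-' \
        | tr 'A-F' 'a-f'
}

# xconfig_action: "reuse" when a saved XF86Config exists for exactly this
# host key, "configure" otherwise. A configuration saved under some other
# machine's key is never applied, which is the Caution made mechanical.
xconfig_action() {
    if [ -f "$1/$2/XF86Config" ]; then
        echo reuse
    else
        echo configure
    fi
}

# password_file_ok: accept a password file only if it is a regular file
# with mode 0600. On a vfat thumb drive the mode comes from the mount
# options, so this usually fails there and the script prompts instead.
# (stat -c is GNU coreutils.)
password_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = "600" ] || return 1
}

# set_nst_password: feed nstpasswd from the root-only file or from an
# interactive prompt. printf is a bash builtin, so the password never
# appears in the script or in `ps` output.
set_nst_password() {
    if password_file_ok "$NSTHOME/nstpass"; then
        pw=$(head -n 1 "$NSTHOME/nstpass")
    else
        printf 'New NST password: '
        read -r -s pw
        echo
    fi
    printf '%s\n%s\n' "$pw" "$pw" | nstpasswd
    unset pw
}

main() {
    key=$(host_key "$(ifconfig eth0)")
    [ -n "$key" ] || { echo "no MAC address found on eth0" >&2; exit 1; }
    set_nst_password
    case $(xconfig_action "$NSTHOME" "$key") in
        reuse)
            cp "$NSTHOME/$key/XF86Config" /etc/X11/XF86Config
            /etc/rc.d/init.d/xfs start
            startx
            ;;
        configure)
            setup_x
            if [ -f /etc/X11/XF86Config ]; then
                mkdir -p "$NSTHOME/$key"
                cp /etc/X11/XF86Config "$NSTHOME/$key/"
                startx
            fi
            ;;
    esac
}

# Only act inside a real NST session; elsewhere just define the functions.
if command -v nstpasswd >/dev/null 2>&1; then
    main
fi
```

Drop it in place of setup.sh and invoke lnstcustom test as before. The first run on each machine goes through setup_x and saves the result under a directory named after that machine's MAC address; a later run on a different machine finds no directory for its own key and configures X afresh instead of reusing the wrong file.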

Using lnstcustom With a Web Server

Whether you are using lnstcustom with a thumb drive, hard drive, floppy or some other type of local disk, the basic concept and preparation is the same. However, if you want to use lnstcustom with a web server, there are some differences:


• The entire customization directory must be archived into a single tar.gz file.
• You won't be able to easily write any changes back (in the previous example, the thumb drive was able to "learn" by simply copying a configuration file if the user adjusted it).

Assuming you still have your thumb drive mounted from the previous session, the following is all that is required to create and install the custom configuration on a fictional web server 192.168.0.17:

[root@probe root]# tar czf /tmp/test.tgz -C /mnt/nst test
[root@probe root]# tar tzf /tmp/test.tgz
test/
test/XF86Config
test/setup.sh
[root@probe root]# scp /tmp/test.tgz [email protected]:/var/www/html
Warning: Permanently added '192.168.0.17' (RSA) to the list of known hosts.
[email protected]'s password:
test.tgz             100% |*****************************|  1633       00:00
[root@probe root]#

Now that we've created and installed our custom setup on a web server, let's try it out. Reboot the Network Security Toolkit probe, remove the thumb drive, log back in, and then invoke lnstcustom in the following manner:

[root@probe root]# lnstcustom test http://192.168.0.17/test.tgz

... Lots of output - X finally comes back up ...

That’s about all there is to it. We now have our custom setup.sh script available on the network.

Caution: You should be careful when using this method for loading Network Security Toolkit customization scripts. NEVER load someone else's customization script, as you are handing them the keys to your system (setup.sh runs as root on the probe). You should also avoid placing any plain text passwords or security-sensitive data in customization scripts placed on the network: it will probably be possible for someone to find your files and view them, and since the archive is fetched over plain http it can also be read or altered in transit.
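The web-server method fetches test.tgz over plain HTTP and then runs its setup.sh as root, so anyone who can write to the server or sit on the path can substitute their own script. One check a practitioner would add, shown here as an added example rather than anything lnstcustom does itself: record the SHA-1 of the archive when you upload it, and refuse to run a downloaded copy whose digest differs or whose tar listing contains absolute or .. paths. wget, tar and sha1sum are assumed to be on the probe; because this page does not document how lnstcustom locates a local archive, the verified copy is unpacked and its setup.sh is run directly with NSTHOME set, which is an assumption of this example.

```shell
#!/bin/bash
# Added example (not NST's own code): fetch a customization archive for
# lnstcustom and refuse to use it unless it matches a digest you recorded
# yourself and contains only safe relative paths. Assumes wget, tar and
# sha1sum are available. Running setup.sh by hand with NSTHOME set is an
# assumption; this page does not document lnstcustom's internals.

# archive_digest: hex SHA-1 of a file. sha1sum is used because it matches
# the era of this toolkit; prefer sha256sum where coreutils provides it.
archive_digest() {
    sha1sum "$1" | cut -d ' ' -f 1
}

# listing_is_safe: read `tar tzf` output on stdin and reject any member
# that is absolute, climbs with "..", or lies outside the expected top
# directory. Argument: expected top directory name (e.g. "test").
listing_is_safe() {
    top=$1
    while IFS= read -r m; do
        case $m in
            ..|../*|*/..|*/../*|/*) return 1 ;;
            "$top"|"$top"/*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# listing_has_setup: true when the listing on stdin names <top>/setup.sh.
listing_has_setup() {
    grep -q -x -F "$1/setup.sh"
}

# verify_archive: every check on a downloaded archive. Arguments: archive
# path, expected digest, expected top directory. Succeeds only if all pass.
verify_archive() {
    f=$1; want=$2; top=$3
    [ "$(archive_digest "$f")" = "$want" ] \
        || { echo "digest mismatch for $f" >&2; return 1; }
    tar tzf "$f" | listing_is_safe "$top" \
        || { echo "unsafe member path in $f" >&2; return 1; }
    tar tzf "$f" | listing_has_setup "$top" \
        || { echo "no $top/setup.sh in $f" >&2; return 1; }
    return 0
}

# fetch_and_run: download over plain HTTP, verify against the digest you
# wrote down when you uploaded the archive, then unpack and run setup.sh.
fetch_and_run() {
    url=$1; want=$2; top=$3
    work=$(mktemp -d /tmp/nstcust.XXXXXX)
    wget -q -O "$work/$top.tgz" "$url" \
        || { echo "download of $url failed" >&2; return 1; }
    verify_archive "$work/$top.tgz" "$want" "$top" || return 1
    tar xzf "$work/$top.tgz" -C "$work"
    NSTHOME="$work/$top" bash "$work/$top/setup.sh"
}

# Usage, with the digest placeholder replaced by the value you recorded
# when you ran `sha1sum test.tgz` before uploading it:
#   fetch_and_run http://192.168.0.17/test.tgz <sha1-of-test.tgz> test
```

The digest has to come from somewhere the attacker cannot also change, such as the thumb drive or your own notes, not from the same web server; otherwise the check only proves the download was not corrupted.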


Chapter 2. The Web User Interface (WUI)

As Paul grows older, he's come to the sad realization that his feeble mind can't possibly keep track of all the powerful tools that are bundled on the Network Security Toolkit CDROM. To avoid relying on memory alone, a collection of HTML pages and CGI scripts has been created to aid in the use of the Network Security Toolkit. This offers Paul a remote chance of making future use of some of the powerful scripts which Ron has created. Assuming that you've started up the Network Security Toolkit using the default boot options and that it was assigned the address of 192.168.0.9, you should be able to access the Web User Interface (WUI) by pointing your browser at https://192.168.0.9/nstwui. NOTE the usage of https in the preceding URL, as insecure access is not permitted.

Initial Connection

The first time you connect to the Web User Interface (WUI), you will likely need to respond to one or more dialog boxes. When using firefox, I typically see the following set of events:

• An initial warning dialog indicating that the Network Security Toolkit certificate could not be verified. This is expected, as a test certificate is generated at the time the CD is created. Because the browser cannot verify this certificate, the warning looks the same whether you have reached your own probe or a host sitting between you and it, so treat the WUI password as exposed on any network you do not control. The warning message presented by the firefox browser resembles:

• After pressing the OK button, the browser typically warns me that the security certificate presented by the Network Security Toolkit probe does not agree with the actual IP address which the Network Security Toolkit probe has. This is to be expected, as we never know what IP address the Network Security Toolkit probe may be assigned after it boots. The dialog box which the firefox browser presents in this condition resembles:

• After pressing this OK button, the browser may want to tell me that I've entered a secure web site. I don't typically see this message, as I configure my browser to disable this type of alert. However, if you don't have your browser configured in this manner, you may be presented with a dialog box resembling:

• Starting with release 1.0.5 of the Network Security Toolkit, authorization will be required before allowing access to the web server (if you have an older version of the Network Security Toolkit, authorization won't be required until you attempt to access the WUI interface). As a result of this, I will need to authenticate myself by specifying the appropriate user name and password as shown below:

• At this point, I'm typically getting tired of pressing OK buttons. Fortunately, I've made it to the actual home page of the Network Security Toolkit. For working with the Web User Interface (WUI), I then select the NST WUI link from the page shown below:

• I'm now able to perform many different actions by clicking my way through the links found in the NST Web User Interface shown below:

Once you've reached the NST Web User Interface, feel free to "click" around and explore. You can find out a lot of information about the system as well as perform a variety of network security tests.

Snort In Two Clicks

The snort package at http://www.snort.org/ is a powerful intrusion detection package and is included in the Network Security Toolkit distribution. Through a combination of scripts and HTML pages, you can get snort up and running on your network in two mouse clicks once you've reached the WUI.

• In order to bring up snort, you will first need to click on the Snort link which appears in the Networking table of the WUI. Look at the row labeled Intrusion Detection as shown in the following:

• To run snort, you then press the big gray button that says Start Snort as shown in the screen shot below:

• That's all there is to it. After two mouse clicks, snort should be starting up on interface eth0. If things go well, you should be presented with a screen indicating that snort has been started in the background. As the process of starting up snort also requires starting up and initializing the SQL server, it may take a couple of minutes before it's fully ready (especially if you are running it on an old laptop like me). If you are impatient, you can click the Check Status button like a monkey gone mad, until it indicates that snort is ready and running. The initial screen shown (prior to pressing the Check Status button) resembles:

It should be noted that we've only looked at starting snort with a minimum number of mouse clicks. A skilled reader will take the time to read the instructions shown on the initial setup page. There you will discover that:

• You can change what interface snort uses. A skilled snort user (Ron in my world) prefers to run snort on a dedicated interface.
• You can choose to download the most recent set of rules from the Internet instead of using the local copy available on the CD.
• You can run more than one instance of snort if your machine has multiple interfaces.
• You can specify your own options to snort before it starts.

Examining Snort Results

Being able to start snort with just a few mouse clicks isn't all that impressive if you don't realize what it's doing. Fortunately, the Network Security Toolkit comes bundled with the snort-utils-acid package from http://www.andrew.cmu.edu/~rdanyliw/snort/.

The snort-utils-acid package makes it easy to examine the alerts reported by snort. The following will take you through the basics and get you started:

• From the main panel of the Network Security Toolkit WUI, we will again select the Snort link under the Networking section. Look at the row labeled Intrusion Detection as shown in the following:

Note: Here's a hint for you. If you know that the snort database is already set up and running on your Network Security Toolkit probe, you can go directly to the snort-utils-acid interface by clicking on the ACID link. However, if you click on the ACID link prior to setting up snort it won't work.

• Since we've already started snort, there will be several new options available to us. To access the snort-utils-acid interface, we need to click on the big button labeled ACID Interface For Snort as shown below:

• Since this is the first time we've attempted to use the snort-utils-acid interface, the database will need to be set up. To do this, we need to select the Setup page link, from the warning page which will appear, to complete the setup process. The page which indicates this will look similar to:

• We now need to click on the button labeled Create ACID AG in the web page which next appears.

• If things go well (I've yet to see this fail), we should see that all of the necessary tables for the snort-utils-acid interface have now been created. We then take the link to the Main Page, which appears towards the bottom of the screen shot shown below:

• Once back at the main page, we will see a report of snort alerts which have been triggered since we started snort. If you are on a fairly secure local network, you should see a minimal number of alerts.

• If you have snort set up on the Network Security Toolkit to monitor your Internet connection, you will start seeing more and more alerts show up as people come by "knocking at your doors". If you are impatient, you should be able to make use of the ShieldsUP! server at http://grc.com/ to trigger some additional alerts. My firewall does not expose any ports to the Internet, so I don't get a ton of unwanted traffic. However, the following shows what snort detected over a 13 hour period while I was working on this document:

• The above indicated that there were a total of 45 alerts triggered. I then used the Most frequent 5 Alerts link to see which were the most common. The following screen indicates that most of the activity was related to scanning for my existence (however, it also appeared that there were some attempts to spread a worm as well):

• Since I'm not as knowledgeable in the area of network security as Ron, I have to admit that I don't know what half of the problems reported by snort really indicate. So, when I see that there were 35 alerts related to a PING CyberKit 2.2 Windows (as shown in the previous screen shot), I don't know if I should worry about it or not. Fortunately, the snort-utils-acid interface provides links to additional information. So, by clicking on the arachNIDS link, a new window is displayed showing that this alert is related to someone out on the Internet who is probably using a Windows utility program to scan for computers on the Internet.

• After closing the window showing help information about the alert, I then select the Home link to return to the main page. I'm a bit curious to see if most of the attacks have originated from the same source IP address. I realize that IP addresses can be spoofed; however, I imagine it's a bit difficult to spoof an IP address at the scanning stage of an attack (a scanner needs the replies to come back to it). To get this information, I select the source link under the Most frequent 15 addresses: bullet item. This appears towards the bottom right in the window shown below:

• The following screen shot indicates that the scans of my system were not all originating from the same system. Interestingly enough, it appears that a lot of them were coming from the rr.com domain:

• I then select the Home link to return to the main page. I decide to check out some of the graphing capabilities of snort-utils-acid, so I select the Graph Alert Data.

• The number of options available to the graphing of snort alerts can be a bit intimidating. This is what I initially see when I enter the Graph Alert Data page:

• Fortunately, the graphing of data is very forgiving. So, for my first attempt, I set the Chart Type to Time (day) vs. Number of Alerts, the Chart Period to 7 (a week) and fill in the Chart Begin and Chart End times. Once I'm happy with my choices, I press the button labeled Graph Alerts shown on the screen shot below:

• The snort-utils-acid interface rewards my efforts by presenting me with a bar chart showing the number of alerts per day. This is shown in the screen shot below:

• The bar chart was interesting. I'm still curious about the source IP addresses of the systems which have been scanning my firewall. I adjust the graphing options to display this. Notice how the Minimum Threshold Value was set to 3 to limit the chart to only source IP addresses that scanned my system at least three times:

• The pie chart presented shows me that there were seven source IP addresses that scanned my system at least three times. I really like how the key shows the actual IP address associated with each pie section:

This concludes the "mini tour" of the snort-utils-acid interface. We've only touched upon the tip of what can be done, but it should be enough to whet your appetite.
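ACID's figures above (the alert total, the most frequent alerts, and the source addresses above a threshold) are aggregates over the alert table. The same figures can be produced from snort's plain-text fast alert log, which is handy when the MySQL backend is not running or you only have the log file. The following is an added example, not part of NST or ACID: the eight alert lines are constructed for this example in snort's -A fast format, using RFC 5737 documentation addresses and illustrative signature IDs, and the three functions reproduce the three ACID views.

```shell
#!/bin/sh
# Added example (not NST's or ACID's code): ACID-style counts computed
# from snort's plain-text "fast" alert log. The log lines below are
# constructed for this example; each is timestamp, [gid:sid:rev], message,
# classification, priority, {protocol} src -> dst.

SAMPLE_ALERTS='04/21-14:21:20.000001  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.168.0.9
04/21-14:25:02.000002  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.168.0.9
04/21-14:31:45.000003  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.168.0.9
04/21-15:02:11.000004  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.0.9
04/21-15:40:09.000005  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.20 -> 192.168.0.9
04/21-15:40:10.000006  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.20 -> 192.168.0.9
04/21-16:12:33.000007  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.20:1030 -> 192.168.0.9:1434
04/21-17:05:58.000008  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4312 -> 192.168.0.9:80'

# alert_messages: the signature text of each alert line on stdin
# (everything between the "[gid:sid:rev] " tag and the closing "[**]").
alert_messages() {
    sed -n 's/^.*\[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[\*\*\].*$/\1/p'
}

# alert_sources: the source address of each alert, with any :port removed
# so TCP/UDP and ICMP alerts from one host are counted together.
alert_sources() {
    sed -n 's/^.*} \([^ ]*\) -> .*$/\1/p' | sed 's/:[0-9]*$//'
}

# count_desc: "count value" lines, most frequent first, ties by value.
count_desc() {
    sort | uniq -c | sed 's/^ *//' | sort -k1,1nr -k2
}

# alert_total: number of alerts in the log on stdin (ACID's total).
alert_total() {
    alert_messages | wc -l | tr -d ' '
}

# top_signatures N: ACID's "Most frequent N Alerts".
top_signatures() {
    alert_messages | count_desc | head -n "$1"
}

# sources_at_least T: sources that triggered at least T alerts, which is
# the pie chart above with Minimum Threshold Value set to T.
sources_at_least() {
    alert_sources | count_desc | awk -v t="$1" '$1+0 >= t+0'
}

# Run stand-alone to see the three reports for the constructed log.
printf '%s\n' "$SAMPLE_ALERTS" | alert_total
printf '%s\n' "$SAMPLE_ALERTS" | top_signatures 5
printf '%s\n' "$SAMPLE_ALERTS" | sources_at_least 3
```

On a probe, replace the constructed variable with the real file (for example, cat /var/log/snort/alert | top_signatures 5). The functions only parse the line format, so the same pipeline works for any fast-format log regardless of which rules produced it.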


Probing With Nessus

The nessus package at http://www.nessus.org/ is nmap on steroids. It can detect the systems on your network and the ports that are open on those systems. Not only that, it then probes those ports looking for known weaknesses and produces a nice set of HTML reports. These reports are invaluable when determining what systems require security patches.

One should be a bit careful before blindly unleashing nessus on a network. While nessus is more than happy to probe all of the systems in your network, I've found that some of my systems do not handle the probing very well. My Linux and Windows systems all seem to survive. My LinkSys router also seemed to come through. However, my wife's IP phone and an old D-Link router needed to be reset after being probed by nessus. Also, my networked printer seems to survive the nessus probe, but puts out 10 or so pages of garbage each time it's probed. So, in general, I'd recommend that you carefully limit the systems which you probe on the network to ones you own or are authorized to test. Or, at a minimum, that you turn off your networked printers.

• In order to bring up nessus using the Web User Interface, you will first need to click on the Nessus link which appears in the Networking table of the WUI. Look at the row labeled Scan as shown in the following:

Figure 2-1. Selecting nessus

• Before running a nessus scan on the network, you'll need to start the nessus daemon. The WUI provides two options for starting the daemon. If you select Start Nessus with Local Plugins, then the scans will include the information available at the time the Network Security Toolkit was built. If you press Start Nessus with Latest Plugins, the latest set of scanning rules will be downloaded from the nessus web site prior to starting the nessus daemon (don't use this option if your Network Security Toolkit probe does not have access to the Internet). Make a decision as to whether you want the Network Security Toolkit to download the latest nessus rules or not and then press one of the two buttons shown below:

Figure 2-2. Starting nessus daemon

• Unfortunately, it takes a bit of time to start the nessus daemon. As a result, the Network Security Toolkit probe will inform you that it is still in the process of bringing up the nessus daemon. You will need to be patient and periodically hit your web browser's refresh button, or click on the here link shown below, until the Network Security Toolkit probe indicates that it's ready to run a nessus scan:

Figure 2-3. Waiting for nessus daemon to start

• Eventually, after pressing the refresh button enough times, the nessus daemon will be found to be running. At this point, you'll be presented with a very simple interface to the nessus daemon. By default, it should already have the IP address of your system filled in. If you only wanted to scan your system, you could simply press the Start Scan button at this point in time.

Figure 2-4. nessus ready to scan

• Instead of scanning just my laptop, in this example I've decided to tell nessus to scan the systems ranging from 192.168.0.5 to 192.168.0.12. The following shows how I specified this range of IP addresses and the Start Scan button that needs to be pressed to begin the scan.

Figure 2-5. nessus ready to scan

• After pressing the Start Scan button, the Network Security Toolkit probe comes back indicating what system(s) are being scanned and that it will take a long time. Once again, I will need to be patient and wait for nessus to complete its work. While waiting, I can click on the refresh link to check on the progress.

Figure 2-6. nessus Scan Starting

• My last press of the refresh button tells me that nessus is still in the process of running its scan. These scans are very thorough and can take a LONG time (think lunch). From the snippet shown below, I see that it's running tests 107-110 on 192.168.0.12, tests 313-316 on 192.168.0.5, and tests 321-322 on system 192.168.0.11. I also see that there are 1727 tests total that will be run against all of the systems.

Figure 2-7. nessus Scan Progress

• Finally, a press of the refresh button has yielded something other than a message telling me that the scan is still in progress. I finally have the results of my nessus scan available! With great excitement, I click on the Top link.

Figure 2-8. nessus Scan Complete

• The Nessus Report tells me that nessus found 14 security holes!

Figure 2-9. Nessus Report

• I wasn't too pleased to hear that nessus detected 14 security holes on my network. I scrolled to the bottom of the page to find that system 192.168.0.12 was responsible for 10 of the security holes. I then click on the link for system 192.168.0.12 to see what security issues were found:

Figure 2-10. Nessus Results, by host

• After clicking on the link provided by nessus, I immediately know why there were so many security holes found by nessus. System 192.168.0.12 is my Lexmark 412N laser printer. I forgot to turn it off prior to running the scan! If you'll remember back to the start of this section, I clearly stated that it was a bad idea to let nessus scan your networked printers. Sure enough, I forgot to turn mine off and wasted another 15 sheets of paper. After smacking myself on the forehead, I decided to see why nessus thought it found a security hole at port 80.

Figure 2-11. Nessus Finds Hole On Printer Port 80

• It appears that nessus was able to acquire the source code for some of the CGI scripts used by my Lexmark printer. Currently, I don't worry too much about the security of this network printer (I rely on a firewall and knowing the users which have access to it). However, if I were to be paranoid, I might consider searching for patches, or attaching the printer to a networked Linux box instead of putting it directly on the LAN.

Figure 2-12. Nessus Reports CGI Source Code Found

This concludes a sample session of using nessus from a running Network Security Toolkit probe. It should be enough to get you started at exploring the weaknesses in your local network. Hopefully, you will be wise and learn from my mistakes (avoid scanning your printers).

Traffic Monitoring With bandwidthd72 The bandwidthd73 package at http://bandwidthd.sourceforge.net/ monitors the amount of traffic being received/transmitted by specific machines and or subnets. Once a particular machine or subnet has generated enough traffic, bandwidthd75 then provides a graph of traffic associated with the machine or subnet.

• In order to bring up bandwidthd76 using the Web User Interface, you will first need to click on the bandwidthd link which appears in the Networking table of the WUI. Look at the row labeled Monitors as shown in the following:

49 Chapter 2. The Web User Interface (WUI)

Figure 2-13. Selecting bandwidthd

• Before starting the bandwidthd77 daemon, one has the option of specifying which network interface should be monitored as well as any particular subnets which are to be specifically monitored. In the setup used in this example, I have my home network connected to the Inter- net through a firewall/router via NAT. The eth1 interface on my Network Security Toolkit probe is tapped into the traffic which travels between my router and the ca- ble modem. Because of this arrangement, bandwidthd78 will show all of the traffic from my home network under the single IP address associated with the Internet side of my router. Since my entire network will appear as a single IP address, I don’t have a reason at this point in time in specifying any subnet addresses. I will need to change the interface from eth0 to eth1 before starting bandwidthd79.


Figure 2-14. Setting the bandwidthd Interface

• Now that I’ve set the interface to eth1, I’m ready to press the Start bandwidthd button to start the bandwidthd daemon:

Figure 2-15. Starting bandwidthd daemon

• The bandwidthd daemon starts up pretty quickly (it only takes a few seconds). So, I typically give the Network Security Toolkit probe a few seconds to get going and then press the Check Status button.


Figure 2-16. Checking bandwidthd daemon

• If things go well (which they should unless you specify unsupported options), one should see the screen indicating that bandwidthd is running. One can jump to the bandwidthd interface by clicking on the Use bandwidthd interface button.


Figure 2-17. Accessing the bandwidthd Interface

• When you first bring up the bandwidthd interface, you are likely to see a nearly blank page indicating that “bandwidthd is collecting data...” as shown below.

Figure 2-18. bandwidthd Collecting Data

• Eventually, enough time will have passed and bandwidthd will display network traffic information. When a machine or subnet generates enough traffic (think 1MB), bandwidthd will provide a link to a graphic chart of the traffic associated with the machine or subnet. In the page below, I will click on the 65.29.66.13 link to see what type of traffic was occurring:

Figure 2-19. bandwidthd Traffic Table

Actually, before clicking on the link, I’m going to investigate the 69.44.123.39 IP address shown in the table. It catches my eye as there was a fair amount of traffic. I will start my investigation by opening up an ssh connection to my Network Security Toolkit probe and making use of the whois, host and wget tools:

[root@probe root]# whois 69.44.123.39
Williams Communications, Incorporated WCG-BLK-4 (NET-69-44-0-0-1)
                                      69.44.0.0 - 69.45.255.255
Akamai Technologies WLCO-TWC02103579-AKAMAI-TECH-BROADVIEW (NET-69-44-123-32-1)
                                      69.44.123.32 - 69.44.123.63

# ARIN WHOIS database, last updated 2004-05-29 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
[root@probe root]# host 69.44.123.39
39.123.44.69.in-addr.arpa domain name pointer 69-44-123-39.wcg.net.
[root@probe root]# wget -O - http://wcg.net/
--17:07:32--  http://wcg.net/
           => `-'
Connecting to 192.168.0.2:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 127 [text/html]

 0% [                    ] 0             --.--K/s    ETA --:--

100%[======>] 127           124.02K/s    ETA 00:00

17:07:32 (124.02 KB/s) - `-' saved [127/127]


[root@probe root]# wget -O - http://www.wiltel.com/
WilTel Communications
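As an added example (not part of the NST documentation), a small Python helper that does the "who is this address?" step of the investigation above offline: it parses the ARIN summary lines printed by whois and the PTR answer printed by host, and picks the most specific netblock containing the address, since ARIN lists the parent allocation (WCG) above the reassignment (Akamai). The sample text is constructed from the session above.

```python
import ipaddress
import re

# Constructed sample input: the ARIN summary lines and the `host` answer
# from the session above, one record per line as the tools print them.
WHOIS_SAMPLE = """\
Williams Communications, Incorporated WCG-BLK-4 (NET-69-44-0-0-1) 69.44.0.0 - 69.45.255.255
Akamai Technologies WLCO-TWC02103579-AKAMAI-TECH-BROADVIEW (NET-69-44-123-32-1) 69.44.123.32 - 69.44.123.63

# ARIN WHOIS database, last updated 2004-05-29 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
"""
HOST_SAMPLE = "39.123.44.69.in-addr.arpa domain name pointer 69-44-123-39.wcg.net.\n"

# One ARIN summary line: "<org> <handle> (NET-...) <first> - <last>"
_BLOCK_RE = re.compile(
    r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<net>NET-[\w-]+)\)\s+"
    r"(?P<first>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<last>\d+\.\d+\.\d+\.\d+)$"
)
_PTR_RE = re.compile(r"domain name pointer\s+(?P<name>\S+?)\.?$")

def parse_netblocks(whois_text):
    """Return (org, NET handle, first, last) for each summary line."""
    blocks = []
    for line in whois_text.splitlines():
        m = _BLOCK_RE.match(line.strip())
        if m:  # blank lines and '#' comment lines simply do not match
            blocks.append((m["org"], m["net"],
                           ipaddress.ip_address(m["first"]),
                           ipaddress.ip_address(m["last"])))
    return blocks

def most_specific_block(ip, blocks):
    """ARIN prints the parent allocation above the reassignment; keep the
    smallest range containing ip, since that is who actually uses it."""
    addr = ipaddress.ip_address(ip)
    inside = [b for b in blocks if b[2] <= addr <= b[3]]
    return min(inside, key=lambda b: int(b[3]) - int(b[2])) if inside else None

def parse_ptr(host_text):
    """Reverse-DNS name from `host <ip>` output, or None when there is no PTR."""
    m = _PTR_RE.search(host_text.strip())
    return m["name"] if m else None

def triage(ip, whois_text, host_text):
    """Summarise who is behind an address seen in the bandwidthd traffic table."""
    block = most_specific_block(ip, parse_netblocks(whois_text))
    return {"ip": ip, "ptr": parse_ptr(host_text),
            "org": block[0] if block else None,
            "net": block[1] if block else None}
```

Feed it the real whois and host output captured on the probe and it returns the reassigned owner (here Akamai) rather than the larger carrier block that a naive first-line read would report.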