http://www.dmst.aueb.gr/dds/pubs/trade/2006-login-PenTesting/html/GS06.html
This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:
  • Markos Gogoulos and Diomidis Spinellis. Using Linux live CDs for penetration testing. ;login:, 31(3):40–45, June 2006. Green Open Access

Citation(s): 1 (selected).

This document is also available in PDF format.

The document's metadata is available in BibTeX format.

Find the publication on Google Scholar

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Diomidis Spinellis Publications

Using Linux Live CDs for Penetration Testing

 

Markos Gogoulos and Diomidis Spinellis

 

Introduction

 

 What would you think if in minutes you could have a full Linux system with almost all the necessary tools for penetration testing and security auditing, without having to install it on a dedicated machine? Whether you are a security professional or a system administrator a bootable Linux live CD can be your best friend.

 

What is  Penetrationis Penetration Testing       

 

 Penetration testing is a focused attempt to look for security holes, which : these can be design weaknesses, or technical flaws and vulnerabilities, in critical resources for a network. The test is focused focuses on the a network's network’s infrastructure, servers and workstationssystems that comprise the target network. Penetration testers try to break into a customer's network, attempting to locate and document all security flaws, so that they will be fixed. Usually penetration testers are supplied with specific instructions as to which systems and networks to test.  If you are to undertake such an effort, make sure you Most probably obtain written permission from a person authorized to give it, before even preparing for the testmay be necessary before the test begins. Also notify all system administrators what will be affected, because Since the testers have the permission for the test, the test may create a heavy traffic load to the network and generate intrusion detection system alerts generated by IDS will not take the administrators by surprise. Penetration testing is quite similar to hhcracking -that's that’s why it is also called ethical hhcracking- but differs in that it is arranged and approved by the customer networks owner and aims to locate all security flaws,.  Contrast this to in contrast hto hcracking, where the goal is typically to find a single series of single flaws may be  that are sufficient for system intrusion. While in hhcracking creativity has a major impact on the results and an instinctualinstinctive, probably self-developed procedure is being followed, professional penetration testing involves the use of a methodology which that will be followed to assure that results are accurate and complete.

 

The Need for a Methodology

 

 A penetration testing methodology provides a framework that is followed, so  to ensure that the results will be accurate and complete. As far as we know, the only publicly available methodology for penetration testing is the Open Source Security Testing Methodology Manual (OSSTMM). As quoted to OSSTMM's OSSTMM’s site,

 

The OSSTMM is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases. The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

 

 OSSTMM is publicly available for downloading. If followed, OSSTMM ensures that a thorough penetration testing has been undertaken. OSSTMM also comes with Report Requirements Templates to assist the creation of final reports and a legal penetration testing checklist, containing features to consider, such as privacy and protection of information, and authorization for the test etc. Note that OSSTMM does not give instructions on how to accomplish the penetration testing or what tools to use for thisit,; there are numerous sites on the internet and books for this task along with institutions and companies that will happily charge you to attend their seminars and get (a portion of)  this knowledge.

 

 

 

Open Source or Proprietary tools?

 

 Security related tools exist in both OSS and commercial platforms. Most of the commercial tools are generally more professional looking, however keep in mind that these are difficult or impossible to modify to fit your needs, and that their cost is often  modifications cannot be made, since the source code is unavailable and cost is high .significant. Moreover, there are no commercial tools for several tasks.  Also, commercial , or these tools are often created after OSS tools have been available for asome time, and therefore such tools lag in the technologies they use.  Typical examples of this state of afairsaffairs are currently Wep analysis and cracking tools are an example to this. Many OSS security related tools are maintained by a large team of people, and hundreds of developers contribute to the project. Generally OSS tool updates are more frequent and signatures for vulnerability assessment tools for the  newlythe   discoverednewly discovered vulnerabilities are added soon after they are publicly available. In this area the reflexes of the OSS society's reflexes are community appear to be far quicker to all security related aspects, so most of , and therefore the best tools for penetration testing are not commercial.

 

What is a Linux Live CD

 

  Linux live CDs are Linux systems based on a certain distribution, that operate from the distribuiondistribution CD ROM  withoutROM without the need to set up to the system and without the use of the local hard drive. They perform automated hardware configuration with great success, so that .  As a result, in a few minutes from booting, youll have in front of you a full graphical lLinux environment is operating, with all the peripherals identified in most cases as well as and a number of preinstalled programs ready to be used. One category of Linux live CDs s category is the distributions for targets security. Most of those CDs are based on Knoppix or Slax distributions., which automatically perform efficient identification of the peripherals .  (Knoppix is a distribution based on Debian, whereas Slax is based on Slackware.)

 

Alternatives

 

  Live CD distributions for security belong to one or more of the can be split into the following categories :  Penetration Testing, Forensics, and Secure Desktop. The Forensics category consists of distributions with forensics focuses on tools i.e. for the non-invasive study and retrieval of data from various types of file systems, whereas in the Secure Desktop distributions focus on numerous programs and servers are included for providing secure protocol implementations, cryptography e.t.c. Penetration testing live CDs include the most famous programs as well as the less known, for the enumeration, network scanning and analysis, vulnerability assessment, as well as tools for and exploitation of several security vulnerabilities.

 A successful system for penetration testing requires a lot of work to setup, possibly months of hardworking ,. as it involves in order for the programs to be gathereding the programs, installed installing them, and maintained maintaining them up-to-date. A live CD for penetration testing, such as the ones that we study on forth – will examine here, is a system base ready to usesaves you this effort. What is missing of course is the knowledge required for the operation of penetration testing tools, which in many cases is minimal, although in other cases good knowledge is required for a certain protocol or a programming task, as well as the methodology to support it.

 

 

  We expect from Typically a penetration testing CD to consist of the most effective and commonly usedwill contain

·        attack and penetration testing tools,

·        enumeration tools,

·        tools for scanning and network port analysis,

·        vulnerability scanners seeking for targeting known problems,

·        smb CIFS (SMB) scanners,

·        sniffers and network analyzers,

·        tools for the exploitation of common vulnerabilitiesy exploitation, for instance Metasploit Framework and Exploit Tree,

·        http HTTP proxy tools,

·        fuzzer tools,

·        tools for router scanning and exploitation,

·        tools for spoofing and session hijacking, and

·        tools for password cracking and brute-force attacks.   

 

Since we already covered the basics, it is high time to Let’s go through the presentation some of the available live CDs for penetration testing. You can locate the live CDs in the security category of the frozentech list [2] .[2] All distributions comprise a minimal basic set of penetration testing tools (nmap, nessus, nikto, Metasploit Framework) plus some basic additional tools to make the system more functional, such as editors, web browsers, and image viewers, nx clients e.t.c.  .  You can see a summary of the features of some prominent distributions in Table 1.

 

Our personal favorite is the Auditor security collection:[3] it includes  Almost all the previous all the tools we listed, and perhaps more are included in the Auditor security collection [3]; a far more complete and handy live CD for penetration testing from the examined list of live CDs. It should be noted that it was created by top security experts. What we liked most about Auditor was is the programs' organization of the programs into separate categories, its as well as the orientation for toward a professional administrators, and its cutting edge functionality. The Auditor consists of more programs, compared to other distributions, most of which are classified in distinct categories. In the wireless sector, the Auditor truly shines truly, since it consists of coming with the most complete tool collection for wireless network penetration testing. Some of those programs, with top the known such as the wireless LAN wlan scanner kKismet, are notoriously known  for their time-consuming and hard-demanding difficult installation; with Auditor this funcitonalityfunctionality comes out-of-the-box. Furthermore, Tthe Auditor also uniquely incorporates tools for Bluetooth penetration testing, a feature that is not met in any other distribution and most of the libraries that we require for the installation of additional programs beyond the ones preinstalled a fact significantly important in the scenario that we install in a computer.

 

Although some tools are missing from Auditor, with a little additional work an installed system can be transformed into a state-of-the-art base for penetration testing. For example, tools we found missing from Auditor are those for database auditing, for Novell Netware auditing, and SMB and Kerberos sniffing. Some of these tools exist for Linux, while others can  operate through Wine. Furthermore, it would be desirable if the system had by default read/write capabilities for NTFS file-systems. In addition, one could add the Achilles and Spike web interception proxies; these apart from their other capabilities automatically test web applications for buffer overflows and SQL injection.

 

   Among From the other distributions that we examined worked, we found Whax [4] and KCPentrix [5] quite interesting. Both distributions include features that Auditor lacks.  These distributions represent worthy efforts that with additional work can reach the quality levels of Auditor. Some of the positive working aspects of these distributions can be considered the following: For example, Whax contains snort accompanied with acid and other front-ends, of the most famous open source IDS. In the enumeration sector, as well as tools for the vulnerability enumeration through the so-called  tools for google hacking techniques.  that dont exist in Auditor are included. In the vulnerability scanners category, there Whax has modules for the are modules from scanner Retina and Foundstone tools that operateing normally through Wine, since  (these are wWindows tools). Furthermore, there are Whax includes tools for database auditing, for instance Absinthe for blind sql SQL injection and other tools for oracle auditing Oracle and Cisco systems. Beyond the Metasploit Framework, an advanced open-source platform for developing, testing, and using exploit code (EXPLAIN), the Whax includes Exploit Tree, a properly supported exploit source code base with exploit source codes that have been distributed officially with an update capability. In addition it Whax contains several exploit collections for client side attacks i.e.:  vulnerabilities for the Internet Explorer, as well as exploit archives from the securityfocus.com, packetstormsecurity.com, and milworm.com sites. In the cisco auditing field numerous tools have been gathered. Both The Whax and KCPentrix is are founded on Slax , just as KCPentrix, among which there are many similarities  and therefore share many features, with in the structure, although Whax consists offering slightly of more material.

 

 The Phlak [6] live CD consists of only a few tools, which are not organized in a menu. What however impressed us in Phlak is is its acompanying security-oriented documentation, the fact that it contains numerous documents on  security, well-organizedwell organized in different categories. We believe that it found this very useful and we should also emphasize think that other distributions could benefit from such documentation, a thing that we think as not wastefuladopting this approach. For example, the OSSTMM that is we mentioned above could be included on a security related live CD.

 

 The Auditor Security Collection, as previously mentioned is considered the ideal selection. Nevertheless, some tools are missing from the Auditor and with a little additional work, an installed system can be transformed to a state-of-the-art base for penetration testing. What is missing from the Auditor and should be added are among others tools for database auditing, tools for Novell Netware auditing, smb and Kerberos sniffing tools. Some of these tools exist for Linux, while others can  operate through Wine. The L0phtcrack, which is the best tool for Windows password auditing and recovery, could not be integrated in a GNU distribution, since it is a commercial product. Furthermore, it would be desirable if the system had read/write capabilities in ntfs file-systems by default. Achilles and Spike web interception proxies – that apart from the other capabilities automatically test web applications for buffer overflows and sql injection can be added, even if Paros exists, that belongs to the same program category.

 

Table 1.  Distribution Comparison Table

 

 

 

GUI

System apps

Installation program

Vulnerability Scanners

Exploit Tools

Version in 2005

Documents/ Penetration Testing material

Wireless pen

Bluetooth pen

Auditor

Y

Y

Y

Y

Y

Y

N

Y

Y

Whax

Y

Y

Y

Y

Y

Y

N

Y

N

KCPentrix

Y

Y

N

Y

Y

Y

N

Y

N

Phlak

Y

Y

Y

Y

Y

Y

Y

Y

N

Knoppix-std

Y

Y

Y

Y

N

N

N

Y

N

 

Penetration Testing

 

 Often the penetration testing process is presented as a mixture of science and art. It is also true that Furthermore, a complete penetration testing is something more than the plain simple execution of some various vulnerability scanners to targettingtargeting some systems: the penetration tester aims to trace all the possible violation pathways, following a well defined methodology.

 Even if the penetration testing results will depend on the knowledge and skills of the penetration tester from some point on, there are some tasks that are most usually followed. Usually the penetration tester you will initially enumerate initially the systems or the networks that are due to be tested, in order to trace obtain basic information about them, for example ip IP address ranges, gateways, and administrator names e.t.c. Subsequently, with through port scanning, you will locate open ports will be located and services that are running on them. Any network service is a potential door to the system entry. Services that currently run may be vulnerable to a known vulnerability, something that a vulnerability scanner will show, but can also be traced manually if if the penetration tester you gets a connection to the an open port that is open for the service, reads the banner and afterwards checks if the service version is vulnerable to some flaw.

 Most services will reveal their version from a banner with little effort, but even those tailored not to reveal such information can be tricked some times. It is important to locate that all existing shares in Windows systems or nfs NFS exports in Unix that possibly exist are found. With brute force tools, you can try to crack passwords can be cracked that give access to shares or to the system, through sshSSH, ftpFTP, web accessprotocols, webmin or an other service. The use of a By using a sniffer will reveal you can see the unencrypted protocols (a common and controversial pasttime in older Usenix conferences) as well as passwords or other sensitive data that is distributed in passes through the network.  For example, a few years ago, one of us used a sniffer to demonstrate to the public that sensitive data used in a particular setup of a popular e-government application was being transmitted in plain-text form.  You can also use Ettercap and Dsniff to perform advanced type more sophisticated attacks, utilizing all somewhat esoteric the known techniques, i.e. such as arp ARP spoofing for sniffing through switches sniffing. Several other tools that are incorporated in Auditor could be utilized allow you to test network security and to trace locate bad risky adjustmentssetups, for instance  through spoofing, traffic injection, dhcp DHCP flooding tools.

When you locate vulnerabilities are located, testers will you will have to try to exploit them before documenting possible solutions are documented, to assure insure that you don’t report and there are no false positives and or false negatives.  For example, an application may be lying about its version, or may have been configured with a workaround to avoid a particular vulnerability.  That's why This is where tools like the Metasploit Framework are so preciouscome in. These tools are the most direct way to allow you to avoid false positives and directly check the for security gaps.  In addition, with such tools you can demonstrate the actual problems, because since most of the sometimes even if the system administrators know of certain problems in their network, wont face but fail to address them, in mistaken belief that their network is not at risk.

 In light of the fact that the web applications which are most probably supported by a database comprise the most house in many networks valuable assets for many networks, it is important to you’ll need to test them separately for how they behave on unexpected input, sql SQL injection and other attacks. This job You could be performed in assistance with thisperform this job using tools, such as Nikto, Spike, Achilles, or Paros or other tools.

 

Discussion

 

 It is very easy to understand that Obviously, these tools are extremely powerful and the wrong use by on the hands of non-authorized people could they cause many problems and chaos on a network. Someone could claim that tools distribution such as Auditor make it possible easier for script kiddies and other wrongdoers malicious attackers to accomplish their attacks. That thought doesnt stand since However, nowadays everyone anyone with a browser can easily find information about the programs Auditor contains , for instance by performing a google search ; try, for example, googling for with the term dhcp flooder.  Script kiddies It might would require some more effort for a script kiddie to install them, eventually though, the tools will wok for him / herthem.

 

Conclusions

 

 With The easiness that a live CD has to offer (i..e. the like Auditor for penetration testing) is extremely important,  for example you as a system administrator could run nNessus periodically in his your systems to check if there is are any security related problems or , also  you can professional penetration testers could use it as a base system for a more complete penetration test. Auditor just as other Most of the live CDs we examined allow you includes installed libraries that will be needed for the addition installation of tools not included in the distribution, and some of the tools support the capability for automated downloading of updates.  Both features , something that will helps us your keep the your penetration testing system up-to-date.   When the time for downloading the updates becomes excessive, just burn a CD with an updated distribution.  Since Finally, keep in mind that those these distributions are maintained from by unpaid teams of people and gnu developers that are not paid to do itvolunteers, in the context of supporting those efforts and to continue for better ones, let us not ; don’t forget that these projects are in the need of depend on contributions from our community for maintenance and improvements.

 

 

Links

1)Open1) Open Source Security Testing Methodology Manual (OSSTMM), http://www.osstmm.org

2) Frozentech list with live CD's for security ,security, http://www.frozentech.com/content/livecd.php?pick=All&showonly=Security&sort=&sm=1

3) Auditor security collection, http://www.remote-exploit.org/index.php/Auditor_mainhttp://www.remote-exploit.org

4)Whax , http://www.iWhax.net

5)KCPentrix, http://www.knowledgecave.com/KCPentrix/

6)Phlak, http://www.phlak.org

 

 

 

Markos Gogoulos is a research assistant in the ELTRUN Software Engineering and Security Group at the Athens University of Economics and Business and a free software movement enthusiast.

 

Diomidis Spinellis is an associate professor in the Department of Management Science and Technology at the Athens University of Economics and Business, and author of the books Code {Reading, Quality}: The Open Source Perspective (Addison-Wesley, 200[36]).