Helpful Linux Tools - PowerPoint PPT Presentation

Slides: 35
Provided by: BARK78
1
Helpful Linux Tools
  • or
  • How to manage security risks on a very small
    budget, with few staff, using FREE Linux tools

2
Helpful FREE Linux tools
  • There are many security related tasks that can be
    done with tools that cost you nothing. Today I
    will share some details with you using some
    common tasks as examples.
  • All these tools are only a download away!
  • (Did I mention they're free?)

3
What's out there?
  • It is a big bad world out there
  • Viruses, worms, trojans
  • Hackers
  • Strange events on your network
  • Insider threats

4
What are you looking for?
  • What don't you know about your servers?
  • What's exposed behind your firewall and across
    your DMZ?
  • Are any servers running unknown services or
    sending out odd traffic?

5
Tools to improve your security awareness
  • NMAP: Great small tool for host identification.
  • Nessus: Wide range of methods to find flaws, and
    includes details to solve the problems you may
    find.
  • F-PROT: FREE anti-virus/worm removal tool.
  • Wireshark: Formerly known as Ethereal.
    A full network traffic analysis toolkit.
  • These tools are all free and are easy to use.

6
NMAP Overview
  • NMAP is a widely used port-scanning utility (the
    network mapper)
  • a command-line utility that uses a variety of
    scanning methods
  • allows for fingerprinting hosts
  • Use NMAP to find and fix problems before the
    hackers find them!
  • NMAP reveals all exposed services
  • NMAP is now available for Windows.

7
NMAP Overview
  • NMAP will collect very detailed data for your
    interpretation
  • Example command and its output:

    nmap -A -T4 -F www.insecure.org

    Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2006-09-06 19:49 PDT
    Interesting ports on www.insecure.org (205.217.153.53):
    (The 1206 ports scanned but not shown below are in state: filtered)
    PORT     STATE   SERVICE  VERSION
    22/tcp   open    ssh      OpenSSH 3.1p1 (protocol 1.99)
    25/tcp   open    smtp     Qmail smtpd
    53/tcp   open    domain   ISC Bind 9.2.1
    80/tcp   open    http     Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
    113/tcp  closed  auth
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X
    OS details: Linux Kernel 2.4.0 - 2.5.20
    Uptime 108.307 days (since Wed May 21 12:27:44 2006)
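
The slide answers "are any servers running unknown services?" by reading the scan by eye. The POSIX shell script below is an added example (not from the presentation and not part of nmap) that does the same check mechanically: it parses nmap's normal-format output, lists the open ports, and flags any that are not on an allowlist of services the host is supposed to offer. The scan text is a constructed copy of the output shown on this slide, and the allowlist of 22/tcp and 80/tcp is an assumption about what that host should expose.

```shell
#!/bin/sh
# Added example: parse nmap normal-format output and flag unexpected open ports.
# NMAP_OUTPUT is a constructed copy of the scan shown on the slide.
NMAP_OUTPUT='Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2006-09-06 19:49 PDT
Interesting ports on www.insecure.org (205.217.153.53):
(The 1206 ports scanned but not shown below are in state: filtered)
PORT     STATE   SERVICE  VERSION
22/tcp   open    ssh      OpenSSH 3.1p1 (protocol 1.99)
25/tcp   open    smtp     Qmail smtpd
53/tcp   open    domain   ISC Bind 9.2.1
80/tcp   open    http     Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp  closed  auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20'

# open_ports SCAN: print "port/proto service" for every port line whose STATE is open.
# Header, banner and OS-detection lines do not match the port/proto pattern and are skipped.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# open_count SCAN: number of open ports, as a bare number.
open_count() {
    open_ports "$1" | wc -l | tr -d ' '
}

# unexpected_ports SCAN ALLOWLIST: open ports not listed in the space-separated
# allowlist of "port/proto" entries (e.g. "22/tcp 80/tcp").
unexpected_ports() {
    scan="$1"
    allow=" $2 "
    open_ports "$scan" | while read -r port svc; do
        case "$allow" in
            *" $port "*) ;;                          # expected service, stay quiet
            *) printf '%s %s\n' "$port" "$svc" ;;    # not on the allowlist: report it
        esac
    done
}

# Demo: a plain web server should only have SSH and HTTP listening (assumed allowlist),
# so smtp and domain are reported for follow-up.
unexpected_ports "$NMAP_OUTPUT" "22/tcp 80/tcp"
```

Run it against a saved scan with `unexpected_ports "$(cat scan.txt)" "22/tcp 80/tcp"`; a non-empty result is the list of services that need an owner or a firewall rule.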

8
NMAP for Windows
9
Nessus Security Scanner
  • Wouldn't it be great to have an easy-to-use tool
    that could identify nearly every known
    host/server vulnerability?
  • Wouldn't it be great if the tool generated
    reports?
  • Wouldn't it be even nicer if the tool was
    completely FREE?

10
Nessus Overview
  • Nessus
  • Remote Vulnerability Scanner
  • Remote data gathering, host identification and port
    scanning are the main purposes of using this
    tool.
  • Client/Server setup.
  • Server: UNIX (Linux) based.
  • Clients: Windows and UNIX based.
  • Open Source, Highly flexible, Harmless.

11
Nessus Overview Continued
  • Nessus Attack Scripting Language (NASL)
  • Scripting language used by Nessus to form the
    attacks that detect vulnerabilities.
  • Guarantees:
  • Will not send packets to any host other than the
    target.
  • Will execute commands only on the local system.
  • Optimized built-in functions to perform network
    related tasks.
  • e.g. socket operations, open a connection if a port
    is open, forge IP/TCP/ICMP etc. packets.
  • Rich knowledge base (KB), which provides the ability
    to use the results of other scripts in a custom
    script.

12
Nessus Overview Continued
  • Features
  • Plug-in Architecture
  • Security Tests are modular Plug-ins, easy to add
    or modify tests with changes to NASL scripts.
  • Security Vulnerability Database
  • Database is updated on a daily basis and keeps a
    record of the latest security holes.
  • Client-Server Architecture
  • Server: performs the attacks
  • Client: front-end
  • Both can be located at different hosts

13
Nessus Overview Continued
  • Can test an unlimited number of hosts in each scan.
  • Depending on server capacity, the scan can be
    performed on any range of hosts.
  • Smart Service Recognition.
  • Doesn't believe in fixed ports for a particular
    service.
  • Checks all ports for specific vulnerability.
  • Non-Destructive Option
  • Used to select only the non-destructive scripts
    to run for scanning. Nessus then will rely only
    on banner information for service identification.

14
What's it look like?
  • Nessus Server / Client
  • 10.10.10.10:1241
  • Authentication used: Password
  • nessus-mkcert will generate an X.509 cert.
  • Remote host scanned: 10.12.13.14

15
What's it look like?
  • Plugins
  • Scan can be enabled for all possible plugins.
  • upload-plugin lets you add a plugin from the
    local database.
  • Dependencies can be set to enabled while scanning.

16
Nessus Reports
17
Fix a broken Windows system
  • Corrupted boot files?
  • Worm-damaged system?
  • Suspect a root-kit or keylogger?
  • Damaged Registry?
  • Need to reset a password you don't know?
  • Knoppix boot-CD Linux is your friend!

18
Knoppix Boot CD/DVD
19
Knoppix Boot CD/DVD
  • Knoppix is a Boot-CD Linux version that's
    completely portable, works anywhere!
  • Constantly updated, easily customized.
  • Ability to download specific applications as
    modules for specific tasks.
  • Now can freely read/write NTFS 5.x file
    systems for easy virus removal.

20
Knoppix Boot CD/DVD
  • Any tools not preloaded are easy to add.
  • You can download your tools to a thumb drive and
    always have your custom tools.
  • Since it all runs in a RAM disk, the host system
    is not touched.
  • Free anti-virus tools like F-PROT can be used to
    find and remove any known malware.

21
Knoppix Boot CD/DVD
  • Using Knoppix sidesteps several key issues in the
    repair of virus/worm infected Windows systems.
  • Many viruses kill AV software on sight if Windows
    is running.
  • More details can be found here:
  • www.oreilly.com/catalog/knoppixhks/chapter/hack78.pdf

22
Knoppix Virus/worm removal
  • By default F-Prot is not included with Knoppix, as
    they don't want 3rd party distribution.
  • F-Prot is easy to install to the RAM disk by
    using a shell-script from a thumb drive as shown
    on the next page.

23
F-Prot installation script
    #!/bin/bash
    # Install f-prot - useful in combination with persistent home
    # GPL
    # Author: Fabian Franz

    # Fetch and unpack the workstation tarball into the (RAM-disk) home directory
    mkdir -p $HOME/software/
    cd $HOME/software/ || exit 1
    wget ftp://ftp.f-prot.com/pub/linux/fp-linux-ws.tar.gz
    tar xzf fp-linux-ws.tar.gz

    # Link the scanner, its updater and their man pages into $HOME/bin and $HOME/man
    mkdir -p $HOME/man/man8
    mkdir -p $HOME/bin
    ln -fs $(pwd)/f-prot/f-prot.sh $HOME/bin/f-prot
    ln -fs $(pwd)/f-prot/check-updates.sh $HOME/bin/check-updates.sh
    ln -fs $(pwd)/f-prot/man8/f-prot.8 $HOME/man/man8/
    ln -fs $(pwd)/f-prot/man8/check-updates.sh.8 $HOME/man/man8/

    # Setting up MANPATH & PATH for f-prot (drop any earlier copies of the lines first)
    cp $HOME/.bashrc $HOME/.bashrc.templ
    cat $HOME/.bashrc.templ | grep -v "export MANPATH=\$HOME/man" \
        | grep -v "export PATH=\$HOME/bin/" > $HOME/.bashrc
    echo "export MANPATH=\$HOME/man/:\$MANPATH" >> $HOME/.bashrc
    echo "export PATH=\$HOME/bin/:\$PATH" >> $HOME/.bashrc
    rm -f $HOME/.bashrc.templ

    # Fix paths: the shipped wrapper scripts assume /usr/local/f-prot
    cp f-prot/f-prot.sh /tmp/f-prot.$$
    sed 's|/usr/local/f-prot|'"$(pwd)"'/f-prot|g' /tmp/f-prot.$$ > f-prot/f-prot.sh
    cp f-prot/check-updates.sh /tmp/f-prot.$$
    sed 's|/usr/local/f-prot|'"$(pwd)"'/f-prot|g' /tmp/f-prot.$$ > f-prot/check-updates.sh
    rm -f /tmp/f-prot.$$

    # cleanup
    rm -f fp-linux-ws.tar.gz

24
F-Prot inspection script
  • F-Prot inspection script with results written to
    /virus.txt

    #!/bin/bash
    # F-Prot Autoscan
    # GPL
    # Author: Fabian Franz
    # Idea by Robert Long

    # Mount all partitions (read-only, so the host system is not touched).
    # The pipeline takes the mount point (field 2) of every non-comment
    # fstab entry whose mount point names an hd* or sd* disk.
    for i in $(cat /etc/fstab | grep -v "^#" | awk '{ print $2 }' | egrep "hd|sd"); do
        sudo mount -o ro $i
    done

    # Run f-prot over the same mount points
    f-prot $(cat /etc/fstab | grep -v "^#" | awk '{ print $2 }' | egrep "hd|sd") \
        -all -ai -archive -dumb -packed -list -report=/virus.txt

    # Unmount them
    for i in $(cat /etc/fstab | grep -v "^#" | awk '{ print $2 }' | egrep "hd|sd"); do
        sudo umount $i
    done

25
F-Prot inspection report
  • Virus scanning report  -  31 May 2006 @ 12:16

    F-PROT ANTIVIRUS
    Program version: 4.6.1
    Engine version: 3.16.8

    VIRUS SIGNATURE FILES
    SIGN.DEF created 30 May 2006
    SIGN2.DEF created 30 May 2006
    MACRO.DEF created 30 May 2006

    Search: home
    Action: Report only
    Files: "Dumb" scan of all files
    Switches: -ARCHIVE -PACKED -SERVER

    Error on reading home

    Results of virus scanning:
    Files: 0
    MBRs: 0
    Boot sectors: 0
    Objects scanned: 0
    Time: 0:00

    No viruses or suspicious files/boot sectors were found.

26
Knoppix virus/worm removal
  • If the report indicates any infected files they
    can be removed manually or you can command F-Prot
    to delete any malware upon discovery.
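
The report on slide 25 and the removal advice on slide 26 assume someone reads the report. The POSIX shell script below is an added example (not from the presentation and not part of F-Prot) that triages a report file automatically and, in particular, refuses to treat the slide's own report as clean: that report says "Error on reading home" and "Objects scanned: 0", so its closing "No viruses ... were found" line is not evidence of anything. The first sample report is a constructed copy of the slide's; the other two are constructed, and the "path  Infection: name" line format used for a detection is an assumption about F-Prot 4.x output, not taken from the page.

```shell
#!/bin/sh
# Added example: classify an F-Prot report as clean / incomplete / infected.
# SLIDE_REPORT is a constructed copy of the report shown on slide 25.
SLIDE_REPORT='Virus scanning report  -  31 May 2006 @ 12:16
F-PROT ANTIVIRUS
Program version: 4.6.1
Engine version: 3.16.8
Search: home
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
Error on reading home
Results of virus scanning:
Files: 0
MBRs: 0
Boot sectors: 0
Objects scanned: 0
Time: 0:00
No viruses or suspicious files/boot sectors were found.'

# Constructed: a complete scan of a mounted partition with no findings.
OK_REPORT='Virus scanning report  -  31 May 2006 @ 12:40
Search: /mnt/hda1
Action: Report only
Results of virus scanning:
Files: 12345
Objects scanned: 15678
Time: 4:12
No viruses or suspicious files/boot sectors were found.'

# Constructed: same scan with one detection. The "Infection:" line format is an assumption.
HIT_REPORT='Virus scanning report  -  31 May 2006 @ 12:40
Search: /mnt/hda1
Action: Report only
/mnt/hda1/WINDOWS/Temp/update.exe  Infection: W32/Example.worm
Results of virus scanning:
Files: 12345
Objects scanned: 15678
Time: 4:12'

# objects_scanned REPORT: the "Objects scanned" count, or 0 when the line is missing.
objects_scanned() {
    n=$(printf '%s\n' "$1" | awk -F': *' '/^Objects scanned:/ { print $2; exit }')
    printf '%s\n' "${n:-0}"
}

# infected_files REPORT: the path at the start of each detection line (assumes paths without spaces).
infected_files() {
    printf '%s\n' "$1" | awk '/ Infection: / { print $1 }'
}

# report_verdict REPORT: print infected / incomplete / clean and return 2 / 1 / 0.
# A report is only "clean" if nothing was flagged, no read error occurred,
# at least one object was actually scanned, and the final summary line is present.
report_verdict() {
    report="$1"
    if [ -n "$(infected_files "$report")" ]; then
        echo infected; return 2
    fi
    if printf '%s\n' "$report" | grep -q '^Error on reading' \
       || [ "$(objects_scanned "$report")" -eq 0 ]; then
        echo incomplete; return 1
    fi
    if printf '%s\n' "$report" | grep -q '^No viruses'; then
        echo clean; return 0
    fi
    echo incomplete; return 1
}

# Demo: the slide's own report comes out "incomplete", not "clean".
for r in "$SLIDE_REPORT" "$OK_REPORT" "$HIT_REPORT"; do
    echo "verdict: $(report_verdict "$r")"
done
```

In practice you would call `report_verdict "$(cat /virus.txt)"` at the end of the inspection script and only unmount and reboot on a return code of 0; an "incomplete" verdict usually means a partition did not mount or was not passed to f-prot, and an "infected" verdict gives you the path list to act on.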

27
Wireshark
  • When you really want to know what your network is
    doing, you must climb in and look around!
  • Ideal for remote observation of insider threats

28
Wireshark
  • Wireshark (Formerly known as Ethereal) is an open
    source network protocol analyzer for Unix and
    Windows. It allows you to examine data from a
    live network or from a capture file on disk.
  • Decodes over 750 protocols
  • Download the program from
  • www.wireshark.org/download.html

29
Using Wireshark
  • After launching, select your interface

30
Using Wireshark
  • Click Start next to your interface to begin
    capturing traffic for analysis

31
Using Wireshark
  • Decoded datastreams look like this

32
Using Wireshark
  • What I've shown you today about Wireshark is just
    the tip of the iceberg.
  • Wireshark has the ability to filter to or from
    any host or protocol and also can decode files
    created by tcpdump or other Unix traffic capture
    utilities for forensic traffic analysis. It's
    very versatile!

33
Summary
  • I hope today I've called to your attention
    several tools that are very effective and cost
    only the time it takes to become familiar with
    them.
  • The tools I've discussed are under constant
    improvement, so be sure to carefully read the
    documentation to be sure you're using the most
    effective commands to complete a task.

34
Thank You
  • Thank You for taking the time to look at this
    presentation.
  • I hope you find the information helpful!
  • Phil Barker, Curry County Computer Services
  • BarkerP@co.curry.or.us
  • 541.247.3372
  • http://co.curry.or.us/compsvcs/oagitm.ppt