Open Source Security Tools : Open Source Security Tools Linux World / Network Toronto
Tutorial Part I
Agenda : Agenda Open Source and Security
Firewalls
Port Scanners
Network Sniffers
Vulnerability Assessment
Intrusion Detection Systems
Logging Analysis
Unix-like Windows Tools
Crypto Tools
Wireless Tools
Open Source Security Opportunities
Presenter : Presenter Tony Howlett
President of Network Security Services, Inc.
CISSP, GSNA
Author of “Open Source Security Tools”
17 years of experience building and managing networks
Pre-speech Caveats : Pre-speech Caveats Contains updates to material in book; a preview of 2nd edition
OS Requirements; Linux or BSD, Reference OS is Mandrake 10.1
Choice of Security apps are my favorites, yes there are others, these are MY favorites
Please hold questions till the end of the seminar
Security Tool Warnings : Security Tool Warnings DO NOT run these tools on any machines that don’t belong to you without WRITTEN permission
Be very careful when running them on production machines at work
Failure to abide by this could result in getting fired, legal action or losing your ISP connection.
Windoze Warning : Windoze Warning While most of it is Unix/Linux centric, I do present some Windoze tools
The number of open source Windows tools is still low but the number is increasing and some of them are quite good
It’s a Windows world out there, and we all have to live in it
Most are at the end, so hardcore Windows haters can leave then
Open Source and Security : Open Source and Security Just about every category of security application is available in open source
Many commercial security vendors use open source software as a base or engine
Many of the programs compare very favorably to expensive commercial programs
Example: Snort has been rated right up with commercial choices by critics and trade mags
Open Source and Security : Open Source and Security More Secure or Less Secure?
The world's most proprietary operating system is also the most exploited
Linux and Windows about even with number of exploits available
Best practices in fields like cryptography are to have open peer review
Bottom line; code being closed or open source doesn’t make programmers write secure code
Open Source Opportunities : Open Source Opportunities Cost Reduction within your company (be the budget hero)
Expansion/ addition to your existing tools
Education – a great way to learn
Development of new open source tools (www.sourceforge.net , www.freshmeat.net)
Career / Resume Enhancement
Run a Security consultancy with it (I do!)
Securing Operating Systems : Securing Operating Systems
The operating system is the base upon which you build all your other tools; if it's insecure, you are building on a foundation of sand
When building a security tool system, try to always start with a new OS installation
Then lock down and harden the system
Bastille Linux, an OS Hardening Tool : Bastille Linux, an OS Hardening Tool
Not an OS, but a set of scripts that automates the hardening process
Asks questions and performs actions based on the response
Can run from the command line or via a config file to run on multiple systems
Bastille Linux, an OS Hardening Tool : Bastille Linux, an OS Hardening Tool
Requirements:
Perl 5.5 or greater
Perl TK Module 8.0 or greater
Perl Curses Module 1.06 or greater
Packages available for Debian, Redhat and Mandrake
Also available for Mac OS-X, HP/UX and Solaris
Download from www.bastille-linux.org
Open Source Firewalls : Open Source Firewalls The Ole Standby: IPTables
Included with every Linux distribution with Kernel 2.4 and higher
Can run from command line or via scripts
Several public IPTables scripts available
Many commercial firewalls are merely Linux boxes running IPTables in fancy cases
Example: Watchguard Firebox
Do you have it? Type “iptables -L” at the command line to find out
OS Firewall Alternatives : OS Firewall Alternatives Ipchains
Turtle Firewall
Smoothwall
IPChains : IPChains Available in Linux distributions with Kernel 2.2-2.3
Similar to IPTables with a little less functionality
Before Kernel 2.3, IPFW was the firewall program
Turtle Firewall : Turtle Firewall Web-based interface to IPTables
Makes IPTables much easier to navigate
Seeing mistakes in rules is easier
Uses the Webmin Linux Administration Interface.
Turtle Firewall : Turtle Firewall
Turtle Firewall : Turtle Firewall
Requirements:
Kernel 2.4 or higher
Iptables
Webmin Interface (www.webmin.org)
Perl with Expat Library
Get Turtle Firewall at www.turtlefirewall.com
Free for download, ~$100 for a supported version
SmoothWall Express : SmoothWall Express
A turn-key firewall
Supports NAT, DHCP, SSH Admin, VPNs and a lot more
Requires a dedicated system to run on; wipes the hard drive and installs its own OS (Linux of course!)
Express version is free, commercial version available with more features
Get it at www.smoothwall.org
SmoothWall Express : SmoothWall Express
Port Scanners : Port Scanners
Port scanners determine the state of the TCP/UDP network ports on a system
Very useful from a network security standpoint
Nmap is the most fully featured scanner out there, bar none.
Uses for Port Scanners : Uses for Port Scanners
Determine the number of machines that answer on the network (Ping Sweep)
OS Identification (TCP Fingerprinting)
Identify unnecessary or rogue services running on machines
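The last use above, spotting rogue services, is mostly a comparison job once the scan is done. The following script is an added example (not from the slides or from the Nmap project): it parses Nmap's grepable output format (what `-oG` writes, one tab-separated `Host:` line per machine) and reports any open port that a baseline does not account for. The scan output, host names and baseline are constructed for the example.

```python
"""Compare Nmap grepable (-oG) output against a port baseline to spot rogue services."""
import re

# Constructed sample of `nmap -sS -oG -` output; these hosts and services are not real scan results.
SAMPLE_GNMAP = """# Nmap 4.11 scan initiated as: nmap -sS -oG - 192.168.1.0/29
Host: 192.168.1.10 (web.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache/, 3306/open/tcp//mysql//MySQL/\tIgnored State: closed (997)
Host: 192.168.1.11 (mail.example.internal)\tPorts: 25/open/tcp//smtp//Postfix/, 143/closed/tcp//imap///\tIgnored State: filtered (998)
Host: 192.168.1.12 ()\tPorts: 6667/open/tcp//irc///\tIgnored State: closed (999)
# Nmap done: 3 IP addresses (3 hosts up)
"""

# Constructed baseline: the (protocol, port) pairs each known host is expected to expose.
BASELINE = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80)},
    "192.168.1.11": {("tcp", 25), ("tcp", 143)},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: [(proto, port, state, service), ...]} for every Host: line in -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # comment and blank lines
        fields = line.split("\t")           # -oG separates Host / Ports / Ignored State with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Each entry is port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                ports.append((proto, int(port), state, service))
    return hosts


def find_rogue_services(text, baseline):
    """List open ports the baseline does not account for.

    Returns (ip, proto, port, service, reason) tuples. A host missing from the
    baseline is reported too: an unknown answering machine is exactly what the
    ping sweep is meant to surface."""
    findings = []
    for ip, ports in parse_gnmap(text).items():
        allowed = baseline.get(ip)
        for proto, port, state, service in ports:
            if state != "open":
                continue
            if allowed is None:
                findings.append((ip, proto, port, service, "host not in baseline"))
            elif (proto, port) not in allowed:
                findings.append((ip, proto, port, service, "port not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in find_rogue_services(SAMPLE_GNMAP, BASELINE):
        print("ROGUE %s %s/%d (%s): %s" % finding)
```

Run against the constructed sample it flags the MySQL listener on the web host and every open port on the host the baseline never heard of; keeping the baseline under version control turns a periodic scan of your own network into a simple diff.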
Nmap : Nmap
Powerful lightweight port scanner
Runs on Unix or Windows
Command Line or GUI
Easy to run but also deep in functionality
Nmap Requirements : Nmap Requirements
Nmap Requirements:
LibPcap libraries (www.tcpdump.org)
Download Nmap from www.insecure.org (a great security information site too!)
Nmap Demo : Nmap Demo
Vulnerability Scanners : Vulnerability Scanners
These programs take port scanning a bit further and try to run exploits against open ports
These scripts replicate the actions of hackers or other malware such as viruses or worms
Can be very useful to show how good your defenses are
Can be run in “safe mode” which means holes aren't exploited if found.
This results in a higher false positive rate, however
Nessus-NOT! : Nessus-NOT!
Was one of the better open source security programs available
Uses Nmap and other popular programs as modules
Utilizes a “plug-in” architecture for each security test so latest exploits can easily be added
Now closed source by the author's commercial company
Alternatives to Nessus : Alternatives to Nessus
Several of the major contributors “forked” the open source version of Nessus to form new Open Source VAS projects
OpenVAS
http://www.openvas.org
ATK
http://www.computec.ch/projekte/atk/
Porz-Wahn
http://developer.berlios.de/projects/porz-wahn/
Benefits of OpenVAS and other Nessus Forks : Benefits of OpenVAS and other Nessus Forks
Client-Server architecture. Supports multiple platforms for clients (Linux, Windows, Web-based, Java)
Has a built in scripting language (NASL) for writing custom security tests
Well documented and supported from legacy
Best of all, absolutely FREE!
OpenVAS Requirements : OpenVAS Requirements
LibPcap Libraries (www.tcpdump.org)
GIMP Toolkit (GTK) ftp.gimp.org/pub/gtk/v1.2
Nmap (if you want to use it as your port scanner)
OpenSSL (if you want to connect securely www.openssl.org)
OpenVAS Demo : OpenVAS Demo
Netscan Command Console (NCC) : Netscan Command Console (NCC) A web based interface and database backend for managing multiple .nsr-based vulnerability scans
Allows for scheduling of future scans, recurrence and storing of results in a database
Web based analysis tool for results
Multi-user, multi group (good for consultants)
Version 2.0 coming out in June (sneak preview today!)
Co-written by yours truly
Netscan Command Console (NCC) : Netscan Command Console (NCC) Written using Perl and PHP
Based on the LAMP platform (Linux, Apache, MySQL and PHP; Perl too!)
Backwards compatible with OS Nessus
Requirements:
MySQL: Version 3.23.52 or higher
PHP: Version 4.3.2 or higher
Perl: Version 5.8 or higher
OpenVAS/Nessus: Version 2.0.7 or higher
Apache: Version 2.0.47 or higher
Get it at www.netsecuritysvcs.com/ncc
NCC Demo : NCC Demo
Network Sniffers : Network Sniffers These programs grab data packets off the network for examination/analysis
Highly useful for any number of tasks including but not limited to security
Commercial sniffers can run into the tens of thousands of dollars
Ethereal : Ethereal A free open source Ethernet sniffer with many features
Graphic Interface
Also, works with other programs (both as a slave program and to produce files for use/analysis in 3rd party programs)
Ethereal : Ethereal Requirements
LibPcap Libraries
Network card capable of working in promiscuous mode
Download at www.ethereal.org
Ethereal Demo : Ethereal Demo
Intrusion Detection Systems : Intrusion Detection Systems Programs that look for anomalous behavior on a system and alert operators
Some systems provide for additional analysis / reporting capability
This is CRUCIAL to the usability of the system
A vital backup to your firewall and perimeter defenses.
A strong defense against internal attacks which firewalls can’t detect or stop
IDS Vs. IPS : IDS Vs. IPS What is the difference between IPS (Intrusion Prevention System) and IDS?
Answer: Marketing mostly!
Some combine a firewall with IDS to take action on alerts such as blocking ports, etc.
WARNING: these features can cause your network to be DoS'd inadvertently
Host IDS Vs. Network based : Host IDS Vs. Network based A host based IDS (Tripwire) looks for changes/anomalous activity on a single host such as file modifications, etc.
A network based IDS (NIDS) looks for suspicious behavior on a network wire.
Network-based will pick up activities on all boxes that enter from the network but may miss activity that doesn't match signatures or comes from a different source. For example, brute force attempts on a login or floppy-based trojans
Host-based can pick up things NIDS can’t (changes to files by a legal user, etc) but must be loaded on every box.
Some systems may warrant both.
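The host-based side, "changes to files", comes down to keeping a signed baseline of hashes and attributes and diffing against it, which is what Tripwire does. The script below is an added example, not Tripwire's code or anything from the slides: it snapshots a directory tree, then reports files that were added, removed, changed in content, or changed only in permissions. The directory contents and the changes made to them are constructed for the demonstration.

```python
"""Tripwire-style file integrity check: snapshot a directory, then report what changed."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file's relative path to (sha256, size, mode) under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: never follow symlinks into other trees
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            baseline[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [(path, what), ...]}.

    'what' distinguishes a content change (hash differs) from a permissions-only
    change, since the latter is easy to miss if you only look at hashes."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        if old == new:
            continue
        what = "content" if old[0] != new[0] else "permissions"
        report["modified"].append((path, what))
    return report


def demo():
    """Constructed scenario: baseline a fake /etc, apply four kinds of change, diff."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "ssh"))
    for rel, body in [("passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                      ("hosts", b"127.0.0.1 localhost\n"),
                      ("ssh/sshd_config", b"PermitRootLogin no\n")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, rel), 0o644)     # fixed mode so the baseline is umask-independent
    baseline = snapshot(root)

    # The changes a HIDS should notice: content edit, mode change, new file, deleted file
    with open(os.path.join(root, "passwd"), "ab") as fh:
        fh.write(b"backdoor:x:0:0::/:/bin/sh\n")
    os.chmod(os.path.join(root, "hosts"), 0o666)
    os.mkdir(os.path.join(root, "cron.d"))
    with open(os.path.join(root, "cron.d", "job"), "wb") as fh:
        fh.write(b"* * * * * root /tmp/x\n")
    os.remove(os.path.join(root, "ssh", "sshd_config"))
    return compare(baseline, snapshot(root))
```

The baseline is only as trustworthy as its storage: keep it (and the checker) on read-only or off-host media, because a HIDS whose baseline can be rewritten by the same account that alters the files detects nothing.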
Network Intrusion Detection Systems : Network Intrusion Detection Systems NIDS systems are complicated sniffers that check all data packets on the network against a database of signatures
Some IDS systems also do anomalous activity detection and Intrusion Prevention (taking action on the results)
Snort : Snort A powerful, lightweight open source NIDS
Large default rule set (several thousand)
Highly customizable and configurable
Offers a scripting language to write custom rules to match your network
Works on Linux/BSD/Windows
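To show what "checking packets against a database of signatures" and "a scripting language to write custom rules" look like in practice, here is an added example (not Snort's code and not from the slides): a toy matcher that reads rules written in Snort's actual rule syntax (header plus `msg`, `content`, `nocase`, `sid` options), resolves `$HOME_NET` the way snort.conf variables work, and runs constructed packets through them. The rules, the `$HOME_NET` value and the packets are all constructed; real Snort supports far more options and does stream reassembly, which this example does not.

```python
"""A toy signature matcher that reads rules in Snort's syntax and checks constructed packets."""
import ipaddress
import re

# Rule variables as they would be set in snort.conf; value constructed for this example.
VARS = {"$HOME_NET": "192.168.1.0/24"}

# Two constructed rules in Snort's rule syntax (sids in the local 1000000+ range).
RULES = """
# Web request for the password file, matched case-insensitively
alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)
# SSH client banner arriving from outside the home network
alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"SSH client banner from outside"; content:"SSH-"; sid:1000002; rev:1;)
"""

# Constructed packets; payload is the TCP data as bytes.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /cgi-bin/../../ETC/PASSWD HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 50000, "dst": "192.168.1.10", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_3.9\r\n"},
    {"proto": "tcp", "src": "203.0.113.8", "sport": 50001, "dst": "192.168.1.10", "dport": 22,
     "payload": b"SSH-2.0-PuTTY_Release_0.58\r\n"},
]

HEADER_RE = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*(?:"([^"]*)"|([^;]+)))?\s*;')


def parse_rule(line):
    """Split a rule into header fields and an options dict (flag options such as nocase map to True)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for name, quoted, bare in OPTION_RE.findall(opts):
        options[name] = quoted or bare.strip() or True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def addr_matches(spec, ip):
    """Handle 'any', $VAR references, CIDR networks and a leading '!' negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    spec = VARS.get(spec, spec)
    if spec == "any":
        return not negate
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)) != negate


def port_matches(spec, port):
    """Handle 'any', a single port, or a lo:hi range with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    if content:
        hay, needle = pkt["payload"], content.encode()
        if rule["options"].get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_sensor(rules_text, packets):
    """Return (sid, msg, src, dst) for every alert rule that fires on a packet."""
    rules = load_rules(rules_text)
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((rule["options"]["sid"], rule["options"]["msg"], pkt["src"], pkt["dst"]))
    return alerts
```

The second rule is the kind of site-specific tuning the slide means by writing rules "to match your network": the same SSH banner from an inside address is normal and stays quiet, while from outside it is worth an alert. The `nocase` flag on the first rule is why the upper-cased request still fires.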
Snort Requirements : Snort Requirements Software requirements
LibPcap Libraries
Linux Kernel 2.4 or greater
Hardware requirements
Network card capable of working in promiscuous mode
Intel 500 MHz processor or greater (it works on less)
128MB of ram
Command line interface only
Download at www.snort.org
Get the Pig : Get the Pig Download tar file from www.snort.org
Most current version 2.4.4
Decide if you want to register as a user
Sourcefire (owner of Snort) subscribers get real-time feeds (cost: approx $1700/year)
Registered users (no cost) get 5 day delayed Verified rules feed
Non-registered users get static rule set with installation
GPL feed available for those that don’t want to use the Verified rule set.
Useful Snort Add-on Tools : Useful Snort Add-on Tools Webmin Snort Module
BASE/ACID
Webmin Snort Module : Webmin Snort Module Module for popular Webmin administration program
Benefits: easy rule set and conf file management
Downside: have to run Webmin and web server on Snort box
Download at www.webmin.com
Webmin Snort Demo : Webmin Snort Demo
Basic Analysis and Security Engine (BASE) : Basic Analysis and Security Engine (BASE) Formerly Analysis Console for Intrusion Detection (ACID)
Web front end and database interface for Snort
This program allows you to really tap into the power of Snort
Imports alerts into a database and allows viewing through a web-based interface
This allows analysis of your Snort data and helps with tuning your Snort sensors
BASE Requirements : BASE Requirements MySQL, PostgreSQL or Oracle database
PHP-enabled web server
One or more snort sensors to gather data from
Important: You must build your Snort boxes with the “--with-mysql” or appropriate parameter and edit the snort.conf files correctly.
Download BASE from: http://secureideas.sourceforge.net/
BASE Demo : BASE Demo
Crypto Security : Crypto Security
GPG (GNU PGP) Unix
Cain and Abel (Windows)
OS version of Windows PGP no longer available (volunteers anyone?)
GnuPG : GnuPG
The GNU Privacy Guard (get it?)
The GNU implementation of the OpenPGP standard
Versions available for Unix/Windows/Mac OS
Command line interface only
Get it www.gnupg.org
Cain and Abel : Cain and Abel
Password and Credential recovery tool for Windows (read between the lines)
Not revolutionary but evolutionary; contains many tools in one simple, easy to use package.
One very scary tool…
Cain and Abel : Cain and Abel
Integrates the following features in an easy to use GUI
Network sniffer (wireless too!)
Password cracking for just about every OS and platform
ARP cache poisoning tool (to circumvent switches)
Remote control agent
And More!
Support for Rainbow Tables, the latest innovation in password cracking
Download it at http://www.oxid.it/cain.html
Cain and Abel Platforms Cracked : Cain and Abel Platforms Cracked
Windows NT Hashes
Windows Protected Storage
Windows Credential Manager
Windows LSA Secrets
Windows Remote Desktop
MS Access
MS SQL Server
Base 64
Cisco Type 7
Cisco VPN
VNC
RSA SecurID
Oracle
Cain and Abel Demo : Cain and Abel Demo
Sorry no Cain and Abel demo… I don’t want to embarrass anyone or go to jail
At a recent hacker convention, I saw this tool used to reveal the password of attendees including some federal agents and a professor of a major university
Moral of this story: don't use wireless networks at conventions, especially hacker conventions!
Wireless Security : Wireless Security Kismet Wireless (Unix/Linux/BSD)
Palm version available
Netstumbler (Windows)
Stumbverter (Windows)
One of the few areas where Windows Tools meet or surpass Unix tools in quality
Kismet Wireless : Kismet Wireless Curses based wireless exploration program
Can interface with wireless cracking programs like WEPcrack
Requirements:
Wireless network card that supports rfmon
GPSD (GPS monitoring daemon)
Expat libraries
Download it at:
http://www.kismetwireless.net/
NetStumbler : NetStumbler Not purely Open Source, but Freeware License
Available at www.netstumbler.com along with lots of other good wireless resources
Gives lots of useful information (signal strengths, type of equipment, AP settings, GPS data)
Requirements:
Windows 2000 or later
Prism2, Hermes or Atmel chip-based Wi-Fi card
Optional external antenna for better results
Optional GPS receiver for map data
Stumbverter : Stumbverter Open Source add-on to Netstumbler; also works with Kismet files
Converts your Netstumbler files captured with GPS data into MS MapPoint
Makes a nice graphical representation of the APs in your area
Good for finding areas of signal interference, channel choices
Surveying for rogue access points
Requirements:
Netstumbler
GPS sensor with PC interface
Licensed version of MS MapPoint 2004 or later
Get it at http://www.sonar-security.com/sv.html
Netstumbler/Stumbverter Demo : Netstumbler/Stumbverter Demo
Email Security : Email Security
Anti spam (SpamAssassin)
Anti virus (ClamAV)
Blackhole Lists (RBLs)
AntiSpam Tools : AntiSpam Tools
SpamAssassin
Perl based Spam filter
Works with Sendmail/Postfix
Filters spam based on signature matching, location, attributes (future dates, internal addresses) or Bayesian logic.
Part of many commercial anti-spam Solutions
Get it at http://spamassassin.apache.org/
ClamAV : ClamAV Open Source Anti-virus Toolkit project
Works at the mail server rather than on desktops
Upsides:
Takes processing job off of the desktops
Free!
Downsides
Mainly for Email Attachment scanning;
Doesn’t catch Viruses on CDs or downloaded via other means (web)
Best used as additional protection, not as the sole protection
Download at: http://www.clamav.net/
Blackhole Lists : Blackhole Lists
Not software per se, but collaborative lists of known spamming addresses
Most mail servers will work automatically with these lists
Some charge for subscriptions, some are free
SpamHaus sbl.spamhaus.org
MAPS Spam Relay List relays.mail-abuse.org
Arbitrary Black Hole List spammers.v6net.org
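"Most mail servers will work automatically with these lists" because the lookup is plain DNS: reverse the octets of the sending IP, append the list's zone name, and ask for an A record; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The script below is an added example (not from the slides or from any list operator) showing that mechanism with a fake resolver so it runs offline. The answers in FAKE_DNS are constructed, and which of the named zones are still in operation is not something this example checks.

```python
"""Look a sending IP up in DNS-based blackhole lists, with an injectable resolver so it runs offline."""
import ipaddress

# Zones named on the slide; whether each is still operated is outside this example.
ZONES = ["sbl.spamhaus.org", "relays.mail-abuse.org"]

# Constructed answers standing in for real DNS. 127.0.0.x is how DNSBLs encode "listed".
FAKE_DNS = {
    "7.113.0.203.sbl.spamhaus.org": "127.0.0.2",
    "7.113.0.203.relays.mail-abuse.org": "127.0.0.2",
    "9.113.0.203.relays.mail-abuse.org": "10.20.30.40",   # a dead or hijacked zone answering nonsense
}


def dnsbl_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the zone, e.g. 7.113.0.203.sbl.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve_a(name):
    """Stand-in for an A-record lookup: the address string, or None for NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name)


def check_sender(ip, zones=ZONES, resolve=fake_resolve_a):
    """Return the (zone, answer) pairs that list ip, ignoring answers outside 127.0.0.0/8."""
    listed = []
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue
        # Real listings come back as 127.0.0.x. Anything else means the zone is dead or
        # misbehaving; counting it as a hit would make the MTA reject everyone's mail.
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            listed.append((zone, answer))
    return listed


def smtp_policy(ip, min_hits=1, **lookup):
    """What the MTA should do with a connection from ip: 'reject' on enough hits, else 'accept'."""
    return "reject" if len(check_sender(ip, **lookup)) >= min_hits else "accept"
```

Requiring hits on more than one list (`min_hits`) is the usual compromise between catching relays early and not bouncing legitimate mail because a single list had a bad day.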
Forensic Security : Forensic Security UNIX DD Command
The Sleuth Kit
Autopsy Forensic Browser
The Forensic Toolkit (Windows)
Unix DD Command : Unix DD Command Useful for making exact copies of evidence after an attack
Available on almost all Unix Systems
Be careful with this command, you can also destroy data
Make sure you follow proper forensic data collection techniques or you may make evidence unusable in court
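What makes a dd copy usable as evidence is that it is a bit-for-bit image of a device you only ever read from, that it stays aligned with the source even where sectors cannot be read, and that you hash both ends and record the result. The script below is an added example (not from the slides, and not the dd program): it images a constructed "device" the way `dd conv=noerror,sync` would, replacing an unreadable block with zeros so later offsets still line up, and returns the hashes and the list of bad blocks for the case log. The evidence file, its contents and the simulated bad sector are constructed.

```python
"""Image a constructed evidence file block by block, zero-filling unreadable blocks, and hash both ends."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # one sector


class FaultyDevice:
    """Read-only, sequential view of a file that raises OSError for the listed block numbers.

    A stand-in for a disk with bad sectors, constructed for this example."""

    def __init__(self, path, bad_blocks=()):
        self.fh = open(path, "rb")
        self.bad_blocks = set(bad_blocks)
        self.next_block = 0

    def read_block(self, size):
        data = self.fh.read(size)        # position advances even on a bad block, as on a disk
        block = self.next_block
        self.next_block += 1
        if block in self.bad_blocks and data:
            raise OSError("I/O error reading block %d" % block)
        return data

    def close(self):
        self.fh.close()


def image_device(device, out_path, block_size=BLOCK_SIZE):
    """Copy every block of device into out_path the way `dd conv=noerror,sync` does.

    An unreadable block is written as block_size zero bytes so that every later
    offset in the image still matches the source; the bad block numbers are
    returned so the examiner can note them in the case log."""
    digest = hashlib.sha256()
    copied, bad, block = 0, [], 0
    with open(out_path, "wb") as out:
        while True:
            try:
                chunk = device.read_block(block_size)
            except OSError:
                bad.append(block)
                chunk = b"\x00" * block_size
            if not chunk:
                break                    # end of device
            out.write(chunk)
            digest.update(chunk)
            copied += len(chunk)
            block += 1
    return {"bytes": copied, "sha256": digest.hexdigest(), "bad_blocks": bad}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo(bad_blocks=()):
    """Build a 4-block constructed 'disk', image it, and return both hashes for comparison."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.dev")
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as fh:
        for i in range(4):
            fh.write(bytes([ord("A") + i]) * BLOCK_SIZE)   # blocks of 'A', 'B', 'C', 'D'
    source_hash = sha256_file(source)          # hash the evidence before anything else touches it
    device = FaultyDevice(source, bad_blocks)
    report = image_device(device, image)
    device.close()
    with open(image, "rb") as fh:
        image_bytes = fh.read()
    return {"source_sha256": source_hash, "report": report,
            "image_sha256": sha256_file(image), "image_bytes": image_bytes}
```

With no bad blocks the source hash, the hash computed while imaging and the hash of the finished image all agree, which is the record you want in the chain-of-custody notes. With a bad block the image hash necessarily differs from the source, and the bad block list is what explains the difference; on real hardware you would also be reading through a write blocker, since, as the slide says, the same command pointed the wrong way destroys the evidence.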
SleuthKit/Autopsy Forensic Browser : SleuthKit/Autopsy Forensic Browser A Unix/Linux/BSD data collection and analysis program
Allows for multiple case file
Allows for viewing of different file types
Browser interface (AFB)
Get it at: http://www.sleuthkit.org/
SleuthKit/AFB Demo : SleuthKit/AFB Demo
The Forensic ToolKit : The Forensic ToolKit A collection of free tools made available by AtStake
Not open source but freeware (be careful of license restrictions on commercial use)
Useful for Windows systems analysis without modifying file access traits (time, etc) plus info not available through built in OS tools
Afind shows files by access time
Hfind shows windows hidden files
Sfind shows hidden data streams on
Filestat shows all attributes of files
Hunt uses a null session to generate info on a Windows host
Download at: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/forensics.htm
Forensic ToolKit Demo : Forensic ToolKit Demo
Windows Tools for UNIX/Linux like features : Windows Tools for UNIX/Linux like features Windows is notoriously lacking in built-in command line / network diagnostic tools
Example: whois, SSH, etc
There are open source tools to add these and more to your Windows system:
PuTTY (SSH Client for Windows)
Sam Spade (whois,graphical traceroute, finger, IPBlock, Spam Blackhole list, etc)
Everest
PuTTY : PuTTY Windows SSH/Telnet/Secure Telnet client
Great for saving terminal session logs too
Get it at http://www.chiark.greenend.org.uk/~sgtatham/putty/
PuTTY Demo : PuTTY Demo
Sam Spade : Sam Spade Just like the fictional detective, great at finding things out and tracking down bad guys
Offers Windows based whois, graphical trace route, finger
Can find the owner of IPs (IPBlock)
Can find the abuse contact and file a complaint
Find out if your mail server is on a blackhole list
Get it at www.samspade.org/ssw
Sam Spade Demo : Sam Spade Demo
Open Source Software Needs : Open Source Software Needs Opportunities to contribute and gain experience and reputation
Better Windows Tools!
Encryption
Windows VAS
Windows Snort tools
OpenVAS project or side projects (like NCC!)
Better Unix wireless tools
REPEAT Security Tool Warnings : REPEAT Security Tool Warnings DO NOT run these tools on any machines that don’t belong to you without WRITTEN permission
Be very careful when running them on production machines at work
Failure to abide by this could result in getting fired, legal action or losing your ISP connection.
Questions / Comments? : Questions / Comments? Email me at thowlett@netsecuritysvcs.com
Most of the tools mentioned and more can be found in my book “Open Source Security Tools”, available from your bookseller or online