Popular tools such as Nmap, Netcat, and Whisker are covered later in the book according to their functions. They are among the cream of the crop of UNIX-based security tools, and we are almost certain to use them on any penetration-testing exercise.
UNIX-based tools are generally scripts or executable code that can be run to accomplish a specific purpose, such as to gain information on the network or to execute a specific attack. There are commercial tools among this collection, but a majority of these are developed in the underground, and the source code is often available as open source, freeware, or shareware in one or more online repositories of security (hacking) tools. These tools can be specific to a single UNIX flavor or may work on a large collection. However, it is not likely that a tool will work on all variants (at least not the latest versions and patch levels). To discuss all such tools here would be prohibitive. We try to present those that we have found useful in our experience.
One popular class of such tools includes those dedicated to decrypting UNIX passwords. An obvious goal of hacking a box is to grab all its passwords. This can allow a hacker to gain access to that machine again in the future as well as to compromise other machines in the connected networks since users often reuse their passwords. We cover several UNIX password-cracking tools in Chapter 15.
URL: www.packetstormsecurity.org
Description: Datapipe.c is a port redirector that can allow you to bypass port filtering rules at routers and firewalls. It works by establishing a pipe from a local port to a port on a remote machine. For example, if a datapipe exists between HostA:5000 and HostB:79, finger commands against HostB can be made to HostA on port 5000. Datapipes can be strung together and used in conjunction with Netcat to quite effectively bypass port-blocking mechanisms on the target network.
Usage: Once compiled, the command to use datapipe is the following:
# ./datapipe <local port> <remote port> <remote host>
There are additional scripts, such as crackpipe.c, that attempt to bypass port-filtering routers and firewalls.
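From the defender's side, a fixed redirector like datapipe leaves a recognizable trace in connection logs: every inbound connection to the relay port is followed almost immediately by an outbound connection from the relay host to the same remote service. The following is an added example (not from the book) that correlates constructed flow records to surface that pairing; the log format and addresses are assumptions.

```python
"""Detect datapipe-style relays in connection logs. Added example, not from the
book. Assumes constructed records:  <epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
A fixed redirector accepts a connection on one port and, within moments, opens
its own connection to the same remote service every time."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 (HostA) relays port 5000 to 10.0.0.9:79 (HostB finger)
SAMPLE_LOG = """\
1000 192.168.1.20:40001 -> 10.0.0.5:5000
1000 10.0.0.5:51000 -> 10.0.0.9:79
1007 192.168.1.20:40002 -> 10.0.0.5:22
1030 192.168.1.21:40003 -> 10.0.0.5:5000
1031 10.0.0.5:51001 -> 10.0.0.9:79
1100 192.168.1.22:40004 -> 10.0.0.5:5000
1100 10.0.0.5:51002 -> 10.0.0.9:79
1200 10.0.0.5:51003 -> 10.0.0.7:25
"""

def parse(log):
    """Return [(ts, src_ip, src_port, dst_ip, dst_port)]."""
    flows = []
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((int(ts), sip, int(sport), dip, int(dport)))
    return flows

def find_relays(flows, window=2, min_hits=2):
    """Map (relay_ip, in_port, out_ip, out_port) -> number of times an inbound
    connection to relay_ip:in_port was followed within `window` seconds by an
    outbound connection from relay_ip to out_ip:out_port (not back to the client).
    Only pairings seen at least min_hits times are reported."""
    hits = defaultdict(int)
    for ts, sip, _, dip, dport in flows:               # candidate inbound leg
        for ts2, sip2, _, dip2, dport2 in flows:        # candidate outbound leg
            if sip2 == dip and dip2 != sip and 0 <= ts2 - ts <= window:
                hits[(dip, dport, dip2, dport2)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

if __name__ == "__main__":
    for (relay, inport, out, outport), n in find_relays(parse(SAMPLE_LOG)).items():
        print(f"{relay}:{inport} -> {out}:{outport}  seen {n}x")
```

A single coincidence is noise; the repeated, identical pairing from one host is what distinguishes a redirector from ordinary traffic, so tune `window` and `min_hits` to the log source.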
URL: www.packetstormsecurity.org
Description: QueSO is one of the original tools designed to perform OS identification. Since Nmap began to incorporate this functionality, the use of QueSO has decreased significantly. We mention it because we have still found that, as of this writing, QueSO can have better success at identifying certain flavors of BSD than Nmap. Also, this tool is still used to perform OS identification in the Cheops tool (discussed next).
Usage: The command to use QueSO is:
# ./queso <target:port>
The target port does not have to be specified. The following options are available with QueSO:
-v— displays the version
-d— debug mode, print received packets
-w— update quest.conf when new OS is found
-f srcIP— select correct In/Out IP
-c file— alternate configuration file
-t seconds— set reception timeout (default = 3)
-n times— how many times packets are sent (default = 1)
We have not found that any of these options are truly necessary. However, you may want to transmit packets multiple times.
URL: www.marko.net/cheops
Description: Cheops is a GUI-based network-mapping tool that is quite useful in developing a visual layout of the target network. We prefer to develop network maps of our targets to provide a visual picture of the network topology so we can understand the path traffic follows from the source machine through the Internet and on to the target hosts. In addition, it is beneficial to have a network map to present to organizations since companies often want to compare it to their own maps of the network.
Usage: The command to bring up the Cheops GUI is simply:
# ./cheops
On launching the program, the user is given the option to map the current network. It is a good idea to select this option so that the network path from your present location to the target domain can be traced out. However, this is not a necessary step. You can directly map the client's network by selecting the Add Network option from the Viewspace tab on the pull-down menu. A window will appear in which the network and the subnet mask (as shown in Figure 9-1) can be identified.

Cheops uses icons to represent individual hosts identified and detected on the target network. For example, a red devil is used to depict the BSD operating system. Figure 9-2 illustrates the use of a penguin for a Linux box.

Cheops can present additional information on the individual host: running the cursor over the item shows the host's name (if found), IP address, and OS. As mentioned, QueSO is used to perform the OS detection.
In addition, right-clicking on an icon makes available additional tools, including Traceroute, Ping, Scan, and Monitoring functions, as shown in Figure 9-3. The Traceroute and Ping options run their respective UNIX command line tools. The Scan option performs a rudimentary scan of the hosts. The results are shown in Figure 9-4. The Detect option presents the window that is shown when the left mouse button is clicked. The Monitoring option allows the user to monitor the host for Web, mail, FTP, and other servers.


A reverse DNS option is also available under the Viewspace tab. This process reveals the host name of identified hosts.
In our use, we mainly employ Cheops for its mapping functions, although having additional functionality, such as OS detection, is very helpful. Other tools in our tool kit are used for additional functionality, such as Nmap for port scanning and VisualRoute for a traceroute.
URL: ftp://ftp.cs.vu.nl/pub/leendert
Description: The nfsshell tool is essentially a client that can access NFS servers over either TCP or UDP. This tool is helpful in testing and verifying the existence of potential exposures in NFS servers. The source code is available as freeware and has been tested on several UNIX variants, including AIX, DEC, SunOS, and Linux (including Red Hat 5).
Usage: nfsshell is a straightforward, easy-to-use command line tool with numerous options that works much like an FTP client. It allows remote connection to an NFS server in much the same way an FTP client remotely connects to an FTP server. The following command allows you to access the client:
# nfs
At this point, the prompt should change to the following:
nfs>
From here, the help command brings up a list of available commands, many of which will be familiar, including the cd, uid, get, and put commands that allow a user to change the directory, change the user ID, get a file from the remote host, and put a file onto the remote host, respectively. The complete list, taken from the help documentation, follows.
host <host>—set remote host name
uid [<uid> [<secret-key>]]—set remote user ID
gid [<gid>]—set remote group ID
cd [<path>]—change remote working directory
lcd [<path>]—change local working directory
cat <filespec>—display remote file
ls [-l] <filespec>—list remote directory
get <filespec>—get remote files
df—file system information
rm <file>—delete remote file
ln <file1> <file2>—link file
mv <file1> <file2>—move file
mkdir <dir>—make remote directory
rmdir <dir>—remove remote directory
chmod <mode> <file>—change mode
chown <uid>[.<gid>] <file>—change owner
put <local-file> [<remote-file>]—put file
mount [-upTU] [-P port] <path>—mount file system
umount—umount remote file system
umountall—umount all remote file systems
export—show all exported file systems
dump—show all remote mounted file systems
status—general status report
help—this help message
quit—it's all in the name
bye—good-bye
handle [<handle>]—get/set directory file handle
mknod <name> [b/c major minor] [p]—make device
More interesting commands include the host <hostname> command that initiates a connection to the specified target (using either its host name or IP address). The export command then lists the target's export list. These files or directories can be mounted with the mount command.
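The exposures nfsshell turns up on a server are, on the server side, visible in its export configuration: exports mountable from any host, exports that do not squash remote uid 0, and exports that accept unprivileged source ports. The following is an added example (not from the book) that parses a constructed /etc/exports and reports those conditions; the sample file and finding labels are assumptions.

```python
"""Audit an /etc/exports file for the exposures an NFS client such as nfsshell
probes for. Added example, not from the book; the exports file is constructed.
Findings are (path, client, reason) tuples."""
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/home       *(rw,no_root_squash)
/srv/pub    192.168.1.0/24(ro,root_squash,sync)
/srv/build  build01(rw,sync) build02(rw,no_root_squash)
/srv/wide   (rw)
/data       *.example.com(rw,insecure)
"""

# Either "client(opt,opt)" (empty client means everyone) or a bare client name.
CLIENT_RE = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Return [(path, client, options)]; client is '*' for an unrestricted entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if not rest:                              # no client list: everyone, default options
            entries.append((path, "*", set()))
            continue
        for m in CLIENT_RE.finditer(rest):
            if m.group(3):                        # bare client keeps the defaults (ro, root_squash)
                entries.append((path, m.group(3), set()))
            else:
                opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
                entries.append((path, m.group(1) or "*", opts))
    return entries

def audit(entries):
    findings = []
    for path, client, opts in entries:
        world = client == "*"
        if world:
            findings.append((path, client, "mountable from any host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote uid 0 is root here"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: unprivileged source ports accepted"))
        if world and "rw" in opts:
            findings.append((path, client, "writable from any host"))
    return findings
```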
URL: www.packetstormsecurity.org
Description: The XSCAN tool identifies insecure X servers on hosts within a target subnet. The tool has been tested on the Sun and Linux variants of the UNIX OS but has been known to work on other variants as well. Once a running X server is detected with weak access control, XSCAN begins to perform keystroke capture on the target and write the keystrokes to a file on the attacking machine.
Usage: The command to use XSCAN is:
# xscan target
where target can be the fully qualified name or IP address of an individual host or subnet. Multiple hosts or subnets can be scanned by separating the targets with spaces, as in the following command:
# xscan target1 target2
Further, individual hosts and subnets can be scanned simultaneously, as in the following command:
# xscan 10.10.10.5 10.20.30
When a subnet address is used, the final host portion of the address can be omitted.
Keystrokes are written to a file on the local machine and are identified by the host name to which they apply.