Using Open-Source Software to Audit Networks
Network security has received intense focus in recent years, and many Windows network administrators are tasked with assessing the security of their networks. An administrator is forced to decide whether to hire an outside company to perform the assessment or to purchase commercial software and perform the assessment internally—both options can be costly. While using open-source software can greatly reduce this cost, the majority of the software is only available for UNIX and its variants (AIX, Linux, etc.), which is a disadvantage for many administrators.
A common question of users new to the world of UNIX is, “Which version is best?” Each flavor has its advantages and disadvantages, but for those new to the UNIX world, it’s best to start with one that uses Red Hat Package Manager (RPM) to help simplify the installation and update of programs. RPMs started with Red Hat Linux, but have now been used as the basis for a number of different distributions (distros for short). A quick search of www.linux.org shows a list of 24 Linux distros for Intel-compatible systems derived from Red Hat that are currently maintained and available in English. These distros include Red Hat Enterprise Linux, Fedora Core and Mandrake Linux, among others. The steps here are based on Mandrake Linux 10.1 Official. However, much of this also will apply to other RPM-based distros.
Now that you’ve chosen a version, you must choose the hardware. A laptop or desktop can be used, depending on the need. In either case, it is highly recommended that the chosen distro supports the hardware. While unsupported hardware might work, supported hardware will simplify things greatly. After confirming hardware compatibility, it is time to prepare the drives. Sufficient drive space is very important, typically 20 GB to 30 GB of free space for the operating system and additional files.
One more step remains before starting the installation: the acquisition of the software. How this is done will depend on personal preferences. For some distros, a commercial package that includes the disks and some documentation can be purchased, either in a retail package or as a download from the Internet. Usually a free version also is available for download. However, to help encourage the continued development of the chosen distribution, it is highly recommended that the software be purchased. No matter how the software is obtained, all files should be on CD or DVD (if available) and ready for use.
The first disk should be bootable, so boot from that disk and simply follow the on-screen directions. In rare cases, additional parameters will need to be provided if problems arise. A quick search of Google or the vendor’s Web site will usually provide the necessary parameters.
With the RPM-based distros, the installation routine should be fairly straightforward. Each has its own options, so the exact choices vary, but it’s important to choose packages to install for all distros. In order to install most programs, the development option should be chosen so that the development tools will be installed. Also, create a “normal user” that will be the account used for most purposes. Just as on a Windows system, logging in as an administrator (“root” on most UNIX systems) can be a dangerous thing and should only be done when necessary.
There are two ways to gain root access when necessary. First, a number of the GUI-based utilities will prompt for the root password when started. Or, at the terminal prompt (command-line) the command su will temporarily provide root access. Simply typing su at the command prompt will prompt for the root password. After entering the proper password, the > in the prompt will change to a #, indicating root access. Remember, the command-line in Linux is case-sensitive.
Finally, if given the option to install a firewall, do not do so. While a firewall is normally a good thing, many security tools will not work correctly running through a firewall.
Now that Linux is installed, boot into the new installation by choosing one of the Linux options from the boot menu. The first step after booting is to update the installed packages. For Mandrake, urpmi is used to update the sources for the various packages. The Web site easyurpmi.zarb.org is great for help configuring these sources. Just follow the directions on the Web site to select and update the list of sources for downloading and installing new programs and updates.
Installing updates is the next step and is as simple as choosing “Update MandrakeLinux” from the menu. Follow the prompts until the main screen that says “Software Packages Update” appears. Choose all three types of updates—security updates, bugfix updates and normal updates—and click on the box labeled “All.” Click “OK” on any messages regarding dependencies, and then click on “Install.”
After installing the updates, the following packages need to be installed if they are not already: Bison, Flex, Libnet 18.104.22.168, libGTK+1.2 (searching for libgtk+ should find this and the next one), libGTK+2.0, libpcap and OpenSSL.
To install these packages, choose “Install Software” in the menu, enter each value in the search field and click on “Search.” On the list of applications that appears, simply check the box next to the application to be installed and search for the next application. Click on “OK” if prompted for any additional packages to install. After selecting all of the applications, click on the “Install” button. A progress bar shows the status of the installations. If any problems arise, repeat the steps above using a different source.
While most programs are available as pre-created RPM packages, there is one big disadvantage—the RPMs are not always up-to-date. For example, the most recent stable version of nmap available as an RPM is 3.55, while a newer, stable version, 3.81, is available as source. Downloading and compiling the programs ensures that the latest version available is installed.
The first program to install is nmap. Nmap is an excellent port scanner that can be downloaded from www.insecure.org. However, before doing this, any previous versions of nmap should be uninstalled. To do this, start “Remove Software” from the menu. The steps are the same as installing software above. Just use nmap in the search field and select it to remove it.
When downloading nmap, there are two types of files to choose from—either a .tar file compressed with gzip (file name ending in .tgz or .gz) or a .tar file compressed with bzip (file name ending in .bz2). Either will work fine. To uncompress a gzipped file, run the following command:
- tar -xvzf
(For a bzipped file, replace the z with a j.)
After uncompressing the file, a directory with the same name as the compressed file will be created under the current directory. Change to this directory (cd) and run the following commands as a normal user:
And then run su to gain root access and run the following:
- make install
Be sure to watch for any errors with each step. If the packages mentioned above are not installed, there likely will be errors regarding nmapfe. If this happens, just run the command make clean, install the missing package (in the case of nmapfe, this is likely libGTK+1.2) and run the commands again. Nmap has now been successfully installed.
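The steps above, gathered into one script as an added example (it is not from the article or from the nmap project): the tar flag is chosen from the file name, the unpacked directory name is derived from the archive name, and each step is checked so a failure stops the run instead of being missed. It assumes the source uses the usual ./configure and make steps, and that only the final install runs as root.

```shell
#!/bin/sh
# Added example: build a downloaded source tarball (e.g. nmap-3.81.tar.bz2)
# as a normal user and install it as root, checking every step.

# Map the archive suffix to the tar decompression flag: z for gzip, j for bzip2.
tar_flag() {
    case "$1" in
        *.tar.gz|*.tgz|*.gz) echo z ;;
        *.tar.bz2|*.bz2)     echo j ;;
        *) echo "unsupported archive: $1" >&2; return 1 ;;
    esac
}

# Directory the archive unpacks into: the file name without its compression suffix.
src_dir() {
    d=$(basename "$1")
    d=${d%.tar.gz}; d=${d%.tgz}; d=${d%.tar.bz2}; d=${d%.gz}; d=${d%.bz2}
    echo "$d"
}

# Unpack, configure and build without root; only 'make install' goes through su.
# A failed configure or make (for example the nmapfe error when libGTK+1.2 is
# missing) returns non-zero with a hint, so nothing half-built gets installed.
build_from_tarball() {
    archive=$1
    flag=$(tar_flag "$archive") || return 1
    tar "-xv${flag}f" "$archive" || { echo "extract failed" >&2; return 1; }
    cd "$(src_dir "$archive")" || return 1
    ./configure || { echo "configure failed: check the required packages" >&2; return 1; }
    make || { echo "make failed: run 'make clean', add the missing package, retry" >&2; return 1; }
    su -c 'make install'
}
```

Run it as the normal user with the archive name as the argument, e.g. build_from_tarball nmap-3.81.tar.bz2, and enter the root password only when su asks for it.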
There are a few options for running nmap. The first choice is to use the graphical interface or the command-line-only version. For those new to the program, the GUI is much simpler. For more details, consult the docs section of www.insecure.org. However, here are a few helpful tips to get started.
Before using nmap, it is important to note that only the root user can fully utilize the features of nmap. While a normal user c