Security Auditing with Linux Live CDs

If you've ever needed to do a little security auditing deep-dive into the state of your network, systems or applications, there is a way to get access to all the tools you could possibly need without installing a single piece of software. They're called Live CDs.

Did you ever want to see what was really happening on your networks and systems but thought to yourself "Ugh... I don't have the time to find and install lots of auditing tools..."? Well, if you've ever needed to do a little deep-dive into the state of your network, systems or applications, there is a way to get access to all the tools you could possibly need without installing a single piece of software. "Huh?!?!" I hear you say... "How could that actually be possible?"

Well, there's a really interesting class of Linux (and BSD and occasionally Windows) distributions out there that are collectively known as "Live CDs." Live CDs are OS distributions on a CD- or DVD-ROM that can be booted up on a desktop or laptop system in such a way that you can run a live copy of the OS and all the tools on the CD-ROM out of RAM instead of off the hard disk.

Live CDs are used for all sorts of things these days, principally as demos -- kind of a try-before-you-buy approach to software distribution. There are Live CDs for Linux desktop distributions like Ubuntu, for Arcade Games, Parallel Computing and Clusters and Grids, Scientific/Mathematical Computing, Bio-informatics... and of course, system security testing and auditing (there's a resource list at the end of this article that highlights some of the better known Auditing Live CDs).

The Tool

In this installment of The Right Tool for the Right Job, we'll take a look at a Linux Live CD for System Auditing. There are many, many Live CDs for security; it seems that everyone has a different idea of what tools people might need, or how a security tool set should look. The one we're going to look at is Backtrack, which is one of the better presented systems in terms of both its tool-set and its overall presentation.

Putting Live Auditing CDs to the Test

First, (some more) words to the wise:

NMap, covered in my last article, was another very powerful tool -- Linux Auditing Live CDs are hundreds of times more powerful, as they contain hundreds more tools. NMap was a system for scanning hosts for known vulnerabilities and open ports that might otherwise go unnoticed ... most of these Live CD Auditing/Security suites have the digital equivalent of lock-picks and system cracking tools on them; they are very useful for helping to secure your network. However, like NMap, Backtrack has even more powerful tools that can get you into a lot of hot water should they be used in an inappropriate way. (As they say, You Have Been Warned.)

More Tools Than You Can Shake A Stick At

Backtrack, like most Auditing Live CDs, comes with dozens and dozens of tools; the creators have tried to break the large selection of tools that Backtrack makes available into manageable chunks of functionality (this section uses the names that BackTrack uses, other Live CDs may use different terminology):

  • "Exploit Archives" - This includes links to databases/sites of listings of known exploits, vulnerabilities as well as links to patches
  • "Enumeration" - DNS and directory services type tools useful in examining what kinds of services a host or network is presenting on the network and using those services to acquire information.
  • "Scanners" - These are tools like NMap that help an auditor discover systems on a network, or probe a given host(or set of hosts) to find open ports or known vulnerabilities
  • "Password Crackers" - These are, literally, password cracking systems. These are used not to break in to systems but to see if users have password that are vulnerable to being broken into.
  • "Spoofing" - These are tools that allow the auditor's machine to masquerade are a number of different kinds of systems or services to see who well other network services or systems can code with a variety of security situations.
  • "Sniffers" - Sniffers comprise a wide variety of tools, from network analyzers like WireShark (formerly know as "Ethereal"), to protocol analyzers that look at high-level protocols like AOL Instant Messenger, IRC, and Jabber or even database transaction sniffers.
  • "Wireless Tools" - A collection of 802.11 wireless network scanners and other tools for monitoring, analyzing and testing WiFi networks
  • "BlueTooth" - A similar set of tools for examining BlueTooth networks and devices
  • "CISCO Tools" - A collection of tools for probing and connecting to CISCO Routers
  • "Database Tools" - A collection of tools that will allow you to analyze database connections and traffic for a number of common databases
  • "Forensic Tools" - A collection of tools that are very useful in systematically documenting data discovered during an audit; some of these tools save data into databases, others are systems that allow an investigator to make a pristine copy of a hard drive in order to secure a disk image for examination.

The Backtrack system also includes a large number of servers (i.e., web servers, etc) that can be run locally and other systems like "honey pot" tools that can be used to attract attackers on a network for the purpose of seeing what tools they are using to attack or survey your systems and networks.

Linux Auditing Live CDs can be used in any number of modes: As purely probative tools they can be used to find out what's running on a network (e.g., with a network analyzer) in terms of services and information flows (who is talking to whom, and about what). Or, they can be active in terms of auditing the state of security of a specific system (e.g., trying to break in using password crackers or testing for known exploits). And, lastly, the forensic data capture tools allow you to keep all the data you generate and organize it in a way that can be used to create a chain of evidence that can be used in a formal audit or other investigation.

Finally, you might be wondering how you would save any of the data you are capturing when the system you're running basically exists only in the RAM of a laptop that will revert to whatever it was running before at the next reboot. The designers of these Live CDs seem to have thought of everything: You can activate the network interface and give your temporary auditing station an IP address and then access your network file systems as you normally would, or you could just pop a USB flash drive into a free USB port and save your data there.
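As an added example (not code from the article or from Backtrack itself), here is a small POSIX shell script that saves a captured artifact to a mounted USB stick and keeps a hashed, timestamped manifest so a later reviewer can confirm nothing changed, which is the chain-of-evidence idea the two paragraphs above describe. The mount path, file names and the `collect_artifact`/`verify_manifest` function names are assumptions.

```shell
#!/bin/sh
# Added example: store audit output on removable media with a hashed manifest.
# Assumes the USB stick is already mounted at $EVIDENCE_ROOT (constructed path).
EVIDENCE_ROOT="${EVIDENCE_ROOT:-/mnt/usb/audit-evidence}"

# collect_artifact NAME SOURCE_FILE
# Copies SOURCE_FILE into the evidence directory under NAME, records a UTC
# timestamp, SHA-256, name and collecting user in manifest.txt, and prints
# "<sha256>  <name>" so the caller can log or compare it.
collect_artifact() {
    name="$1"
    src="$2"
    [ -f "$src" ] || { echo "collect_artifact: no such file: $src" >&2; return 1; }
    mkdir -p "$EVIDENCE_ROOT" || return 1
    dest="$EVIDENCE_ROOT/$name"
    cp "$src" "$dest" || return 1
    # Hash the stored copy, not the original, so the manifest describes what is on the media.
    sum=$(sha256sum "$dest" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s  %s  %s  %s\n' "$stamp" "$sum" "$name" "$(id -un)" >> "$EVIDENCE_ROOT/manifest.txt"
    printf '%s  %s\n' "$sum" "$name"
}

# verify_manifest
# Re-hashes every artifact listed in manifest.txt. Returns 0 if every hash
# still matches, 1 if any file is missing or has been altered.
verify_manifest() {
    status=0
    while read -r stamp sum name who; do
        actual=$(sha256sum "$EVIDENCE_ROOT/$name" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH: $name (recorded $sum, now ${actual:-missing})" >&2
            status=1
        fi
    done < "$EVIDENCE_ROOT/manifest.txt"
    return $status
}
```

Pipe a scanner's or sniffer's output to a file first, then call `collect_artifact scan-output.txt /tmp/scan-output.txt`; run `verify_manifest` when the media is handed over.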

The Right Tool for the Right Job

Obviously, in a relatively short article there's no way to do justice to the scope and breadth of a tool-set like Backtrack (or any of the other Live CD-based auditing/security systems that are available). However, it's plain to see that if you need to quickly set up an auditing suite to satisfy your boss (or yourself) that all's right with your network, you can't go wrong with a tool like Backtrack.

Auditing/Security Live CDs

As stated, Auditing/Security Live CDs come in many, many flavors. Some are full-blown distributions in their own right (i.e., you often have the option to install them onto the system disk, not just run them as Live CDs); others are small enough to be run completely from a USB flash drive.
