Thursday, December 22, 2005

Pre-Review: Penetration Tester's Open Source Toolkit

Today I received a copy of the new Syngress book Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily massive; it's probably half again as thick as my first book, yet at 704 pages it's nearly 100 pages shorter than Tao. I think Syngress used thicker, "softer" paper, if that makes sense to anyone.

The majority of the book appears to be the standard sort of hacker stuff one finds in books like Hacking Exposed, with some exceptions. The book contains two chapters on Metasploit which look helpful. I do not know yet how well these Metasploit 2.0-based chapters apply to the new Metasploit 3.0, whose alpha stage was announced last week. Similarly, chapters on Nessus may not hold up well for Nessus 3.0, also recently released.

A major selling point of the new book is its integration of the Auditor live CD. I learned that Auditor is going to merge with "competitor" IWHAX to produce BackTrack in early 2006. Consolidation among similar open source projects to pool resources and create better results? Heresy!

3 comments:

John Collins said...

Sounds interesting. I've started tooling around with both Auditor and Whax recently. I know of one particular Red Team that uses Whax occasionally and has experimented with Auditor. Besides mobility, what are the advantages of having these live attack CDs over adding these tools to a permanent OS? For example, Whax has a Google email enumerator called goog-mail.py. What is the advantage of having this in Whax versus just installing it on my Core 4 box? My point is, all of the tools found in Auditor and Whax are open source and can be installed on any Linux distro. I know you can install Whax to the hard drive, but it doesn't come with all the functionality of Core 4.

With that said, I see this as a potential security oversight by many sysadmins. On large-scale Windows networks like the ones I work with, I have never seen the BIOS password feature enabled. So what? Well, what is to stop an insider from bringing in a live CD like Whax and booting up their workstation with it? If the network switch has port security turned on it doesn't matter, because the box will still have the same MAC address. I may not be 100% right on that; if not, let me know. This individual has bypassed the firewall (physically) and is on the inside network. They can perform a full enumeration and footprint of the internal network. My coworker is saying to me right now, "You can install scanning software for Windows, so why would you want to waste time with the live CD?" Not true: I don't have admin rights on my Windows box, so I can't install anything. But with a live CD and boot sequence change rights, I don't need admin rights. I'm root on my box now with my own little hacker suite.

Just something to think about while you're stuffing your mouth with Christmas dinner. Ho Ho Mofo's!

Richard Bejtlich said...

Hi John,

I do not personally use live CDs for any security work. I may boot a live CD in a research environment to learn about new tools that may be installed on the live CD. Then I add that tool to my own laptop. I am never comfortable doing work in someone else's environment, whether it's a live CD or on a system provided by a client.

I agree that live CDs have really serious security implications inside companies. Setting a BIOS password and disabling booting from CD-ROM can help, as long as the user can't physically erase the BIOS settings.

A system running a live CD will have the same MAC, unless the live CD decides to change the MAC.

Anonymous said...

live CDs are useful. it's nice to load up the tools when you need them and run them whenever, then revert the machine back to whatever you usually use it for. remember, not everyone does security 100% of the time. my time is split up between 50% windows scripting, 25% bash scripting, and maybe 25% security which includes everything under the sun (patching, centralized AV, centralized anti-spyware, policy writing, etc.).

on a side note, if i was an evil meannie beannie and i managed to get into your network, i wouldn't bother with WHAX. i would just install rootkits on the VP's and his secretaries' machines and perhaps try to steal as many of your backup tapes as i can get my hands on.

;-0