AUDITOR SECURITY COLLECTION NOTES
Notes Provided by
Douglas Lancaster and collected from various sources.
Irongeek's note: You can get Auditor from http://new.remote-exploit.org/index.php/Auditor_main
What is Auditor?
Auditor is a self-booting, Linux-based collection of tools that are very useful for auditing a system. As described by the developers, it is the "Swiss army knife of security tools". Not only is it very useful for conducting security audits, it is also very useful for retrieving files from a damaged hard drive in a non-booting system. Just like a Swiss army knife, the potential uses of Auditor are limited only by your imagination.
As Auditor is based on Linux, having a good grasp of Linux commands is very useful but not essential. In this paper, we will use Auditor to retrieve files from a non-booting workstation and transfer the files to another workstation. The same principle can be applied to retrieve log files and other information from a workstation that has been compromised or infected by a virus.
Check BIOS settings to make sure that the system will boot off of the CD-ROM first. Insert the Auditor CD-ROM and reset the system. Auditor will boot up to the initial start screen. At this point, press F1 to enter the Help Menu.
At the prompt, type:
vmlinuz lang=us screen=800x600 (or 1024x768)
Note the spelling: vmlinuz, not vmlinux. On older versions of Auditor, if you booted normally, the system would default to a different keyboard layout, which makes navigation somewhat difficult. With the newest version it is no longer necessary to pass the language variable, as a menu will appear allowing you to choose from various language options. Various screen sizes are available depending on your preference. Other parameters are shown on the Help screen. The most useful of these is "wheelmouse", which forces the discovery and use of a wheel mouse.
Auditor will boot according to the parameters passed to it and, when finished, the user will be greeted with a graphical user interface very similar to a Windows or Linux desktop environment. Like most GUIs, a drop-down menu can be obtained through a right-click on the desktop. Other menu items can be obtained through the Go button on the menu bar. The most useful item is at the top of either menu, and is also available as a quick button on the menu bar: XTerm, the terminal emulation program. This opens a terminal window in which you can type various commands. Think of it as a DOS window on steroids.
When you first start a terminal, the prompt shows three things: the user name (root), the terminal window number (0), and the present working directory in [ ] (root). At this prompt you can type in various commands. Most commands print a help screen if you follow them with --help (the DOS /? switch does not work under Linux). Some of the more useful commands are:
pwd - displays present working directory
passwd - change the password of the current user
cd - change directory; cd by itself will go to the "home directory" (/root)
cp - copy a file from one location to another
mv - move a file from one location to another
ifconfig - the Linux counterpart of ipconfig on Windows 2000; displays network interface information
ls - list directory contents
man - followed by any command will open up the manual pages for that command
mc - will start the Midnight Commander file manager
mcedit - will start the Midnight Commander editor
Unlike DOS, directories are separated by a / and not a \. So the Linux equivalent of the DOS command cd \windows\system would be cd /windows/system. Note that a / before the name does the exact same thing the \ does in a DOS command: it goes to the root of the file system and attempts to locate the directory there. The same principle holds true in Linux as in DOS with regard to using periods: cd .. will go up the tree one directory, but don't forget the space between the cd and the periods. Unlike DOS, Linux is very particular: the space is required, and file and directory names are case-sensitive, so Windows and windows are two different directories. Another benefit of Linux is command-line completion. If you type the first few letters of a command and then hit the Tab key, the system will either show the commands that start with those letters or complete the command if there is only one match.
Auditor recognizes most popular network cards, including wireless devices. To configure a network card under most circumstances, click on the Go button and choose "Configure your network device" from the Configuration menu item. A screen will pop up asking if you wish to use DHCP. Click Okay and the system will obtain an IP address from the nearest DHCP server, otherwise you will be prompted for all of the necessary information.
If you use DHCP, a screen will open showing all of the TCP/IP information once the system has obtained it from the DHCP server. Make a note of the IP address, as it will be needed later. This information can always be obtained by typing ifconfig -a from the command prompt in a terminal (the Windows switch /all does not exist; -a lists all interfaces).
Mounting Hard Drives
Before you can manipulate any data on the hard drive on the system, it will be necessary to mount it. For those not familiar with Linux, all partitions are "mounted" prior to use. Most hard drive partitions will be recognized and mounted automatically by Auditor during boot, but some will require manual intervention.
The mount command is used from a terminal command prompt. The general format of the command is to give any options, then the device name, then the mount point (a directory name). Generally, all mount points are located in the /mnt directory. If you change to the /mnt directory and do a directory listing, you will see numerous directories with names such as hda1, hda2, etc.
mount -r -t ntfs /dev/hda1 /mnt/hda1
cd /mnt/hda1
ls
The mount command does the following: it mounts the first partition of the first hard drive (/dev/hda1 = device, hard drive a, partition 1) at the mount point /mnt/hda1. The -r switch mounts the partition read-only; the default is -w, read/write. If you are auditing a hard drive and looking for evidence, it is imperative that you mount read-only so that nothing on the drive is altered, not even file access times (adding -o noatime makes that explicit). The -t switch gives the filesystem type, NTFS in this example (vfat for FAT32, ext2 or ext3 for Linux partitions). Before mounting, run mount with no arguments to see what Auditor has already mounted. The last two commands change into the mounted drive and list its contents. The directory structure of the hard drive is the same as under the normal operating system, except that it starts at /mnt/hda1 instead of C:. As an example, the directory that a DOS window shows as C:\progra~1 appears in Auditor as /mnt/hda1/Program Files; since the name contains a space and Linux is case-sensitive, type it as cd "/mnt/hda1/Program Files".
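The following shell script is an added example and is not part of the original notes. It wraps the mount step above and adds the check a practitioner wants before copying anything off an evidence drive: a hash manifest made on the read-only mounted drive, which can be re-checked after the files have been transferred by ftp or any other means. The device /dev/hda1 and mount point /mnt/hda1 are taken from the notes; the manifest functions work on any directory, so they can be tried without a real drive.

```shell
#!/bin/sh
# Added example, not part of the original Auditor notes.
# Mount a partition read-only and produce a hash manifest of its files so
# that copies made later (ftp, VNC, anything) can be verified against it.
#
# Assumed for illustration, as in the notes: /dev/hda1 is an NTFS
# partition and /mnt/hda1 is its mount point.

# mount_ro DEVICE MOUNTPOINT FSTYPE
# Read-only is not optional on an evidence drive. noatime goes with it so
# that even reading a file does not touch its metadata; noexec and nosuid
# stop anything on a possibly compromised drive from being run by accident.
mount_ro() {
    dev=$1; mp=$2; fstype=$3
    mkdir -p "$mp"
    mount -t "$fstype" -o ro,noatime,noexec,nosuid "$dev" "$mp"
}

# make_manifest DIR MANIFEST
# Walk DIR and write "hash  ./relative/path" lines, sorted so that two runs
# over the same tree are byte-identical. Paths are relative to DIR, so the
# manifest also checks a copy that lands under a different directory.
# md5sum is what the Auditor-era tools shipped; sha1sum and sha256sum take
# the same arguments and the same -c option.
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r md5sum ) > "$out"
}

# verify_manifest DIR MANIFEST
# Re-hash the tree at DIR against MANIFEST. Returns 0 only if every listed
# file is present and unchanged; --status keeps md5sum quiet for scripts.
verify_manifest() {
    dir=$1; manifest=$2
    case "$manifest" in
        /*) ;;
        *)  manifest="$PWD/$manifest" ;;   # keep a relative path valid after cd
    esac
    ( cd "$dir" && md5sum -c --status "$manifest" )
}

# Typical run on the Auditor box (needs root and the real device):
#   mount_ro /dev/hda1 /mnt/hda1 ntfs
#   make_manifest /mnt/hda1 /root/hda1.md5
#   ... copy the files off, then on the receiving side ...
#   verify_manifest /path/to/copy /root/hda1.md5
```

Keep the manifest with the case notes, not only on the drive you copied to: it is the only evidence that what was analysed is what was on the disk.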
Once you have mounted a hard drive, you will need a way of moving the data to a location where you can do something with it. One of the more useful ways of transferring data (such as log files) from the audited system to another system is via File Transfer Protocol, or ftp. However, prior to using ftp, it will be necessary to allow a user to log on via ftp. As Auditor is designed as a single-user live system, you cannot add additional users. Even if you could, it would not make much sense, as all user information is lost each time you reboot.
Since you cannot add additional users, the easiest way to grant access via ftp is to allow one of the existing users in. This is done by editing the /etc/ftpusers file (the list of accounts that are denied ftp login) and commenting out one of the users listed there by placing a # at the beginning of the name. Since the only reason for using ftp under Auditor is to move information off the box, it is acceptable to grant ftp access to root.
NOTE: Granting ftp or telnet access to root is normally never done; doing so is a severe security risk. All ftp traffic, including the user name and password, is sent as clear, unencrypted text. Do this only on an isolated network (a crossover cable or a dedicated switch between the two machines) and only for as long as the transfer takes; once the live CD is rebooted the setting is gone anyway.
Although there are numerous ways of editing the ftpusers file, the easiest is to use Midnight Commander, a Norton Commander clone. From the command prompt, enter mc to start Midnight Commander. You will see two panels with directory listings, and you can navigate the directories with Tab and the arrow keys, including Home, End, etc. Using MC is fairly self-explanatory: once you have found the file you wish to edit, press F4 to open it in the editor, make the change, then press F10 to quit and answer Yes when asked to save (F2 saves without quitting).
It will also be necessary to change the password for root in order to log in through ftp. From a terminal, use the passwd command and you will be prompted twice for a new password. Normally you would type in a username after the passwd command, but since you are the root user, it automatically assumes that this is the password you wish to change.
Start the ftp server from the command prompt:
The -D switch starts the ftp server as a daemon. Once the ftp server has been started, you should be able to reach it from another system with any ftp client. If you are using ftp from a command line, the standard Unix ftp commands will work. For the purpose of transferring numerous files, a graphical ftp client is preferable.
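As an added example, not from the original notes, here is the ftpusers change from the steps above done from the command line with a safety check, rather than by hand in Midnight Commander. It assumes the conventional /etc/ftpusers layout of one denied account name per line; the optional file argument exists only so the functions can be tried on a copy of the file.

```shell
#!/bin/sh
# Added example, not part of the original Auditor notes.
# Enable ftp login for an existing user by commenting it out of
# /etc/ftpusers, which the notes describe doing by hand in mc.

# grant_ftp_login USER [FTPUSERS]
# Comments out exactly the line "USER": not "USER2", and not a line that is
# already commented. Refuses if the user is not listed at all, so a typo
# cannot silently leave the file untouched. Returns 0 on success.
# The file defaults to /etc/ftpusers; the second argument is only there so
# the function can be exercised on a copy.
grant_ftp_login() {
    user=$1; file=${2:-/etc/ftpusers}
    if ! grep -q "^$user\$" "$file"; then
        echo "grant_ftp_login: $user is not listed in $file" >&2
        return 1
    fi
    sed -i "s/^$user\$/#$user/" "$file"
}

# ftp_login_allowed USER [FTPUSERS]
# Returns 0 if USER is no longer denied by the ftpusers file.
ftp_login_allowed() {
    user=$1; file=${2:-/etc/ftpusers}
    ! grep -q "^$user\$" "$file"
}

# Remaining steps from the notes, which need a live Auditor box:
#   grant_ftp_login root
#   passwd                  # set a root password; ftp will not take an empty one
#   (start the ftp daemon with -D as described in the notes)
# The password now crosses the wire in the clear: isolated network only.
```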
Auditor also comes with VNC client and server software. VNC allows you to access the system remotely, view the desktop and run programs. As with FTP, VNC is not very secure: the password is limited to eight characters and the session itself is not encrypted. However, for the purpose intended, on an isolated network, it is a very useful tool. To start the VNC server on the Auditor system, enter the following command:
vncserver -geometry 800x600
The -geometry value is any supported screen resolution. Once the command has been entered in a terminal, you will be prompted for a password (twice). After entering the password, the VNC server is ready to accept incoming connections, and it prints the display number it is using, normally :1 since the local desktop already occupies :0.
To connect to the VNC server, you will need a VNC viewer. There are a number of VNC viewers available for various operating systems, all free to download. Once you have downloaded and started your VNC viewer, you will be asked for a server. In the server box, type the IP address of the VNC server with a :1 immediately after it (for example, if the address obtained from DHCP was 192.168.1.5, type 192.168.1.5:1). The :1 is the display number; on the network it corresponds to TCP port 5901, i.e. 5900 plus the display number, which is useful to know if a firewall sits between the two machines.
This will connect you to the VNC server and allow you to work on the system remotely. Some people may be asking why you would wish to do so. The simple answer is that the audited system and the workstation you are using to analyze the downloaded data may be in different locations. Once VNC is set up, you can access the system to perform simple tasks instead of constantly walking between the two systems.
BKHive and Samdump
Two tools included in the system which demonstrate that, like a Swiss Army knife, Auditor can be dangerous in the wrong hands are BKHive and Samdump. With Windows NT, 2000 and XP, the user has the option of using the syskey command to increase security. Syskey adds an additional layer of encryption to the password hashes stored in the SAM database. One of the favourite methods of attack in the past was to obtain a copy of the SAM and then use a program such as L0phtCrack LC4 to crack the passwords. With syskey, the attacker must first "break through" the additional encryption.
However, Auditor contains tools that bypass whatever extra security syskey may have provided, because the key is stored on the same disk. BKHive extracts the boot key from the SYSTEM registry hive; syskey derives the key that encrypts the SAM hashes from it. The SAM and SYSTEM hive files, which contain the hashed passwords and the boot key respectively, are located in the system32\config directory under the Windows directory (winnt on NT and 2000, windows on XP). Once the hard drive has been mounted, change to that directory, check the exact spelling of the two file names with ls (Linux is case-sensitive, so SAM and sam are different names), and use the command:
bkhive-linux system /root/keydump
This extracts the boot key from the SYSTEM file and writes it to a file named keydump in the /root directory. You can now use the Samdump program from the same directory to produce a dumped version of the SAM that can be cracked with almost any password cracker:
samdump2-linux sam /root/keydump >/root/samdump
This uses the SAM from the current directory and the boot key produced by bkhive to dump the contents of the SAM into the file samdump in the /root directory, one account per line in the familiar pwdump format (user name, RID, LM hash, NT hash). Once this file has been created, you can view it to see all of the account names and run one of the password cracking tools on Auditor, such as John the Ripper, against it, or simply copy the file to a different system and use a tool such as L0phtCrack LC4 to crack all of the passwords. For a more detailed account of using these two tools, see http://studenti.unina.it/~ncuomo/syskey/syskey.txt.
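Before handing a dump to a cracker it is worth a minute of triage, which the notes do not show. The following script is an added example, not part of the original notes or of samdump2: it reads a pwdump-format file such as samdump2 writes and flags what a practitioner looks for first. The sample dump it writes is constructed for illustration (the two non-empty hashes are the well-known LM and NT hashes of the word "password"); the two constants are the hashes of the empty password, which are the same on every Windows system.

```shell
#!/bin/sh
# Added example, not part of the original Auditor notes.
# Triage a pwdump-format SAM dump (the format samdump2 writes) before
# cracking. Each line is   user:RID:LM-hash:NT-hash:::
# The two constants are the well-known hashes of the empty password.
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0

# triage_pwdump FILE
# Prints one finding per line, "<tag> <user>", in file order:
#   nopass   NT hash is the empty-password hash (or a "NO PASSWORD"
#            placeholder): the account has no password, nothing to crack
#   lmhash   a real LM hash is present: crack that first, it is fast
#   rid500   the built-in Administrator, whatever it has been renamed to
#   reuse    NT hash already seen on an earlier account: shared password
triage_pwdump() {
    awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
        # A hash field is 32 hex digits; anything else is a placeholder.
        function is_hash(h) { return length(h) == 32 && h ~ /^[0-9a-f]+$/ }
        NF < 4 || $1 ~ /^#/ { next }                 # skip blank/comment lines
        {
            user = $1; rid = $2; lm = tolower($3); nt = tolower($4)
            if (nt == ent || !is_hash(nt))  print "nopass " user
            if (is_hash(lm) && lm != elm)   print "lmhash " user
            if (rid == "500")               print "rid500 " user
            if (is_hash(nt) && nt != ent) {
                if (nt in seen) print "reuse " user " (same as " seen[nt] ")"
                else            seen[nt] = user
            }
        }' "$1"
}

# write_sample FILE
# Constructed sample dump (not a real system). Also exercises the
# "NO PASSWORD" placeholder that some pwdump tools write in place of the
# empty-password hash.
write_sample() {
    cat > "$1" <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
dlancaster:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
EOF
}

# Usage on the Auditor box:  triage_pwdump /root/samdump
```

On the constructed sample this reports the Administrator account with no password, the Guest placeholder, an LM hash on dlancaster (so its password is at most 14 characters and falls to LM cracking first) and svc_backup sharing dlancaster's password.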
Once again, the old adage proves true – if someone can physically access your system, it is no longer your system.
Other Useful Tools
Thus far, we have been looking at Auditor as a tool for obtaining information from a hard drive and copying that information to another system. For this purpose the collection is quite useful and can salvage a lot of data that would otherwise be lost when a hard drive is not bootable. This is not the only use of Auditor; it can be used for many other purposes.
Other programs included in Auditor include web browsers (Dillo and Firefox), a graphic editor (GIMP), various editors and a calculator. There are also a myriad of text-based tools located in the /bin and /usr/bin directories. This makes Auditor a great place to learn Linux without worrying about crippling the system; if you do, just press Reset and reboot from the CD ROM.
There are also a number of tools for auditing the local system as well as for performing network audits: port scanners, network protocol sniffers and other very useful tools. The best way to find out what these do is to play with them in a controlled environment, such as an isolated lab network, where you cannot do any damage to a running network.