AUDITOR SECURITY COLLECTION NOTES
Notes provided by Douglas Lancaster and collected from various sources.
Irongeek's note: You can get Auditor from
http://new.remote-exploit.org/index.php/Auditor_main
What is Auditor?
Auditor is a self-booting Linux-based collection of tools that are very useful
for auditing a system. As described by the developers, it is the "Swiss army
knife of security tools". Not only is it very useful for conducting security
audits, but it is also very useful for retrieving files from a damaged hard
drive in a non-booting system. Just like a Swiss army knife, the potential uses
of Auditor are limited only by your imagination.
As Auditor is based on Linux, having a good grasp of Linux commands is very
useful but not essential. In this paper, we will use Auditor to retrieve files
from a non-booting workstation and transfer the files to another workstation.
The same principle can be applied to retrieve log files and other information
from a workstation that has been compromised or infected by a virus.
Using Auditor
Check BIOS settings to make sure that
the system will boot off of the CD-ROM first. Insert the Auditor CD-ROM and
reset the system. Auditor will boot up to the initial start screen. At this
point, press F1 to enter the Help Menu.
At the prompt, type:
vmlinuz lang=us screen=800x600 (or 1024x768)
Note the spelling of vmlinuz not
vmlinux. On older versions of Auditor, if you booted normally, the system would
default to a different keyboard which makes navigation somewhat difficult. With
the newest version, it is no longer necessary to input the language variable as
a menu will appear allowing you to choose from various language options. Various
screen sizes are available depending on your preference. Other parameters are
shown on the Help screen. The most useful of these is "wheelmouse" which forces
the discovery and use of a wheel mouse.
Auditor will boot according to the
parameters passed on to it and when finished, the user will be greeted with a
Graphical User Interface very similar to Windows or Linux desktop environments.
Like most GUIs, a drop-down menu can be obtained through a right-click on the
desktop. Other menu items can be obtained through the Go button on the menu bar.
The most useful item is at the top of either menu, and also available as a quick
button on the menu bar: XTerm, the terminal emulation program. This will open
up a terminal window in which you will be able to type various commands. Think
of it as a DOS window on steroids.
When you first start up a terminal,
you will be greeted with something that looks like this:
root@0[root]#
This indicates the user name (root),
the location (terminal window #0), and the present working directory in [ ]
(root). At this command prompt, you can type in various commands. To obtain
assistance with most commands, you can type /? or --help after the
command to display the help screen. Some of the more useful commands are:
pwd - displays the present working directory
passwd - changes the password of the current user
cd - changes directory; cd by itself goes to the "home directory" (/root)
cp - copies a file from one location to another
mv - moves a file from one location to another
ifconfig - the Linux counterpart of ipconfig on Windows 2000; displays network information
ls - lists directory contents
man - followed by any command, opens the manual pages for that command
mc - starts the Midnight Commander file manager
mcedit - starts the Midnight Commander editor
Unlike DOS, directories are divided by a / and not a \. So
the Linux equivalent of the DOS command cd \windows\system would be cd
/windows/system. Note that a / before the name does the exact same thing the \
does in a DOS command – it goes to the root of the file system and will attempt
to locate the directory there. The same principles hold true in Linux as in DOS
with regards to using periods: cd .. will go up the tree one directory (but
don't forget the space between the cd and the periods; unlike DOS, Linux is
very specific about this). Another benefit of Linux is command-line completion. If you type
the first few letters of a command, and then hit the Tab key, the system will
either show a number of commands that start with those letters or complete the
command if there is only one command.
Network Configuration
Auditor recognizes most popular
network cards, including wireless devices. To configure a network card under
most circumstances, click on the Go button and choose "Configure your network
device" from the Configuration menu item. A screen will pop up asking if you
wish to use DHCP. Click Okay and the system will obtain an IP address from the
nearest DHCP server, otherwise you will be prompted for all of the necessary
information.
If you use DHCP, a screen will open
showing all of the TCP/IP information once the system has obtained it from the
DHCP server. Make note of the IP address as it will be most useful later. This
information can always be obtained by typing ifconfig from the command prompt
in a terminal (ifconfig -a also lists interfaces that are currently down).
Mounting Hard Drives
Before you can manipulate any data on
the hard drive on the system, it will be necessary to mount it. For those not
familiar with Linux, all partitions are "mounted" prior to use. Most hard drive
partitions will be recognized and mounted automatically by Auditor during boot,
but some will require manual intervention.
The mount command is used from a
terminal command prompt. The general format of the command is to specify the
device name and then the mount point (directory name). Generally, all mount
points are located in the /mnt directory. If you change to the mnt directory,
and do a directory listing, you will see numerous directories with names such as
hda1, hda2, etc.
cd /mnt
ls
mount /dev/hda1 /mnt/hda1 -r -t ntfs
cd hda1
ls
The preceding mount command will do
the following: mount the first partition of the first hard drive (/dev/hda1 =
device, hard drive a, partition 1) to the mount point /mnt/hda1. The -r will
mount the hard drive in Read Only mode. The default is -w, which is Read / Write
mode. If you are auditing a hard drive and looking for evidence, it is
imperative that you mount in Read Only mode to preserve any data on the hard
drive. The -t gives the type of file system, in this example NTFS. The last two
commands in the example will change the directory to hda1 and display the
contents of the drive. The directory structure of the hard drive will be
essentially the same as under the normal operating system, only instead of
starting at C: it would start at /mnt/hda1. As an example, the directory Program
Files in a DOS window would show up as C:\progra~1 while in Auditor, it will
show up as /mnt/hda1/Program Files (Linux is case-sensitive, and the space in
the name must be quoted or escaped on the command line).
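As an added example (not from the original notes), the following shell script builds the read-only mount command described above and then checks a /proc/mounts listing to confirm that the kernel really holds the partition as "ro", which is the check you want before touching evidence. The device name, mount point and the sample /proc/mounts lines are constructed for the demonstration, and the noexec,nosuid options are an addition beyond what the notes use.

```sh
#!/bin/sh
# Added example, not part of the original notes. Builds the read-only mount
# the notes describe and verifies from a /proc/mounts listing that the mount
# really is "ro". Device, mount point and sample listing are assumed values.

# Build the mount command: -r (read-only) and -t (file system type) as in the
# notes, plus noexec,nosuid so nothing on the evidence drive can be executed.
mount_ro_cmd() {
  dev=$1; mp=$2; fstype=$3
  printf 'mount -r -t %s -o noexec,nosuid %s %s\n' "$fstype" "$dev" "$mp"
}

# Parse a /proc/mounts listing (fields: device mountpoint fstype options ...)
# and return 0 only if MOUNTPOINT is present with the "ro" option set.
is_mounted_ro() {
  mp=$1; listing=$2
  printf '%s\n' "$listing" | awk -v mp="$mp" '
    $2 == mp {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of what /proc/mounts could show: hda1 mounted read-only
# as the notes recommend, hda2 mounted read/write by mistake.
SAMPLE_MOUNTS='/dev/hda1 /mnt/hda1 ntfs ro,noexec,nosuid 0 0
/dev/hda2 /mnt/hda2 ntfs rw,noatime 0 0'

# On a live Auditor session you would run the printed command as root and then
# call:  is_mounted_ro /mnt/hda1 "$(cat /proc/mounts)"
main() {
  mount_ro_cmd /dev/hda1 /mnt/hda1 ntfs
  if is_mounted_ro /mnt/hda1 "$SAMPLE_MOUNTS"; then
    echo "/mnt/hda1 is read-only: safe to examine"
  fi
  if ! is_mounted_ro /mnt/hda2 "$SAMPLE_MOUNTS"; then
    echo "/mnt/hda2 is NOT read-only: remount with -r before examining"
  fi
}
main
```

The check reads /proc/mounts rather than trusting the command you typed, because a partition that was auto-mounted read/write during boot will keep those options until it is remounted.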
FTP
Once you have mounted a hard drive,
you will need a way of moving the data to a location where you can do something
with it. One of the more useful ways of transferring data (such as log files,
etc) from the audited system to another system is via File Transfer Protocol or
ftp. However, prior to using ftp, it will be necessary to allow a user to log on
via ftp. As Auditor is designed to be a one-user system, you cannot add
additional users. Even if you could, it would not make much sense as each time
you reboot the system, all the user information would be lost.
Since you cannot add additional users, the easiest way to grant access via ftp
is to allow one of the existing users access. This is done by editing the
/etc/ftpusers file and commenting out one of the users listed there by placing a
# at the beginning of the name (users listed in that file are denied ftp login).
Since the reason for using ftp under Auditor is to move information, it is
acceptable to grant ftp access to root.
NOTE: Granting ftp or telnet access to root is normally not done. Doing so is
a severe security risk. All ftp information, including user name and password
are sent as clear unencrypted text.
Although there are numerous ways of
editing the ftpusers file, the easiest is to use Midnight Commander, a Norton
Commander clone. From the command prompt, enter in mc to start Midnight
Commander. You will see two windows with directory listings and you can navigate
the directories with Tab and the directional keys, including Home, End, etc.
Using MC is fairly self-explanatory – once you have found the file you wish to
edit, press F4 to enter the editor and then press F10 and save the changes.
It will also be necessary to change
the password for root in order to log in through ftp. From a terminal, use the
passwd command and you will be prompted twice for a new password. Normally you
would type in a username after the passwd command, but since you are the root
user, it automatically assumes that this is the password you wish to change.
Start the ftp server from the command
prompt:
in.ftpd -D
The -D switch starts the ftp server as a daemon. Once the ftp server has been
started, you should be able to access it from another system through any ftp
client software. If you are using ftp from a command line, the standard ftp
(Unix) commands will work. For the purposes of transferring numerous files, it
is preferable to use a graphical ftp client.
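Added here as an example (not part of the original notes) to make the semantics of the ftpusers edit explicit: /etc/ftpusers is a deny list, so a name is present to keep that user out, and commenting the name out is what lets the login through. The script works on a text copy of the file rather than /etc/ftpusers itself, so the edit can be dry-run and inspected first; the sample file contents are constructed.

```sh
#!/bin/sh
# Added example, not part of the original notes. Shows the effect of the
# /etc/ftpusers edit on a text copy of the file. Sample contents are assumed.

# Return 0 if USER is denied ftp login by LISTING (ftpusers-format text).
# Blank lines and lines beginning with # are ignored, as the ftp daemon does.
ftp_denied() {
  user=$1; listing=$2
  printf '%s\n' "$listing" | awk -v u="$user" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == u { hit = 1 }
    END { exit hit ? 0 : 1 }'
}

# Produce LISTING with USER commented out: the same change the notes make by
# hand in Midnight Commander, expressed as a sed substitution.
allow_ftp_user() {
  user=$1; listing=$2
  printf '%s\n' "$listing" | sed "s/^[[:space:]]*${user}[[:space:]]*\$/# &/"
}

# Constructed sample of a default ftpusers file (a deny list).
SAMPLE_FTPUSERS='# users that may not log in via ftp
root
daemon
nobody'

# On a live Auditor session: allow_ftp_user root "$(cat /etc/ftpusers)" > /tmp/ftpusers.new
# then review /tmp/ftpusers.new before copying it over /etc/ftpusers.
main() {
  if ftp_denied root "$SAMPLE_FTPUSERS"; then
    echo "root: ftp login denied by default"
  fi
  opened=$(allow_ftp_user root "$SAMPLE_FTPUSERS")
  if ! ftp_denied root "$opened"; then
    echo "root: ftp login allowed after commenting the entry out"
  fi
  if ftp_denied daemon "$opened"; then
    echo "daemon: still denied, only root was opened"
  fi
}
main
```

Because the whole Auditor file system lives in RAM, the edited ftpusers file (and the root password set with passwd) disappears at the next reboot, which is the one thing that makes this acceptable for a one-session transfer.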
VNC Server
Auditor also comes with VNC client and server software. VNC allows you to access
the system remotely, view the desktop and run programs. As with FTP, VNC is not
very secure. However, for the purposes intended, it is a very useful tool. To
start the VNC server on the Auditor system, enter the following command:
vncserver -geometry 800x600
The geometry value is any allowable video resolution. Once the command
has been entered in a terminal, you will be prompted for a password. After
entering in the password, the VNC server is ready to accept incoming
connections.
To connect to the VNC server, you will need a VNC viewer. There are a number of
VNC viewers available for various operating systems, all free for the download.
Once you have downloaded and started your VNC viewer, you will be asked for a
server. In the server box, type in the IP address of the VNC server with a :1
immediately after it, e.g.:
192.168.0.10:1
This will connect you to the VNC server and allow you to work on the system
remotely. Some people may be asking why you would wish to do so. The simple
answer is that the audited system and the workstation you are using to analyze
the downloaded data may be in different locations. Once VNC is set up, you can
access the system to perform simple tasks instead of constantly walking between
the two systems.
BKHive and Samdump
Two tools included in the system
which demonstrate that like a Swiss Army knife, Auditor can be dangerous in the
wrong hands are BKHive and Samdump. With Windows NT, 2000 and XP, the user has
the option of using the syskey command to increase security. Syskey adds
additional encryption to the SAM database where the user passwords are stored.
One of the favorite methods of attack in the past was to obtain a copy of the
SAM, and then utilize a program such as L0phtCrack LC4 to crack the passwords.
With syskey, the attacker must now "break through" the additional encryption.
However, Auditor contains some useful
tools that bypass any extra security that syskey may have provided. BKHive
will generate the bootkey that syskey uses to encrypt the system. The SAM and
SYSTEM files that contain the hashed passwords and the bootkey respectively are
located in the winnt\system32\config directory. Once the hard drive has been
mounted, change to that directory and use the command:
bkhive-linux system /root/keydump
This will generate the bootkey from
the SYSTEM file and dump it in a file named keydump located in the /root
directory. You can now use the Samdump program from the same directory to
generate a dumped version of the SAM that can be cracked with almost any
password cracker:
samdump2-linux sam /root/keydump >/root/samdump
This will use the SAM from the
current directory and the bootkey generated by bkhive to dump the contents of
the SAM into the file samdump in the /root directory. Once this file has been
created, you can view it to see all of the account names and run some of the
password cracking tools on Auditor such as John the Ripper, or simply copy the
file to a different system and use a tool such as L0phtCrack LC4 to crack all of
the passwords. For a more detailed account of using these two tools, see
http://studenti.unina.it/~ncuomo/syskey/syskey.txt.
Once again, the old adage proves true
– if someone can physically access your system, it is no longer your system.
Other Useful Tools
Thus far, we have been looking at
Auditor as a tool for obtaining information from a hard drive and copying that
information to another system. For this purpose, the program is quite useful and
can salvage a lot of data that would otherwise be lost if a hard drive is not
bootable. This is not the only use of Auditor – it can be used for many other
purposes.
Other programs included in Auditor
include web browsers (Dillo and Firefox), a graphic editor (GIMP), various
editors and a calculator. There are also a myriad of text-based tools located in
the /bin and /usr/bin directories. This makes Auditor a great place to learn
Linux without worrying about crippling the system; if you do, just press Reset
and reboot from the CD ROM.
There are also a number of tools for
auditing the system as well as performing network audits. There are a number of
port scanners, network protocol sniffers and other very useful tools available.
The best way to find out what these things do is to play with them in a
controlled environment where you can't do any damage to a running network.