Crash Course: Open-Source Security Tools a Double-Edged Sword

The good news: Plenty of open-source tools are available to test the security of your network and alter your network settings. They're freely available as part of your OS or over the Internet, and they usually cover a wider range and scope than off-the-shelf security products. And, often, these open-source tools have more features than comparable commercial options (though this can mean more complexity). In general, these tools are easy to acquire and install.

The bad news: Would-be attackers know about and have access to these tools, too. Therefore, you must know how intruders can use these tools against you and how to recognize when one is at work in your network.

Start Probing

Open-source network security tools fall into three main categories: those that probe the network; those that listen on the network; and those that alter the network. The most popular way to probe the network is by using the venerable ping command, a standard tool in every OS. It lets you see which computers are present and available on the network (perhaps including those that shouldn't be there). But a better ping is hping, an enhancement to ping that goes beyond sending the typical ICMP ECHO request. Hping can send nearly any type of packet in any manner, and you can easily craft non-standards-conforming packets with hping to determine if your computers or network gear will malfunction when faced with such traffic.

Hoping uses Layer 3 methods to find computers responding on the network; for Layer 2 discovery, there's arping, which uses the Ethernet ARP (Address Resolution Protocol) to determine if a machine is responding on a particular Ethernet segment. This method, often considered harmless by most computers, is usually not blocked by software firewalls.

Arping can be harmful if it's abused: It can send unsolicited ARP replies to arbitrary computers on your Ethernet segment. These replies will update any other computer's ARP table on your Ethernet segment. Make sure you understand how your key servers and network gear react to unsolicited ARP replies. There are productive uses for sending unsolicited ARP replies--at the University of Wisconsin-Madison Computer-Aided Engineering Center, we use it in a homegrown clustering solution. Clusters have difficulty convincing networking gear their IP address has changed Ethernet addresses when the IP address moves from one computer to another. So as part of the process that starts the service on a node in a cluster, we use arping to update the ARP table on the router.

New Connections

Another tool we use is netcat, which lets you create inbound or outbound connections on any TCP or UDP port to connect to Internet services (or even other instances of netcat). In TCP outbound mode, netcat is similar to telnet, but has vastly superior support for input and output streams. Combine that with netcat's receive ability, and you can easily set up your own raw file transfer. Netcat is also useful for poking at most plain-text TCP Internet services like HTTP, SMTP and similar style servers. With it you can easily probe open ports on the network, to see what is responding and how it responds.These tools are great for interactively querying your network, but often you need more systematic tools, like nmap. Nmap identifies the computers responding on the network, the ports they have open and even their operating systems. You can change many settings with nmap, including how fast it runs (or how sneaky it tries to be), what protocols it uses and other cloaking and spoofing options.

With the data that nmap provides and amap, another open-source probe, you get more in-depth information on a particular port. Nmap tell you which ports are open and the services typically associated with those ports. It will always say, for example, that Port 25 is SMTP, without having the intelligence to confirm it really is a SMTP-capable service responding on that port. Amap, though, uses a number of heuristics to determine what is running on a particular port, even a nonstandard port. We've used amap to find ssh daemons running on nonstandard ports and on our network, which nearly always means a computer has been compromised.

Listen Up

Once, only commercial packages were available for recording network traffic. Not anymore. Our favorite open-source network-monitoring device is Ethereal, which is available for Windows, Linux, Mac OS and other operating systems. Complete with plug-ins to monitor different protocols, Ethereal is a powerful and easy-to-use network scanner, and is our network scanning tool of choice.

Another tool that's a must for any server subnet is arpwatch, which watches for changes on your network and notifies you when they occur. When new machines show up on the network, or when machines start using different IP addresses, arpwatch lets you know. Most of the time arpwatch just alerts us when co-workers here at the university make changes on the network. The real value of this tool, however, is when it detects changes that shouldn't be happening, such as when a new, unauthorized computer is being attached to your network, or when a computer is sending out unauthorized ARP replies (such as with arping or Ettercap).Since most network attacks occur over the network gateway, listening at the borders of your network for inappropriate activity is helpful. Our favorite open-source tool for this is Snort, which is used in much the same way some commercial intrusion detection/prevention systems are used. The downside with Snort is that, unlike commercial solutions where the configuration is typically GUI-based, Snort is often installed and configured over a command line interface--though add-on GUIs are available for download. A nice feature of Snort, however, is it can easily be combined with p0f (passive fingerprinting) to record operating systems used both on your network and on the remote computers.

Potential Troublemakers

There are other less socially acceptable listening tools attackers can use against you. Dsniff, which listens on the network for passwords, is simple to use and fast--and you'll be shocked at how many passwords you can find with dsniff if you run it on a computer that sees large amounts of traffic. Dsniff can recover passwords from many different network protocols, including HTTP, POP3, IMAP, SMTP and FTP. Other open-source tools that come with dsniff capture files transmitted over NFS and HTTP. Dsniff demonstrates why encryption is necessary, particularly if you are still getting resistance to it within your organization. So, be on the lookout for dsniff being used on your network by a would-be attacker.

While dnsiff itself is a passive tool, Ettercap goes a step further and attempts to inject itself into your network by using unsolicited ARP replies (like one of arping's options). So if machine A is trying to talk to machine B, Ettercap butts in and tells A "I'm B," and tells B, "I'm A." This way, when A and B try to send packets to each other, both really talk to Ettercap, and Ettercap records the packet and then passes it along to the destination machine. Unless you are watching with arping (or a similar tool), neither A nor B will be aware that anything illicit is occurring.

Ettercap is not a tool for a production network, but you should know what it looks like when it is nefariously running on your network. That way, you can quickly identify it and shut it down. Try it out on a test network, with arpwatch running, to see how arpwatch responds--be warned, though, arpwatch will get very noisy.

The key with these tools is to remember that your IT people are probably not the only ones trying to run these against machines on your network. Even if you have firewalls, having a crunchy outside but soft and gooey inside means you're only one firewall misconfiguration away from intruders getting inside your network. Consider using these free tools against your own network, so you can see what any intruder would see--before he or she sees it.

Jeff Ballard is the Unix systems manager for the Computer-Aided Engineering Center at the University of Wisconsin-Madison. Send your comments on this article to him at [email protected].

DBAN Destruction

While we're on the topic of open-source security tools, there's a non-network tool worth mentioning--DBAN (Darik's Boot And Nuke). DBAN is a bootable disk that does just one thing (but it's a big thing): It wipes all hard drives on a computer clean, so compromised data on those hard drives is not recoverable.DBAN does military-style formatting, so it also can be used to try to hide data from those who want to get at your information. Unless you're an international spy, this isn't something you would typically use DBAN for. Instead, the conventional enterprise uses DBAN to ensure a compromised machine hit by a virus or worm, for instance, is completely formatted and clean. Beware that since DBAN is a bootable CD with no options, there is no way to stop it once it starts its work (except hitting the power button). Insert the CD, reboot the computer, go to lunch and, voila!, a clean machine.

But DBAN is a loaded weapon. Don't point it at something you don't want to destroy. Label it clearly, so you don't confuse it with something nondestructive and boot from it accidentally, thereby inadvertently destroying something you need.