Chapter 10. The Tool Kit

A penetration-testing tool kit is a collection of software and hardware that provides automated retrieval of information, interaction with a target network, and a means of exploiting identified weaknesses. No two tool kits look the same (everyone adapts the tools they use to their particular network or preference), but there are several programs that have proven to be very useful and can be found in most tool kits.

This chapter discusses the hardware specifications and basic configuration of a system that can be used to perform penetration testing. These are general parameters and should be seen not as exclusionary but as a suggested starting point for developing your own penetration-testing system. We cover and compare freeware and commercial security tools in later chapters; in this chapter we focus on operating systems and the functional programs that form the core of the tool kit and add the functionality required to interact with a variety of network environments. In some instances we have found specific tools that cut down on the effort or time required to perform a task, and we consider those tools indispensable parts of the tool kit.

Hardware

The choice of hardware for penetration testing is between desktop and laptop machines. The dynamic nature of a penetration test makes a desktop system awkward: it keeps the test stationary, and you cannot easily take the machine onto the client's site to perform an internal test or to test separate network segments. Ease of movement, coupled with the ability to interchange parts (swappable hard drives, network interface cards, batteries, and so on), makes a notebook computer the more flexible hardware platform for penetration testing.

It's important to note that you do not want to use a machine that holds critical data or applications for penetration testing. Occasionally a penetration-testing tool crashes the system, which can result in lost data or the need to reformat and reinstall. At a minimum, keep the tool kit on a separate hard drive from your production or work system.

While most of the tools we use do not require much processing power, brute-force and password-cracking programs are limited specifically by the CPU. A slower CPU means more time spent cracking.

Your network card is your primary conduit to the target system. It is important to have a network interface (and driver) that supports "promiscuous" mode, in which the card passes up every frame it sees rather than only the frames addressed to it. This is what allows your system to sniff network traffic and pick up user IDs and passwords sent in the clear. Some inexpensive cards, or their drivers, do not support it. Using the ifconfig command in Linux, you can ask the card to enter promiscuous mode and then check whether it did:

# ifconfig eth0 promisc

This command should put eth0 into promiscuous mode. Confirm it by running ifconfig eth0 again (with no arguments beyond the interface name) and looking for PROMISC in the flags line; if the flag is absent or the kernel logs an error, the card or its driver does not support it.

All of the sniffers we use require the network card to support promiscuous mode. If you find a card that is compatible with a network-based intrusion detection system, you most likely have a card that will go into promiscuous mode. Most networks today use 10 or 100BaseT Ethernet. Keep in mind that promiscuous mode only controls what the card accepts; on a switched segment the switch forwards to your port only your own frames plus broadcast and flooded traffic, so you will not see other hosts' sessions unless you are on a hub, a mirror port, or use another technique. In some instances you may need more than one network card to access different networks or different segments.
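Reading the flag back, as an added example that is not part of the book's text: the ifconfig command above asks for promiscuous mode but prints nothing on success, so a small shell check that parses the interface's status output for the PROMISC flag makes the capability test explicit. The helper names check_promisc and set_and_verify are ours, the sample status lines are constructed rather than captured from a real host, and the check also accepts the iproute2 form of the output, which the chapter does not mention.

```sh
#!/bin/sh
# Added example, not from the book: after "ifconfig eth0 promisc", read the
# flags back rather than assuming the request succeeded. Both the classic
# ifconfig output ("UP BROADCAST RUNNING PROMISC MULTICAST"), the newer
# net-tools/BSD form ("flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>")
# and iproute2's "ip link show" ("<BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>")
# spell the flag PROMISC, so one pattern covers all three.

# check_promisc TEXT: returns 0 if TEXT (captured interface status output)
# carries the PROMISC flag, 1 otherwise. Hypothetical helper name.
check_promisc() {
    printf '%s\n' "$1" | grep -Eq '(^|[ ,<])PROMISC([ ,>]|$)'
}

# set_and_verify IFACE: request promiscuous mode, then confirm it from the
# interface's own status before starting a sniffer. Needs root; tries
# ifconfig first and falls back to iproute2 on systems without net-tools.
set_and_verify() {
    iface="$1"
    if ! ifconfig "$iface" promisc 2>/dev/null; then
        ip link set "$iface" promisc on 2>/dev/null || return 2
    fi
    status=$(ifconfig "$iface" 2>/dev/null || ip link show "$iface" 2>/dev/null)
    check_promisc "$status"
}

# Constructed sample status output for offline testing (not captured from a
# real host); it lets check_promisc be exercised without root or a NIC.
SAMPLE_PROMISC='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'
SAMPLE_PLAIN='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_IPROUTE='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

# Usage on a live system, as root:
#   set_and_verify eth0 && tcpdump -n -i eth0
```

Note that tcpdump and other libpcap-based sniffers request promiscuous mode themselves when they open the interface, so the manual ifconfig step is a capability test for the card and driver rather than a prerequisite for every capture.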

As you acquire new tools, test the software before adding it to your tool kit. A secondary hard drive that serves as a testing platform is useful for finding out what a program does before using it against production systems. We have found that a program like Tripwire (www.tripwire.com) can be used to take a baseline of the secondary drive before installing a new program; after the installation you can identify which files have been added or changed. Since many of the programs you will want to use do not come from commercial vendors, this step provides an added safeguard to ensure that the product touches only the files you expect and does not install a virus or Trojan horse.
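As an added example that is not from the book and is not Tripwire: the same before-and-after comparison can be done with a content-hash manifest, which is enough to answer the question the paragraph poses, namely what the installer touched outside its own directory. The helper names take_baseline and compare_baseline are ours. This stand-in records only file hashes, whereas Tripwire also tracks ownership, permissions and inode details and protects its database with a signature.

```sh
#!/bin/sh
# Added example, not from the book and not Tripwire itself: a minimal
# content-hash baseline that does the one job the Tripwire step above asks
# for, telling you which files a newly installed tool added, changed, or
# removed. Helper names are ours. Paths containing whitespace are not handled.

# take_baseline DIR MANIFEST: record "sha256  ./relative/path" for every
# regular file under DIR into MANIFEST, sorted by path.
take_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k 2 > "$2"
}

# compare_baseline DIR MANIFEST: rehash DIR and print each difference from
# MANIFEST as "ADDED path", "CHANGED path", or "REMOVED path", one per line.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
compare_baseline() {
    now=$(mktemp) || return 2
    take_baseline "$1" "$now"
    # Lines from the old manifest fill old[path]=hash; lines from the fresh
    # manifest are then checked against it. Matching on FILENAME rather than
    # the usual NR==FNR trick keeps this correct when the baseline is empty.
    diffs=$(awk -v oldfile="$2" '
        FILENAME == oldfile { old[$2] = $1; next }
        {
            if (!($2 in old))        print "ADDED " $2
            else if (old[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$now" | sort)
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Typical use on the test drive:
#   take_baseline /opt/tools baseline.txt      # before installing the new tool
#   ... install and run the tool ...
#   compare_baseline /opt/tools baseline.txt   # anything outside the tool's own
#                                              # directory deserves a close look
```

Run the baseline over the whole test partition, not just the install directory; the interesting findings are files dropped into system directories, startup locations, or existing binaries that change hash when the installer had no business touching them.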

Software

Standard operating system choices are Windows NT/2000, Linux (or some other x86 UNIX-type system), and Windows 95/98/ME. Each operating system has its advantages and disadvantages. Often users are committed to their operating system of choice and stick to it. It is okay to use the operating system you are most comfortable with, but you should be aware of all your options. The operating systems we use for penetration testing need to be configurable, flexible, and able to support the tools we need to use. Often you will need to use multiple operating systems. Some tools support only UNIX, while others support only NT or Windows 2000. When attacking Windows NT, an NT or Windows 2000 system is needed to perform native NT commands and to use resource kit utilities. Similarly, UNIX systems are necessary to use some of the native UNIX commands when testing UNIX.

We have found that many penetration-testing tools do not work in a Windows 95/98/ME environment. In addition, Windows 95/98/ME lacks many of the networking capabilities we want to use, such as the NT NET commands. Few programs require a Windows 95/98/ME environment, and we say so explicitly when one does. The Windows 95/98/ME configuration works well for home systems and for users who don't want to interact with the underlying components of system operation.

Windows NT Workstation

On the NT platform, we use programs that make information retrieval much simpler. The functionality built into NT for network usage, NetBIOS, and TCP/IP makes it easily configurable. Using NT enables you to access the NET commands (net use, net time, and so on), which offer most of the basic information we need to start a penetration test against NT systems.

The Windows NT Resource Kit contains a wealth of tools that can be used to obtain information from target systems. The tools included are designed to make network administration easier. However, whenever you make network administration easier, you simultaneously run the risk of reducing network security. Many of our attacks take advantage of resources introduced by the NT Resource Kit, such as Remote and Server Manager. It can be relatively easy to get command line access, but the Resource Kit is needed to jump further into the network. (We dissect the Resource Kit in depth in Chapter 16.) There are resource kits for both Workstation and Server. Either one will be sufficient, but if you are running Windows NT Workstation, the resource kit for Workstation will provide many of the server programs you'll need.

Linux

Most of the tools coming from the “black-hat” community are designed to run on Linux or another UNIX flavor. This makes understanding UNIX commands and functionality a required skill set for penetration testing. Solaris x86, Debian, FreeBSD, and OpenBSD are popular operating systems for testing as well. Install and run each operating system and use the one that matches your tastes and preferences.

We have found a dual-boot system running Red Hat Linux and Windows NT Workstation 4.0 to be a good mix for our needs, since it lets us use both the NT-specific and the UNIX-specific tools. Together they offer the functionality and flexibility to reach the information we need. Windows NT Workstation is also required for some commercial scanners that will not run on Windows NT Server.

A notebook computer with a dual NT/UNIX boot gives you the features and functionality of both operating systems without having to carry two computers. Load the NT Resource Kit for Workstation on the NT partition and add the tools presented in this book as needed. Several methods and software packages let you keep more than one operating system on a single machine, including Boot Magic, System Commander, the LILO boot manager (Linux), and VMware (which runs one system inside the other rather than booting between them; see below). Any of these can achieve the desired boot options. Boot Magic and System Commander are relatively easy to install and configure; both require you to partition your hard drive with a separate partition for each operating system. Partitioning is not difficult, but it reduces the space available to each operating system. Partition Magic is a popular product for "on-the-fly" disk partitioning, and it comes with the Boot Magic multiple-operating-system boot menu. Make sure your hard drive is large enough to be partitioned for two operating systems. A 6GB drive provides more than enough room for the systems themselves, but the additional software greatly reduces the available space, and scan output and reports crowd it further. We have found 10GB hard drives to be sufficient for now.

One disadvantage of partitioning the drive and using Boot Magic or System Commander is that you must reboot each time you change operating systems. Rebooting is time consuming, but in return the operating system you boot has full use of the system's hardware and processing power.

VMware

VMware enables you to run Windows NT and Linux simultaneously by creating a "virtual machine" under a host operating system, so you reap the benefits of both without constantly rebooting. If you run VMware from within Windows NT, a window pops up showing the virtual machine booting; everything from the memory check to the operating system choice is displayed in that window. The same holds if you boot Windows NT from within Linux. The window can be made full screen for ease of use, and the ctrl-alt-esc key combination switches the mouse between the virtual machine and the host operating system, letting you move back and forth to use specific tools. This functionality is not without its downside. The memory you assign to the guest is taken from the host: with 128MB of RAM split evenly, each operating system is left with 64MB. The added load on the processor also makes each operating system run noticeably slower. During the discovery phase of a penetration test this trade-off can be worth it. As you target specific systems, however, it is generally best to launch the test from a laptop running the same operating system as the target, and you may not need the dual-operating-system capability that VMware provides.

When VMware is using bridged networking, the host and the guest appear as separate computers on the network: each binds its own IP address through the network interface card, and a scan from the network shows two hosts. Keep this in mind when configuring the many tools that ask for your IP address in order to receive return traffic. Users often enter the IP address of the other operating system by mistake, causing an attack to fail silently and leaving them to spend time figuring out why.

Unfortunately, VMware is not free. At the time of this writing the list price for the product is approximately $299. A student/hobbyist license is available for $99, and you can obtain a free 30-day evaluation license to try the product. You can purchase VMware directly from www.vmware.com.

Installing and configuring VMware is relatively simple, and the instructions and documentation are detailed. Essentially you need a system with Windows NT, Linux, or Windows 95 loaded as the host. You install VMware on that partition and then create guest "virtual operating systems", each stored as a directory in the host file system. The configuration wizard guides you through the installation and configuration of each guest. Remember, you need a valid license for each operating system you install. Once VMware and your guest operating system(s) are configured, you can power the virtual machine on and off and switch to whichever operating system you wish to use. You install software on each guest just as if it were the native system: select the guest in VMware and load the software as you normally would. Installation utilities bundled with VMware can assist you in installing a new guest operating system.
