What security programs would be on your dream Live-CD?
I was going to write a post about Samurai Web Testing Framework but someone already beat me to it. It’s a good post so I wanted to pass along the link. I really hate seeing the same topic covered the same way over and over again.
Instead I am going to talk a little about the idea of making your own Security Live-CD. Samurai WTF was the first Live-CD I have used that was built on Ubuntu. I have been using Ubuntu since 5.04 and was really happy to see a familiar GUI. I noticed that Samurai WTF is essentially Ubuntu with a bunch of cool web pen-testing programs preloaded and Firefox preloaded with some cool web pen-testing add-ons, and it is the best-themed Live-CD bar none.
This got me thinking about an article I read earlier this week at Linux.com about a program called Ubuntu Customization Kit (UCK). With UCK you can take an existing install of Ubuntu, Kubuntu, Edubuntu or Xubuntu and create your own pre-configured Ubuntu Live-CD. Just like Samurai WTF and even BackTrack (except BT uses Slax).
I started thinking about how I would like to have one Live-CD that did it all to use in the Network Security classes I teach. I like BT and I am really starting to like Samurai WTF. But what if I had one Security Live-CD that had all the programs I need and none of the ones I don’t? I could give it to my students when they start the Network Security degree program and they could use it through the track.
My point is that most security-related Live-CDs have programs installed that aren’t used by most people. So I want to use this post to get some reader feedback. My question to you is this:
What Linux-based security programs would you like to see in a Live-CD?
Please post in the comments the programs, and links to the programs, you feel are the most important to have on a Security Live-CD.

There are 5 Comments to "What security programs would be on your dream Live-CD?"
Well now I have to choose between Linux, Windows, etc – and not all programs work equally well on all platforms. Windows and other commercial OSes have to be licensed. It’s too hard to make one decision, and to teach a class, I think you really need to have at least a modern Linux like Ubuntu along with Windows XP. But there are also tools that are Mac OS X specific (or work differently), or possibly FreeBSD or even OpenBSD.
I wish somebody would make a bootable DVD (or large USB flash disk) that ran Ubuntu Server. However, what would be different/unique about it is that it would also have virtual-machines using Xen guests for Windows XP and OSX86. To tie it all together, there would be an installation of LTSP. LTSP would let you switch between Linux, Windows XP, and OSX86 by using ALT+F1/F2/F3. Then all of the laptops that had native PXE support could just boot into this environment. Those with no PXE support could be given a boot CD/DVD/USB.
In this way, you could teach Burp Suite and Ratproxy under Linux, with Pangolin, Paros, Grendel-Scan, and ProxyStrike under Windows XP, and Proxmon with Pantera under Mac OS X.
It would be nice to have most OSes with standard defaults and very little installed — in order to build on the strengths. For example, Mac OS X 10.5 Leopard comes with Ruby on Rails — so any Ruby programs could be demonstrated on that platform. Of course, Linux and OSX can run .NET managed code with Mono, but why not show off those tools under Windows XP?
There are some great tools for WEP cracking under Windows now (e.g. CommView for WiFi and Aircrack-ng GUI), yet Linux stands to be the champion for WPA attacks for at least another year. I like to use the best tool for the job, and often that means the easiest tool that does most of the configuration and setup work for me, but yet is still highly configurable when I need it to be.
I’d want to show off a lot of application penetration-testing tools such as Fortify and Acunetix demos. This is probably best done under Windows, too.
Certainly, I could come up with some long list of tools (although I suggest checking out past blog posts on my blog, tssci-security.com), but LTSP lets you do a lot more than just enumerate tools for one platform.
If Ubuntu and Xen don’t float your boat, maybe the Ultimatedeployment project will – http://www.ultimatedeployment.org
Cheers!
@Andre Gironda: I was thinking more along the lines of a Linux Live-CD. As you mentioned, costs start adding up when you add Windows and OS X to the list. You make several good points about using tools in their native environments. Even though some tools are supported on multiple platforms, they seem to work best on the ones they were built on.
At this time I don’t cover any OS X material. I should add it into my lectures. But due to the college budget, I don’t expect to see Apple hardware making it into our Windows/Linux lab unfortunately.
I really like your idea about the Linux Server running Xen from a DVD or USB. I will need to play around with that idea. I’m not sure about making it portable though. That would be the actual hard part. Also it would need to work out a way to get Windows and OS X installed, registered and validated for updates.
I’m a big fan of the BSD stuff. I use OpenBSD and FreeBSD for infrastructure type roles. For some reason I feel it’s easier to harden a BSD system, and keep it that way in critical infrastructure roles. I didn’t really get into the client-side use until David Hulton released BSD-Airtools.
Thanks for dropping some names on the programs you use. I am new to the Web Application Security field. I have recently been forced into learning about web application pen-testing due to some recent issues. But that is a future post.
On a side note I found your blog about a year ago. You and Marcin have some great content. I’m still digging in your archives. Thanks for the great comment and for visiting.
@ Thomas:
Hey, man – no problem! Thanks for posting about this and giving me some great ideas.
Now I have all of these ideas running through my head. For example, ReactOS could be used in place of Windows XP to avoid the licensing issues, although it somewhat defeats the purpose of using Windows natively.
It appears that even with SBS2k3 or SBS2k8, one would still need two servers to run Windows Terminal Services. This just ups the resource requirements. I wonder if anyone has got Terminal Services and SBS2k3 running simultaneously on one server instance.
Although this could probably be done on some sort of portable server you bring into environments, especially for teaching. LTSP could allow PXE-booted clients to switch between Linux FreeNX and Windows Terminal Services as if both are running on all clients at the same time. I still don’t know how to best add Mac OS X into this mix, it appears that Mac OS X just doesn’t play very friendly with the thin-client concept. Theoretically, I guess Netboot on MacBooks could be used, but that’s just another server you’d have to run.
I’ve seen LTSP setups, and I highly recommend using them if the goal is to learn many concepts that bridge OSes.
What you said about BSD-airtools is interesting, albeit it’s sad to see the tools a bit outdated now. I don’t think I had ever considered BSD on the client-side until that point either. It’s funny that I use Windows for cracking WEP almost exclusively now (CommView for WiFi, Wireshark with mergecap, and Aircrack-ng-1.0-rc2 GUI). Back when WEP cracking tools were coming out, I would burn several CDROMs and DVDs, including Auditor and FreeSBIE. I found dstumbler with bsd-airtools to be the more stable and user-friendly, even over Kismet at the time. However, aircrack-ng-1.0-[beta|rc][12] and tools such as pyrit.googlecode.com make many WiFi attack tools a thing of the past.
Actually, Karmetasploit looks very interesting – I have not had a chance to try it yet, even though I’ve known about it for months. It would make for a great LiveUSB/CD/DVD concept.
@Andre Gironda: Me too. I was up till midnight last night. I’m going to see if I can get a setup going like you mentioned. I nuked one of my boxes at home, loaded Ubuntu 8.04.1 Server (development) and I’m trying to get Xen running today.
I think you’re the third person in 10 years to mention ReactOS. I just told my students about it last mod. I remember reading about it in Linux Journal or something years ago. Nobody knew that someone was working on a project like that. I was surprised to know it was still alive. Downloading it now, going to see if I can get it running on Xen. I checked and it shows supported by Xen.
I have looked into LTSP and that seems very interesting. The PXE stuff is new to me. I know what it is but never worked with it. Need to Wikipedia that one sometime.
I think with all the other Church of the Wifi stuff and his FPGA biz the BSD-airtools have been left for dead. It was great to have back in the day. I wish I would have taken the chance to meet some of those guys from Dachb0den. They always had the meets on nights I was teaching.
Karmetasploit seems pretty nice. I have a student doing a presentation on the Jasager project – Karma on the Fon. I don’t have enough time to spend on MSF as I would like. I’m still learning db_autopwn and other basics.
I’ll post an update once I know how far I get with my project. I’ll be sure to include you in the credits.
@ Thomas:
Wow, I’ll be happy to hear how far you go with LTSP or ReactOS with Xen.
When I look at the OpenCiphers project, I immediately get excited to hear about external processors that are capable of improving cracking of BT, WPA, and FileVault keys.
However, it appears that some clever people are now working on using the GPU of video cards through the NVIDIA CUDA API to attack security protocols. I found this running code a few days ago, but I’ve yet to try it as I don’t have the hardware on hand (although I plan to test it out this weekend). Check out the project (previously mentioned in my last post) at http://pyrit.googlecode.com
Thanks for the pointers to the Jasager project. db_autopwn is well documented (more in a second). What I find interesting about Metasploit 3 is the use of Ruby mixins. Valsmith mentioned mixins in the BlackHat 2007 talk on Metasploit, and more information about it (and db_autopwn) is available in the Syngress Press title, “Metasploit Toolkit”.
There’s even more to read from Dean on the carnal0wnage blog about the FileFormat mixin
http://carnal0wnage.blogspot.com/2008/08/metasploit-and-file-format-bugs.html