When you mention hacking in the general public, the image most people think of is a nerdy guy breaking into a computer system from his bedroom. This month, I take a look at some of the tools available to do exactly that. Of course, this is for information purposes only, so please don't do anything nasty. Remember, with great power comes great responsibility. Most people have heard of tools like Nmap or Nessus, but here I look at some other available tools for playing with networks.
The granddaddy of network utilities is tcpdump. This utility simply listens to all network traffic going by and records the packets for later analysis. If you have more than one network interface, you can select which one to listen to with the option -i interface. By default, tcpdump puts your network card into promiscuous mode, so it can record all packets that exist on the network cable. If you want to limit the packets recorded simply to those destined for your machine, use the -p option to turn off promiscuous mode. Lots of options are available to tcpdump, so check out the man page for more details.
Say you want to find out what machines exist on your network. Several tools can do this by actively sending out queries on the network. The problem with this technique is that you end up creating traffic on the network, which may be noticed by a good network administrator. A way around this is to use the tool p0f. This utility uses passive techniques to try to guess what machines exist on the network and properties about those machines. If you have more than one network interface, you can select which interface to use with the option -i interface. p0f can work with tcpdump files. If you have a tcpdump file that you created earlier, you can make p0f use it rather than live capture with the -s file option. You also can use p0f to record network traffic into a tcpdump file with the -w file option. If you're using p0f in a script, use the -o file option to dump the output into a text file for later perusal.
By default, p0f looks only at network packets that are addressed to the machine where it is running. To look at all the packets that go by on the network, you need to set the card into promiscuous mode with the -p option. By default, p0f sees machines only when they open new connections. You can try to guess what's going on with already-opened connections with the -O option. This option can generate a lot of data, so you probably won't want to use it for an extended period of time.
More and more often, machines actually are located behind routers and NATs, so they don't really show up as individual machines. You can try to identify these types of machines with the -M option. This uses the masquerade-detection algorithm to try to identify individual machines in these situations.
Once you know what machines exist on the network, you may be interested in what traffic is traveling to those machines, as well as who is generating this traffic. You can use dsniff to see the user names and passwords being used to access services on the network. It can handle many different protocols, such as FTP, HTTP, POP, IMAP, X11 and many others. You can tell dsniff on which interface to listen with the -i interface option. Like most network tools, you can read previously recorded network data with the -p file option. Alternatively, you can use dsniff to record the network data rather than parsing it with the -w file option. You can enable automatic protocol detection by using the -m option. This can give you some of the gory details about people on your network.
Now that you know some details about your network, and the people on it, you may want to check the security of some of the services provided. One common target for security problems are Web servers. You can use the nikto tool to assess your Web server's security. Select the host with the -h hostname option. If you have a series of hosts you want to check, place the hostnames (or IP addresses) in a text file, and hand them to nikto with the -h file option. The default port nikto looks at is port 80. If you want to check out a Web server on some other port, simply use the -p port option. Tons of extra options exist in terms of what specific security issues to test for, far too many to mention here. See the manual at the project's home page for more information (cirt.net/nikto2).
The hack I cover this month is how to check your own backyard. Many people will use this kind of knowledge for nefarious purposes. A utility you can use is chkrootkit. This utility analyzes your systems and tries to determine whether they've been tampered with. You can get a list of the tests it can perform with the -l option. With the standard install on my Ubuntu box, chkrootkit has 69 available tests. You can check things like whether ls has been infected, or you can check for evidence of rootkits that may have been installed. Hopefully, you won't find anything when you run chkrootkit.
Now you have a few new tools you can use to play around with your networks. Hopefully, you won't find anyone doing anything nasty. And remember, if you are going to use these tools, be sure you have permission before you do anything that might be frowned on. Other than that, hack away and keep learning.photo credit: © Štepán Kápl/Shutterstock