

Tools of the Trade: Part 1

by Carl Constantine

In my previous articles, Beyond Firewalls and Securing your Home Network, I covered some basic security principles and touched on other broader administrative issues.

Now, in this short series of articles, I'm going to delve deeper into Linux security and discuss protective measures such as VPN systems and Tripwire. Even though I'm aware of the many different security analysis tools out there, I'm not experienced in every one of them. I will, however, be covering the tools that have been successful for me. And I'm adding new tools all the time.

In some cases, I've picked from the most popular tools available. Other times I've selected options that clearly illustrate the points I'm trying to make. In any given instance, there may be better choices for a task, but the tool I select will certainly get the job done. I'm an advocate of the "use what you want to accomplish the task" philosophy.

Before I get to the actual tools, however, I need to put on a different hat ... a black hat.


To stop mischievous crackers -- more commonly called "black hats" in the security community -- from breaking into your network, you must learn the same tactics that they know, and become familiar with the same tools that they use. It helps to think like they think. Why, you ask? It's better to be the first person to find a hole in your security, before your network is compromised by someone else.

So even though we're going to spend our time covering the various tools available for the Linux system administrator, I don't want you to forget to put on the black hat every now and then and look closely at your network from the outside.

Tools! Tools! My kingdom for tools!

When talking about tools for security analysis, you're actually talking about two different things. Security analysis includes not only the actual programs you may use to track down an attacker or discover what he's done to your system, but also the systems and procedures you put in place for tracking attackers down.

In the first category, there are many programs to choose from. For this series of articles I'll cover: nmap, tcpdump, Ethereal, snort, syslog, and Tripwire. Because I only have a short amount of space here, I won't go into great detail on any one tool. I'll leave that for you to pursue depending on which tools strike your fancy. But I will provide a brief overview and some samples of exactly what you can do with these tools.

As for the "procedural tools," let's take a look at honey pots.

Honey pots

One very popular way to learn how black hats think, and to find out what script kiddies are up to, is to set up a system (or a network) that is specifically designed to let the attacker in, preferably without the attacker knowing he's being watched. This system is called a honey pot.

Why a honey pot? The saying goes that you can attract more flies with honey, and the analogy holds: you attract more would-be attackers if you have a system that at least looks vulnerable to exploit. Generally the honey pot is set up with various tools: Tripwire; syslog configured to send logs to a remote host and to hard copy as well as keeping them on the system (you at least have to let the intruder "think" he has covered his tracks when he deletes the log files, right?); and other tools such as snort (which I will cover in a later article) to monitor the attacker's movements.

Additionally, you may deliberately leave patches for known security issues off a honey pot, simply to learn how one of these holes gets exploited.

To this end, there are many sites on the Internet devoted to creating the "perfect honey pot." However, I'm only going to point you to the one I believe is the best, The HoneyNet Project. The HoneyNet Project grew out of a series of articles called "Know Your Enemy." They are archived on the project's web site. These are excellent articles, and I highly recommend them to anyone who's interested in building a honey pot or just learning about practical security issues.



The nmap network mapper is one of the premier tools you can use to detect problems on your network. nmap isn't an analysis tool per se; rather, it's a port-scanning tool. You can get nmap in either tarball or RPM formats. nmap is written by "Fyodor" (sorry, that's all the name provided) and continues to be actively developed and maintained. However, don't be fooled by its simple appearance. Under the hood there's much more than just a port scanner.

Using nmap you can ping scan (determine which hosts are up), port scan (determine the services available on a particular host), and perform TCP/IP fingerprinting (remote host operating system identification). nmap also performs decoy scanning, SunRPC scanning, reverse-identd (identification daemon) scanning, and more.

nmap itself is a console-based tool. However, included in the package is one of two existing graphical front-end clients for nmap. NmapFE was written by Zach Smith using the GTK+ widget set but is now maintained by Fyodor himself. The second front end is KNmapFE written by Ian Zepp for KDE. If you use KDE, you can download KNmapFE.

Well, even though I can talk about nmap until I'm blue in the face, let's look at a session. Here, I'm running a scan against the machines on my home network. My home network consists of only three computers: my primary Linux box (Mallard), my iMac, and my firewall. View this session here.

Let's look at what's happening on the command line.

-O activates remote host identification via TCP/IP fingerprinting, using various techniques to detect subtleties in the network stack of the operating system on each computer you are scanning. The "uptime" test is also performed with this scan. nmap uses the information it gathers to "fingerprint" the system and determine the OS. If nmap cannot determine the OS, it provides a URL to which you can submit the fingerprint.

In my example above, nmap was unable to determine that my primary machine is running Storm Linux (a Debian variant). For the iMac, nmap reported too many matching fingerprints. Finally, for the last machine, my firewall, nmap was able to determine the OS correctly. It also shows that Mallard has been up for 17 days and my firewall for 49 days. This kind of information can be very valuable to a would-be attacker.

-sS is a TCP SYN scan. This scan doesn't open a full TCP connection. Instead it sends a SYN packet, as if you were going to open a real connection, and waits for a response. One main advantage of this scan is that few sites actually log it, because no full connection is ever established for the application to record. You need to be root to use this scan.

In my example above, nmap shows all the open ports on Mallard, no open ports on the iMac, and that my firewall has very few ports open.

P.S. Don't let the open telnet port on my firewall fool you. Telnet can only be reached from the internal IP, not from the external interface.

The last argument tells nmap to scan all 256 possible addresses in that IP range.
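Here is an added example, written for this article rather than taken from it or from nmap, of what an admin does with the scan once it finishes: parse nmap's normal text output and compare each host's open ports against the ports it is supposed to expose, so you are the first to notice a stray service or a stack that gives away its OS and uptime. The sample output is constructed in the style of nmap's output for the three hosts above, and the baseline policy is invented for the example.

```python
import re
# Constructed sample in the style of nmap's normal text output for the three
# hosts the article scans; the ports, OS guesses and uptimes are made up here.
SAMPLE_SCAN = """\
Interesting ports on mallard (192.168.1.2):
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
6000/tcp   open        X11
Remote operating system guess: Linux 2.2.14 - 2.2.19
Uptime 17.2 days (since Mon Mar  5 09:14:02 2001)

All 1523 scanned ports on imac (192.168.1.3) are: closed

Interesting ports on firewall (192.168.1.1):
Port       State       Service
23/tcp     open        telnet
53/tcp     open        domain
Remote operating system guess: Linux 2.2.14 - 2.2.19
Uptime 49.5 days (since Wed Jan 24 02:31:55 2001)
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
OS_RE = re.compile(r"^Remote operating system guess: (.+)$")
UPTIME_RE = re.compile(r"^Uptime ([\d.]+) days")

def parse_nmap(text):
    """Map host name -> {"ip", "ports": {port: service}, "os", "uptime"}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):            # a new host block starts
            cur = hosts[m.group(1)] = {"ip": m.group(2), "ports": {}, "os": None, "uptime": None}
        elif cur is None or not line.strip():   # outside a block, or a blank line ends one
            cur = None
        elif m := PORT_RE.match(line):
            cur["ports"][int(m.group(1))] = m.group(3)
        elif m := OS_RE.match(line):            # what -O could read off the stack
            cur["os"] = m.group(1)
        elif m := UPTIME_RE.match(line):
            cur["uptime"] = float(m.group(1))
    return hosts

# Ports each host is meant to expose: a constructed policy for this example.
BASELINE = {"mallard": {22, 80}, "firewall": {53}}

def unexpected_ports(scan, baseline):
    """Open ports the policy does not allow: the holes to find before an outsider does."""
    extra = {h: sorted(set(i["ports"]) - baseline.get(h, set())) for h, i in scan.items()}
    return {h: p for h, p in extra.items() if p}
```

Hosts with no open ports never get an "Interesting ports" block, so they simply drop out of the result; the telnet port on the firewall shows up as unexpected because the policy says only DNS should be reachable.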

Let's shift a bit and use NmapFE. In this example, I'm explicitly scanning my firewall. I'm also scanning a range of ports, 1-1024 only, and not the full gamut.

The nmap display window.

The nice thing about NmapFE is that it shows you the command you're creating on the command line. If you're not accustomed to using command-line tools, a GUI front end that shows you the command-line equivalent like this can be very valuable.


Let's look at one more tool, Ethereal. Ethereal is a free network protocol analyzer for both Unix (GTK+) and Windows. It allows you to examine data from a live network or from a capture file on disk (very useful for analysis away from the target site).

Once again, Ethereal has a plethora of programmers who constantly keep it in tip-top shape. You can download Ethereal here.

Ethereal allows you to "capture" or "sniff" a TCP session right off the network. On a shared Ethernet segment, when a packet is sent from one machine to another, it arrives at its destination, but it also passes every other machine on that network or subnet, and any of them can read it. Let's look at a TCP session between myself and a temporary box I set up on my internal network.

Screenshot: Ethereal's packet list for the telnet session between Mallard and the temporary box.

Here's a telnet session happening between Mallard and the other system. I can click on any line to take a look at the captured data. Some of the data shown is my keystrokes going out; some of the data is the response coming back. Notice what's showing in this screenshot. I, as the potential attacker, am just waiting for someone to type in their password. In fact, it's captured just a few packets down the line. If you've never been scared into not using telnet, you are about to be now.

Ethereal has some great functionality. One feature I particularly like is the Follow TCP Stream option in the Tools menu. Using this option on the captured session, let's see what we can find.

Screenshot: the Follow TCP Stream view of the captured telnet session.

OOOOPPPSS!! I've now acquired the root password for this machine simply by monitoring the TCP traffic on the network. The blue text is the response text from the remote system. The red text is what was sent to the server.

For the sake of argument, let's look at that exact same session, but this time I'm using Secure Shell (SSH) instead of telnet.

Screenshot: the same session captured over SSH.

There's a big difference in what can be gathered: if admins and users would just use secure communications instead of relying on insecure technology, the sniffer sees only encrypted traffic.
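The Follow TCP Stream feature used above, and the telnet-versus-SSH comparison, as an added Python example that is not code from the article or from Ethereal: it reassembles each direction of a conversation from its segments and then uses that, the way an admin auditing a capture would, to flag logins whose password crossed the wire readable. The packet records are constructed, not taken from the screenshots; the telnet one sends each keystroke in its own segment, as telnet really does.

```python
from collections import defaultdict

# Constructed capture records, (src, dst, sport, dport, seq, payload); not from
# the article's screenshots. Telnet sends each keystroke in its own segment, so
# the password crosses the wire one character at a time (here partly out of order).
TELNET_SESSION = [
    ("10.0.0.9", "10.0.0.5", 23, 1034, 500, b"login: "),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 1, b"r"),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 2, b"o"),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 4, b"t"),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 3, b"o"),      # arrived out of order
    ("10.0.0.5", "10.0.0.9", 1034, 23, 5, b"\r\n"),
    ("10.0.0.9", "10.0.0.5", 23, 1034, 507, b"Password: "),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 7, b"s"),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 8, b"3"),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 9, b"cret"),
    ("10.0.0.5", "10.0.0.9", 1034, 23, 13, b"\r\n"),
    ("10.0.0.9", "10.0.0.5", 23, 1034, 517, b"Last login: Mon Mar  5 09:14\r\n# "),
]
# The same login over SSH: only the version banners are readable, the rest is ciphertext.
SSH_SESSION = [
    ("10.0.0.5", "10.0.0.9", 1035, 22, 1, b"SSH-2.0-constructed\r\n"),
    ("10.0.0.9", "10.0.0.5", 22, 1035, 1, b"SSH-2.0-constructed\r\n"),
    ("10.0.0.5", "10.0.0.9", 1035, 22, 22, bytes.fromhex("a3f09c1e7b44d2e0")),
    ("10.0.0.9", "10.0.0.5", 22, 1035, 22, bytes.fromhex("5d0e77b1c0ff9a13")),
]

def follow_tcp_streams(packets):
    """Rebuild each direction of every conversation the way Follow TCP Stream does:
    group segments by (src, sport, dst, dport), order by sequence number, join payloads."""
    by_dir = defaultdict(list)
    for src, dst, sport, dport, seq, data in packets:
        by_dir[(src, sport, dst, dport)].append((seq, data))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in by_dir.items()}

def cleartext_logins(packets, cleartext_ports=(23,)):
    """Audit a capture for logins on cleartext services: a server on such a port sent a
    password prompt and the client answered it, so the credential was readable on the wire."""
    streams = follow_tcp_streams(packets)
    findings = []
    for (src, sport, dst, dport), data in streams.items():
        if sport in cleartext_ports and b"Password:" in data:
            answer = streams.get((dst, dport, src, sport), b"")
            if b"\r\n" in answer:                 # the client really typed a line back
                findings.append(f"{dst}:{dport} -> {src}:{sport} password sent in the clear")
    return findings
```

Run over the SSH records the audit finds nothing, because the prompt and the answer are both inside the encrypted payload.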

Ethereal is much more powerful than what I've shown here. I encourage you to take a look at it and even use it on your network. If you're not the admin, bring these issues to the admin and to management. I'm sure they don't want everything from their passwords to budgetary data sniffed by Joe User in the company.

Avoiding being sniffed

One way you can avoid this kind of breach is to deploy a switched network. In a switched network, when the source machine sends a packet to another machine on the network, that packet goes only to that one machine. A malicious user can't simply sit on the segment and monitor everyone else's traffic.

However, that being said, if the attacker was able to set up a remote monitoring session on a machine, or if he is monitoring traffic to his own machine, then a switch will not help. The above session was captured on a switched network simply because I was running Ethereal on the source machine.


Further reading:


  • Network Intrusion Detection, 2nd Ed. (New Riders) ISBN: 0-7357-1008-2
  • Intrusion Signatures & Analysis (New Riders) ISBN: 0-7357-1063-5
  • Maximum Linux Security (SAMS) ISBN: 0-672-31670-6
  • Linux Network Administrator's Guide, 2nd Edition (O'Reilly) ISBN: 1-56592-400-2
  • Practical Unix and Internet Security (O'Reilly) ISBN: 1-56592-148-8
  • Running Linux, 3rd Edition (O'Reilly) ISBN: 1-56592-469-X
  • Linux System Security (Prentice Hall) ISBN: 0-13-015897-0


This is just the tip of the iceberg: There's a lot more to cover. Stay tuned for the next installment where I'll talk about syslog, tcpdump, and Tripwire.

Carl Constantine works for Open Source Solutions, Inc. as a Linux Trainer and Programmer.
