December 20, 2004 12:00 AM

The Auditor Security Collection

Your portable security toolkit
Windows IT Pro
InstantDoc ID #44648

Finding the right utility or tool can shave a significant amount of time and effort from a given task or even let you complete tasks that would otherwise be impossible. Many of us have discovered our favorite tools by word of mouth or while looking for the solution to a particular problem. But as you know, finding a great tool is only half the battle: You must then download and install it, learn to use it in your environment, and figure out how to fit it into your existing security toolkit.

Why not let someone else collect and configure several worthwhile tools into a ready-made, portable toolkit? Many savvy administrators are doing just that. Numerous toolkit developers and organizers build bootable CD-ROM toolkits on Linux, which lets them customize the OS around their chosen suite of tools. One such kit is the free Auditor security collection, a set of security tools and utilities organized into the following categories: Footprinting, Scanning, Analyzing, Spoofing, Bluetooth, Wireless, Bruteforce, and Password cracker. If you haven't yet created a security toolkit, Auditor is a great place to start. Those who already have a kit will find it an able, easy-to-use platform, with a few caveats (be sure to read the sidebar "Before You Begin").

Downloading the Toolkit
Download the most recent version of the Auditor image from http://www.remote-exploit.org and burn the image to a CD-ROM. Auditor's organizers have based the collection on KNOPPIX, a popular bootable CD-ROM collection of GNU and Linux software that supports automatic hardware detection and popular graphics cards; sound cards; Advanced Configuration and Power Interface (ACPI), SCSI, and USB devices; and other peripherals. (Visit http://www.knopper.net/knoppix/index-en.html for more information about KNOPPIX.)

Next, boot the Auditor CD-ROM on a computer whose BIOS can boot from CD-ROM. Auditor runs entirely from the CD and RAM and doesn't touch the host system's hard disk unless you deliberately mount it and write to it, so when you finish running the program, simply remove the CD-ROM and reboot the computer to return it to its regular OS and configuration.

Auditor will ask you to specify the system's resolution (from 800×600 up to 1600×1200) and keyboard (e.g., American-US). The application will default to the Swiss-German keyboard mapping, so be sure to select the proper keyboard or your key mappings will be incorrect. Auditor's load time is fairly quick: only a minute or two on a 2.4GHz Pentium 4 system. After loading, Auditor logs you in as the root user of a simple yet efficient X Window desktop interface, which Figure 1 shows. From this desktop, you can explore the collection's many tools (listed in Web Table 1, http://www.windowsitpro.com/windowssecurity, InstantDoc ID 44648, along with Auditor's additional applications and utilities) through the available menus or through a command prompt. You can access all the Auditor programs through the Go menu, which is an expanding directory structure similar to the Windows Start menu. From the Go menu, you can select from five top-level directories—Auditor, Applications, Utilities, Configuration, and Documentation—or you can select the Terminal option to open a window from which to invoke command-line tools.

Configuring Auditor
Each boot of the Auditor CD-ROM starts from the same pristine image, so nothing you configure survives a reboot. Therefore, you must reconfigure your network settings each time you boot Auditor. Happily, Auditor does a good job of keeping its configuration processes brief.

First, you need to configure the host system's NIC. To do so, expand the top-level Configuration directory and click Configure your network interface. This action launches a simple script that walks you through a basic network configuration. The first dialog box lists the NICs that Auditor detects; the second dialog box asks whether to use DHCP. These dialog boxes aren't as descriptive as some that I've seen in other Linux distributions, so if your system has multiple NICs, I suggest you collect each NIC's MAC address to use as a reference during the configuration process.

If the system has a wireless card, expand the Configuration directory and click Configure your wireless interface. Enter the Extended Service Set Identifier (ESSID)/Network name, the preferred channel, and the Wired Equivalent Privacy (WEP) standard encryption key. Be aware that Auditor doesn't support more sophisticated Wi-Fi technologies such as Wi-Fi Protected Access (WPA) and doesn't support all wireless cards, so be sure to check out the Auditor Web site for compatibility information. Also be aware that many of the scanning tools will function even when you don't associate your card with a wireless network.

After configuring your system's NICs, you can test your configuration by running some of Auditor's networking programs (e.g., a Web browser) or by running a network utility such as Ping. Many Linux network tools use the Libpcap packet-capture library, which lets applications capture raw frames from an interface and, in promiscuous mode, also frames addressed to other hosts. Essentially, Auditor has efficient, low-level access to any network traffic that your computer is tapped into. For example, after booting Auditor on my laptop, configuring the built-in Ethernet NIC, and plugging it into the network, I was able to begin sniffing packets in less than 5 minutes. Auditor's basic packet-sniffing programs—Tcpdump and Ngrep—worked out of the gate, with no additional configuration. To test your configuration, try capturing packets from your network by running Tcpdump from a command line:

tcpdump -i eth0

where eth0 represents your configured interface. Tcpdump puts the interface into promiscuous mode by default (unless you pass -p), so if you plug this interface into a hub or a switch port that has been configured to mirror network traffic, you should see not only traffic to and from your computer but also the traffic between all the other computers that the hub repeats or the mirror port copies. On an ordinary switch port, by contrast, you'll see only your own unicast traffic plus broadcasts and multicasts, no matter what mode the interface is in. Many of Auditor's more sophisticated tools rely on this functionality, so test it by running a basic program such as Tcpdump, and resolve any problems before you try out the other tools.
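The test above is easy to misread: a capture that shows packets is not proof that the hub or mirror port is delivering other hosts' traffic, because your own sessions, ARP and broadcasts will always show up. The following script, an added example written for this article and not part of Auditor or its tools, reads the standard tcpdump summary lines (captured with -n so that addresses stay numeric) and reports whether any IPv4 packets were seen that involve neither endpoint on the sniffing host. The interface name, the local address and the sample capture lines are constructed for illustration; the parsing assumes tcpdump's usual "timestamp IP src > dst:" line layout.

```shell
#!/bin/sh
# Added example (not from the article or the Auditor collection): decide from a
# tcpdump capture whether the interface is receiving traffic between OTHER
# hosts, i.e. whether the hub or mirror port delivers what the sniffing tools
# need, rather than only the packets addressed to this machine.
#
# Assumed input format (tcpdump -n, IPv4):
#   12:00:01.000001 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [S], ...
#   12:00:01.000004 IP 10.0.0.7 > 10.0.0.12: ICMP echo request, ...
# Non-IP lines (ARP, IP6, ...) are ignored.

# classify_capture LOCAL_IP  < tcpdump-output
# Prints "<own> <third_party>": packets with LOCAL_IP as an endpoint, and
# packets where neither endpoint is LOCAL_IP.
classify_capture() {
    awk -v me="$1" '
        # Strip the trailing colon and, for "a.b.c.d.port", the port field;
        # ICMP lines carry bare addresses, so only 5-part names lose a field.
        function host(s,  a, n) {
            sub(/:$/, "", s)
            n = split(s, a, ".")
            if (n == 5) return a[1] "." a[2] "." a[3] "." a[4]
            return s
        }
        $2 == "IP" {
            src = host($3); dst = host($5)
            if (src == me || dst == me) own++
            else third++
        }
        END { printf "%d %d\n", own + 0, third + 0 }
    '
}

# mirror_check LOCAL_IP  < tcpdump-output
# Prints a one-line verdict; returns 0 only if third-party traffic was seen.
mirror_check() {
    counts=$(classify_capture "$1")
    own=${counts% *}
    third=${counts#* }
    if [ "$third" -gt 0 ]; then
        echo "ok: $third packet(s) between other hosts, $own involving $1; the hub or mirror port is delivering traffic"
        return 0
    elif [ "$own" -gt 0 ]; then
        echo "only own traffic ($own packets): plain switched port, no mirroring, or the wrong interface"
        return 1
    else
        echo "no IPv4 packets seen: check the cable, the link state, and that $1 is this interface's address"
        return 1
    fi
}

# sniff_test IFACE LOCAL_IP [COUNT]
# Live use on Auditor (you are already root): capture COUNT packets on IFACE
# in tcpdump's default promiscuous mode and run the check on them.
sniff_test() {
    tcpdump -n -i "$1" -c "${3:-200}" 2>/dev/null | mirror_check "$2"
}

# Constructed sample captures (not real traffic). The sniffing host is
# 10.0.0.5. The first sample is what a working mirror port looks like: two
# packets of our own plus a DNS reply and an ICMP echo between other hosts.
SAMPLE_MIRRORED='12:00:01.000001 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [S], seq 1, win 5840, length 0
12:00:01.000002 IP 10.0.0.9.80 > 10.0.0.5.40000: Flags [S.], seq 2, ack 2, win 5792, length 0
12:00:01.000003 IP 10.0.0.12.53 > 10.0.0.7.33000: 1234 1/0/0 A 10.0.0.9 (44)
12:00:01.000004 IP 10.0.0.7 > 10.0.0.12: ICMP echo request, id 1, seq 1, length 64
12:00:01.000005 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28'

# The second sample is a plain switched port: packets flow, but all of them
# involve the sniffing host, so it proves nothing about the other tools.
SAMPLE_LOCAL_ONLY='12:00:02.000001 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [S], seq 1, win 5840, length 0
12:00:02.000002 IP 10.0.0.9.80 > 10.0.0.5.40000: Flags [S.], seq 2, ack 2, win 5792, length 0'

# Usage: ./sniffcheck.sh --live eth0 10.0.0.5   (runs tcpdump for real)
#        ./sniffcheck.sh                        (replays the constructed samples)
if [ "${1:-}" = "--live" ]; then
    sniff_test "$2" "$3"
else
    printf '%s\n' "$SAMPLE_MIRRORED"   | mirror_check 10.0.0.5
    printf '%s\n' "$SAMPLE_LOCAL_ONLY" | mirror_check 10.0.0.5
fi
```

Run it with --live and the interface you configured through the Go menu; if the verdict says "only own traffic", generate some activity from a second machine on the same hub or mirrored VLAN and capture again before blaming the tools.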

Comments
  • Anonymous User
    Apr 10, 2005

    VERY, VERY, Very... NICE :-))))

  • Anonymous User
    Apr 08, 2005

    great tool for people who know nothing about analysis..

    chances are that if you need to 'sniff' then you will already know how to get all these things installed.
