I’ve always used my MacBook or a Windows machine to perform network captures and analysis. The MacBook is still my preferred machine, but I am not leaving it anywhere, so capturing traffic is limited to while I am onsite. The Windows machine isn’t reliable enough to stay up long enough to be worthwhile, and all the security patches (which all require a reboot) create more of a hassle than it’s worth. Also, Windows uses CIFS, which means that Windows is unable to utilize even half the available bandwidth (this is fixed in Windows 7 from my understanding, but other issues with Windows 7 currently make it unavailable).
So what is the correct tool to use to capture network traffic and analyze it over a period of time? Answer: Ubuntu!
I found an old Dell Inspiron 6000 whose LCD doesn’t work anymore, but the VGA output works fine when connected to a monitor, so I am using that laptop as my network laptop. I plugged in an old Compaq 10/100 PCMCIA card that I will use for the regular network connection, which will also allow me to connect to the laptop remotely. I will use the built-in 1 Gig connection for my sniffer connection to a spanned port on the switch.
The first step was to insert the Ubuntu Desktop 9.10 CD and select Install when booted from the CD. I chose to erase the drive and selected the default partition scheme.
The installation takes about 15-20 minutes to copy everything from the CD to the hard drive, so it’s a patience/waiting game (hopefully you brought your MacBook with you so you have something to surf the internet with).
After the reboot, log in and click System – Administration – Update Manager (this will update all your packages with the latest security updates and will probably take about 15-20 minutes; good thing you still have your MacBook with you to surf the internet).
- Install Ubuntu Desktop 9.10 (20 min)
- Update packages (20 min)
- Install Darkstat
  - sudo apt-get install darkstat
  - sudo gedit /etc/darkstat/init.cfg
  - sudo /etc/init.d/darkstat start
- Install Wireshark
  - sudo apt-get install wireshark
  - (edit the Applications menu and change the properties for Wireshark to put gksu before wireshark; note that this runs Wireshark’s dissectors as root, so the safer habit is to capture with tcpdump and open the resulting file in Wireshark as a normal user)
- Install EtherApe
  - sudo apt-get install etherape
- Install ethstatus
  - sudo apt-get install ethstatus
- Reboot
- Install SSH
- Configure VNC
  - System – Preferences – Remote Desktop
- Install FTP server (vsftpd sends credentials and files in clear text; since SSH is already on the box, scp or sftp moves capture files without that exposure)
  - sudo apt-get install vsftpd
  - sudo gedit /etc/vsftpd.conf
  - sudo /etc/init.d/vsftpd start
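The Darkstat step above edits /etc/darkstat/init.cfg but does not say what to put in it, and the post never says how the span-port NIC itself should be configured. The script below is an added example, not code from the original post: it prints the commands that attach the sniffer NIC to the span port with no IP address and in promiscuous mode (so the laptop never answers ARP or transmits onto the mirrored segment), renders an init.cfg that listens on that NIC but binds the darkstat web UI to loopback only, and checks an existing config for those two settings. The interface names (eth0 for the built-in gigabit NIC, eth1 for the PCMCIA card), the port 667 and the init.cfg variable names are assumptions taken from the Ubuntu 9.10 darkstat package defaults, not from the page.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare the span-port NIC
# and render/check the darkstat config for it.
# Assumptions (not stated on the page): the built-in gigabit NIC is eth0,
# the PCMCIA management NIC is eth1, darkstat's web UI port is its default
# 667, and the variable names match Ubuntu 9.10's /etc/darkstat/init.cfg.

# Commands to attach the sniffer NIC to the span port: no IP address and
# promiscuous mode, so the laptop never answers ARP or sends anything onto
# the mirrored segment; all remote access goes through the management NIC.
sniffer_iface_cmds() {
    iface="$1"
    printf 'ifconfig %s 0.0.0.0 promisc up\n' "$iface"
    printf 'ifconfig %s -arp\n' "$iface"
}

# Render init.cfg: darkstat listens on the sniffer NIC but binds its web UI
# to loopback only, so the stats page is reached over an SSH port forward
# (ssh -L 667:127.0.0.1:667 user@laptop) instead of being open on the LAN.
render_darkstat_cfg() {
    iface="$1"; localnet="$2"; port="${3:-667}"
    cat <<EOF
START_DARKSTAT=yes
INTERFACE="-i $iface"
DIR="/var/lib/darkstat"
PORT="-p $port"
BINDIP="-b 127.0.0.1"
LOCAL="-l $localnet"
EOF
}

# Check an existing init.cfg. Returns 0 only if darkstat is enabled and
# the UI is bound to loopback; 1 if either is missing (the package default
# leaves BINDIP commented out, which binds the UI to every interface).
darkstat_cfg_ok() {
    grep -q '^START_DARKSTAT=yes' "$1" || return 1
    grep -q '^BINDIP="-b 127.0.0.1"' "$1" || return 1
}

# Usage (as root, after apt-get install darkstat):
#   sniffer_iface_cmds eth0 | sh
#   render_darkstat_cfg eth0 192.168.1.0/255.255.255.0 > /etc/darkstat/init.cfg
#   darkstat_cfg_ok /etc/darkstat/init.cfg && /etc/init.d/darkstat start
```

The LOCAL value uses darkstat’s network/netmask form for the -l option; set it to the subnet behind the span port so darkstat’s local/remote split is meaningful.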
Other Ubuntu network tools that should be loaded on your Ubuntu network analyzer desktop or laptop:
- Nessus – a powerful remote network security auditor, with a nice GUI. Nessus supports plugins and offers a usually current attack database. It also features useful scripting abilities, allowing you to automate many tasks. Install the nessus package using your favorite package manager.
- Nmap – the standard network mapper. Has a thousand and one uses. To install Nmap install the nmap package.
- Kismet – a wireless sniffing tool. Includes support for GPS mapping when used with the gpsdrive package. Install the kismet package from the Universe Repository.
- Chkrootkit – chkrootkit can be used to help determine if a machine has been compromised. While not what you should use for the ‘final word’ on if you have been compromised, it runs a lot of useful checks and can direct suspicions towards finding a solution. To install chkrootkit install the chkrootkit package.
- Rkhunter (Ubuntu 6.06 and above only) – another rootkit detection software. Install the rkhunter package from the Universe Repository.
- tiger – Tiger is a package consisting of Bourne shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. To install it together with the checkers it calls, run sudo apt-get install tiger chkrootkit john.
- GnuPG – also known as GPG, is an open source PGP replacement implementing the OpenPGP standard. Lacks support for IDEA, but is incredibly useful. Included by default. GnuPG will allow you to encrypt emails, digitally sign, and integrates well into the Evolution mail client as well as Thunderbird.
- Seahorse – a light-weight Gnome frontend for GPG, makes managing keys much easier. Install the seahorse package from the Universe Repository.
- Nemesis – a command-line based packet injection utility. Requires a bit of reading the documentation to get full use from. To install nemesis install the nemesis package from the Universe Repository.
- Tcpdump – while its name suggests that it works only for TCP, tcpdump also decodes UDP, BGP, NFS, and a lot of other packet types. It is a powerful network utility that should be in every admin’s toolbox, allowing you to pull in everything off the wire. In combination with Ethereal (now Wireshark) it doesn’t miss much. To install tcpdump install the tcpdump package.
- OpenSSH – OpenSSH almost singlehandedly stopped admins from using telnet, an insecure protocol. The OpenSSH client is installed by default. Generally you want to use SSH instead of telnet or rsh. In some situations, such as a large number of clients, you might want to pursue other options, such as telnet with SSL. To install the SSH server install the openssh-server package.
- denyhosts (Ubuntu 6.10 and above only) – scans your SSH logs to find brute-force attacks, and then blocks the IPs they came from. To install denyhosts install the denyhosts package.
- tracetcp – an excellent tool that doesn’t rely on ICMP for checking for open ports. You can also scan a range of ports (example, scanning ports 130 to 140: tracetcp 188.8.131.52 -h 3 -m 1 -p 1 -t 500 -c -r 130 140 -n).
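The tcpdump entry above says it pulls in everything off the wire, and the point of this laptop is to capture over a period of time; left alone, a single unattended tcpdump -w fills the old Inspiron’s disk. The script below is an added example, not code from the original post: it builds the tcpdump command line for a rotating, privilege-dropping capture on the span-port NIC, and a retention sweep that keeps only the newest N rotated files. The interface name eth0, the capture directory and the unprivileged user "capture" are assumptions for the example; the -G, -Z and strftime-in--w options are in the tcpdump 4.0 shipped with Ubuntu 9.10.

```shell
#!/bin/sh
# Added example, not part of the original post: a rotating long-term
# tcpdump capture plus a retention sweep so the laptop's disk never fills.
# Assumptions (not stated on the page): the sniffer NIC is eth0, and an
# unprivileged user named "capture" exists to own the pcap files.

# Build the tcpdump command line for an unattended capture:
#   -n    no DNS lookups (they would put the sniffer's own queries on the wire)
#   -s 0  full frames instead of the default snaplen
#   -Z    drop root to "capture" once the device is open
#   -G    close and reopen the output file every N seconds
#   -w    file name pattern expanded with strftime, one file per rotation
capture_cmd() {
    iface="$1"; dir="$2"; rotate_secs="${3:-3600}"
    printf "tcpdump -i %s -n -s 0 -Z capture -G %s -w '%s/cap-%%Y%%m%%d-%%H%%M%%S.pcap'\n" \
        "$iface" "$rotate_secs" "$dir"
}

# Keep only the newest $2 rotated files in $1 and print how many were removed.
# Run it from cron (e.g. hourly) alongside the capture; file names carry no
# spaces, so the word-split over ls output is safe here.
prune_captures() {
    dir="$1"; keep="$2"; removed=0
    for f in $(ls -1t "$dir"/cap-*.pcap 2>/dev/null | tail -n +$((keep + 1))); do
        rm -f "$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Usage (as root; the capture directory must be writable by "capture"):
#   eval "$(capture_cmd eth0 /var/lib/captures 3600)" &
#   prune_captures /var/lib/captures 168      # keep one week of hourly files
```

Each rotated file can then be opened in Wireshark as a normal user, or fed to darkstat’s offline mode, without ever running the GUI as root.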