Hacking For Beginners – Manthan Desai

2010

SARA (Security Auditor’s Research Assistant)

http://www-arc.com/sara



The Security Auditor's Research Assistant (SARA) is a third-generation Unix-based security analysis tool that supports the FBI Top 20 Consensus on Security. SARA operates on most Unix-type platforms, including Linux and Mac OS X. SARA is the upgrade of the SATAN tool. Getting SARA up and running is a straightforward compilation process, and the rest is done via a browser.

SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the HTTP protocol.

When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface.

When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network.

SARA can generate reports of hosts by type, service, and vulnerability by relationship. In addition, it offers tutorials that explain the nature of vulnerabilities and how they can be eliminated.

By default, the behavior of SARA is controlled by a configuration file (config/sara.cf). The defaults can be overruled via command-line options or via buttons etc. in the HTML user interface.

Linux Rootkits



One way an intruder can maintain access to a compromised system is by installing a rootkit. A rootkit contains a set of tools and replacement executables for many of the operating system's critical components, used to hide evidence of the attacker's presence and to give the attacker backdoor access to the system. Rootkits require root access to install, but once set up, the attacker can get root access back at any time.

Conventionally, UNIX and Linux have been known to have rootkits built for them, as the intruder is aware of the code. Here we will focus on rootkits that use the LKM, or Loadable Kernel Module.

A brief review: Rootkits appeared in the early 1990s, and one of the first advisories came out in Feb 1994. This advisory from CERT-CC addressed "Ongoing Network Monitoring Attacks" CA-1994-01, revised on September 19, 1997. Rootkits have increased in popularity since then and are getting increasingly difficult to detect. The most common rootkits are used for SunOS and Linux operating systems. Rootkits contain several different programs. A typical rootkit will include an Ethernet sniffer, which is designed to sniff out passwords. Rootkits can also include Trojan programs used as backdoors, such as inetd or login. Support programs such as ps, netstat, rshd, and ls are replaced to hide the attacker's directories or processes. Finally, log cleaners, such as zap, zap2, or z2, are used to remove login entries from the wtmp, utmp, and lastlog files. Some rootkits also enable services such as telnet, shell, and finger. The rootkit may also include scripts that will clean up other files in the /var/log and /var/adm directories. Using the modified programs of ls, ps, and df installed on the box, the intruder can "hide" his/her files and programs from the legitimate system administrator.

The intruder next uses programs within the rootkit to clean up the extensive log files generated from the initial vulnerability exploitation. The intruder then uses the installed backdoor program for future access to the compromised system in order to retrieve sniffer logs or launch another attack. If a rootkit is properly installed and the log-files are

www.hackingtech.co.tv

Page 88