Knoppix STD 0.1
security tools distribution

The good stuff first

Knowing that a tool exists is the first step to mastering it, so I created a specific directory for each set of tools under /usr/bin. Most of them simply contain scripts or symlinks. Each tool set also has its own KDE menu. Tools are grouped as follows:

Authentication
/usr/bin/auth/

• freeradius 0.8.1 : GPL RADIUS server
• PAM config

Cracker
/usr/bin/cracker/

• john 1.6 : John the Ripper password cracker. Includes the CERIAS dictionary: allwords2 (27 MB!) and NTLM patch

Encryption
/usr/bin/crypto/

• gpg 1.2.1: GNU Privacy Guard
• openssl 0.9.7a
• cryptcat : netcat + encryption
• sslwrap : SSL wrapper
• stunnel : SSL wrapper

Forensics
/usr/bin/forensics/

• sleuthkit 1.61 : atstake/sleuthkit.org's extensions to The Coroner's Toolkit forensic toolbox.
• autopsy 1.71 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
• mac-robber 1.0 :  TCT's graverobber written in C rather than perl
• fenris .07: code debugging, tracing, decompiling, reverse engineering tool
• wipe : wipe a partition securely. good for prep'ing a partition for dd
• secure_delete : securely delete files, swap, memory....
• and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

Firewall
/usr/bin/fw/

• iptables 1.2.7a
• gtk-iptables : GUI front-end
• shorewall 1.4 : iptables based package
  

Honeypots
/usr/bin/honeypot/

• honeyd 0.5-2 
• labrea 2.3-2 : tarpit (slow to a crawl) worms and port scanners

IDS
/usr/bin/ids/

• snort 1.8.7-4: but of course
• aide 0.9 : host baseline tool, tripwire-esque
• swatch 3.0.1 : monitor any file, oh like say syslog
• sha1sum
• md5sum
• syslogd

Network Utilities
/usr/bin/net-utils/

• LinNeighboorhood : Linux network neighborhood
• cheops 0.61-4 : snmp, network discovery and monitor tool
• etherape 0.8.2-3 : network monitor and visualization tool
• ntop 2.1.0 : network top, protocol analyzer
• iptraf : network monitor
• arptool : monitor and manage arp
• arping : ping hosts by MAC
• arpwatch : another arp tool
• macchanger : change your MAC addr. works with wireless too.
• mtr : traceroute
• samba 2.2.3a

Penetration Tools
/usr/bin/pen-test/

Way too many to list. All the usual suspects. dsniff toolkit, much THC, ADM, Gobbles, RFP, nmrc, teso, irpas routing tools, brute force tools, buffer overflows, dns spoofing, man in the middle, tcp/ip hijacking, denial of service... Includes exploits for cve-2002-0392, cve-2001-0241, can-2002-1337, can-2002-0656, can-2003-0109. There is some overlap into Vuln-test tools. These tools are meant to test IDS systems and to learn how exploits in the wild are used and written. Be very careful and read /usr/bin/pen-test/rtfm/dont-be-a-dick.README before using any of these. You are entirely responsible for your own actions.

When source code was available you'll find it under /usr/bin/pen-test/src/. Speaking of which: To all you coders:  Thanks for all the hard work. To everyone else: coders that release source are not your enemy.

Servers
/usr/bin/servers

• apache 1.3.27
• smail 3.2
• sshd 
• vnc
• bind9
• net-snmp
• iacd
• tftpd
• xinetd
• netcat
• httptunnel

Packet Sniffers and Assemblers
/usr/bin/sniff/

• ethereal 0.9.5 : simply amazing.
• ettercap 0.6.a : sniff on a switched network and more.
• ngrep : network grep, a sniffer with grep filter capabilities
• netsed : network sed, change the contents of packets traveling through your gateway on the fly
• tcpdump 3.6 : the core of it all (libpcap 0.6)
• ip-sorcerer : magic and ipmagic packet assemblers
• nemesis 1.4 beta 1 : Packet injector or "a portable IP stack"
• paketto 1.10 : fun with TCP/IP, scanning, tracerouting, NAT
• tcpreplay 1.4.0 : replay tcpdump or snoop captures
• dsniff 2.4 : sniffs only for username:password pairs passed on the wire in clear text protocols (telnet, ftp, http .....)

Vulnerability Assessment
/usr/bin/vuln-test/

• nessus 2.0.4 : what else?
• nasl : command line nessus to trigger nasl scripts directly
• nmap 3.10 : a necessity (also w/ a front-end for gui freaks)
• amap 2.5 : application mapper (can find apps running on strange ports. like http on 2993.)
• chkrootkit 0.40: look for rootkits
• rpcinfo : hmmmm.... info from RPC?
• snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
• whisker 2.1 : cgi web vulnerability scanner (Thanks for everything RFP!)
• winscan tools: SMB enumeration
• hping2 : port scanner, host enumerator, packet assembler, traceroute on any port, much underrated, essential tool!

Wireless tools
/usr/bin/wireless/

• airsnort : sniff, find, crack 802.11b
• wardrive : ditto
• kismet 2.6.2 : ummm ... yeah, ditto
• macchanger : change your MAC address
• patched orinoco drivers
  

heal thyself

Each tool set also contains a rtfm/ directory with READMEs and docs for the apps. Most rtfm/ directories will have an STD-directory.README file. START HERE. You won't get far without going through this directory. Don't forget 'man command'.

the rest

This distribution is just a customized and updated version of Knoppix 3.2 3-30-03-BETA. It's been customized with an emphasis on information security tools. Hence, Security Tools Distribution, STD (yeah, I know). I primarily removed the games, KOffice, and abiword. I'll remove more as needed for new security tools. You should find most of your favorite knoppix apps under the Utilities menu. Even though there are multiple windows managers available in Knoppix, you'll find most of the tools in STD are command line. So why have a GUI at all? 13373r's use command line! Yeah, ok, whatever. ctl-alt-f2 will make you happy.

I had several goals in putting this together. I wanted a portable, bootable security toolkit, but I also set STD up as a teaching aid for people interested security. Sometimes just installation is the biggest obstacle, especially when you can't dedicate a machine for just "playing around". So STD is a great place to learn these tools and the concepts behind them. Everything is pre-installed on a temporary OS. When you realize their use and utility perhaps you'll be more willing to go through the pains of installation for something more permanent. (which isn't to say that STD can't be used for permanent installations.)

misc

Mozilla and Konqueror are pre-populated with security related bookmarks.

No, there is no root password. Try "sudo cmd" or "sudo su root" or just type in "rootme".

Thanks to everyone on www.knoppix.net,Klaus Knopper (!!!!!), and everyone that realizes the strange fact that that the art of keeping secrets can't be a secret itself.

Send any stupid STD tricks, comments, suggestions, requests, flames to: t1ck_t0ck@knoppix-std.org

homepage: http://www.knoppix-std.org
forum: http://forum.knoppix-std.org