Enterprise security pros are often charged with hunting down lost or mismanaged Windows-based passwords, and if...
the organization's password management practices are lacking, Cain & Abel can help.
Check out other demos of free tools at our SearchSecurity.com screencast page or read the transcript below.
Hey everybody, this is Peter Giannoulis. Welcome to this month's SearchSecurity.com screencast. Thanks for coming out again, guys. We appreciate it.
This month we're going to look at some of the free malware detection-type tools that are available out there. You know, we've done a lot of vulnerability assessment-type tools like Nessus and Nmap and so on. I want to kind of switch it around a bit and look at some of the free malware detection tools.
So we're going to look at Rootkit Hunter this month and get away from some of the Windows stuff that we've been doing over the last few months. So let's take a look here. What is Rootkit Hunter? Rootkit Hunter is essentially a free tool that's available on the Internet like many of the other ones that we display in our monthly screen cast. It's a rootkit scanner is essentially what it is. It looks for a bunch of rootkits in malware and all that nasty stuff that can affect your computer and kill it.
Now one thing about it, like I said, it's Linux-based so most Linux and BSD distributions are supported, AEX, HPUX, Ubuntu, Red Hat, all of those distributions are supported. Essentially in depth features of Rootkit Hunter are it scans for rootkits, backdoors, local exploits, and those are some of the tests that are on the slide. You'll see the MD5 hash captures or compares, sorry. It actually runs.
It looks for default files used by rootkits and the wrong file permissions for specific binaries. So some binaries should only be read-only, and all of a sudden there's a red flag there. It will find that and catch it. Obviously, it looks for hidden files which rootkits tend to do a lot.
You'll see, we have a reference down at the bottom of the slide so if you guys want to learn a little bit more about Rootkit Hunter or rootkits period, you can hit that URL at rootkit.nl. So where do I get rootkit, you may ask? Again, you can go to rootkit.nl and learn a bunch about the rootkit, but it is going to forward you over to the word source for the actual download. So let's go ahead and download it.
What we're going to focus on in this video, guys, because we don't have, you know, all the time in the world is we're going to focus on downloading it, installing it, updating it, and then running it against the default Ubuntu installation. There's a rootkit.nl website, and you'll see we're going to go ahead and minimize that, and we'll do a quick app kit of Rootkit Hunter. And that's actually one thing I like about Ubuntu/Debian platforms is that they have the install files for us. You don't have to actually go to the source to download them, I'm just saying. So let's go ahead and we'll put that in there. We'll install rkhunter. Do we want to continue? Yes, we do.
And I want to go through the actual install process so you can see all the actual packages that it needs and all the requirements that it needs to install it itself. So we're going to go ahead. It's reading the database and let this install. It actually doesn't take quite a long time. You'll see it will be done fairly soon. All right. So now the update is done, what I want to first do is just type in the command that will run Rootkit Hunter, but I want you to actually look at all the switches we have.
So you'll see here, if we type in rkhunter and we'll pipe that to more. So you'll see all the different options you get, right? You have the dash C or dash hashtag. We'll check the local system. You know, dash dash bindir will use the specified commands directory and so on. You can use the debug mode obviously by using the debug.
You can disable specific tests if you want to. I wouldn't probably do that unless you know the tool really well. Your best bet is to just kind of do a check and enable everything and make sure it finds what it needs to find. There's obviously some more options here that we have as well and that you'll see, report warnings only so on and so on and so on. Okay, so no big deal.
So what we're going to do now we're going to do a quick update, so it's rkhunter. One second, let's not forget to root that, rkhunter dash dash update. You can see it doesn't take quite a long time here. It just actually goes out to the website to make sure that we're up-to-date. All right. It checks all the mirrors and all our files. Looks like we're up-to-date. So let's go ahead now. We're going to run rkhunter with a dash C option or dash dash check which will check the entire local system.
You'll see it runs a lot of checks here. You'll see it runs them actually in groups, so performing strings command checks is the first thing that it's going to do, and this is actually going to take a little bit of time to run on our system even though it is a default install. You'll see it checking for preloading variables, not found. It checks all our bin directories or our bin directory and our mv or move commands, mount commands. That's that.
It checks all of those because, again, rootkits tend to trojanize those files. Essentially what I mean by that is if a rootkit is listening on a specific port, it might trojanize the net stat file that will show you the ports in order for it not to show the port that the rootkit's running on. So that's basically why we check all of these files.
All right. We found one more thing in the user S bin, unhide as well as the S bin unhide dash Linux26 command. And then here we're looking, checking for rootkits performing known rootkits, files, and directories. You'll find that there's quite a bit that it actually checks for.
I apologize for some of the language in the names of some of the rootkits, but that's what they're called and it's good to know what they're called obviously, especially when you're looking for them. Some of them are really old on here, but still in use out in the wild there, so that's why they're in here. A lot of people might be wondering why, but that's basically why. And then some of the newer ones that are available out there.
Again, sorry about the language on some of them that are coming up there. All right. The torn rootkit, people obviously know about that one. All right. So it's performing additional rootkit checks. It's now checking for rootkit files and directories and strings and so on.
Now it goes into check for backdoor ports for us. So I really like the way rkhunter actually breaks it down and doesn't just kind of sit there and say, "Okay, you're clean or you're not." It actually shows you exactly what its doing and what files it's checking, that it's checking actual ports or slash dev might have some more file in there. And that's it.
So we are now done or, I guess, scan of our local system here. You'll see that file's checked. Its 127, suspect files 2, rootkits checked, so on and so on. We had a couple of suspect files that we're going to actually look at and, again, it's all logged to var log rkhunter.log. So let's go ahead. We can bring that file up again. It's just a text file, right? So we'll go ahead, sudocat/varlogrkhunter.log.
We're not going to look through the whole thing. We'll just pipe that to more here. We'll actually take a peek at all the different steps it took when it actually ran against our local system. So you'll see it found the net stack command/bin net stat but there was nothing bad there. And that's pretty much it. That's exactly how you do it.
There's obviously, it would be a lot more exciting if this actual tool was running a system that was, I guess, rootkitted to help, but, again, this gives you the basics of how to install it, update it, as well as run it on a local system. You can see it's not very hard to do. It's a great tool, again, and it's free.
So let's wrap this up now. Points to remember. What is Rootkit Hunter, again? It's a rootkit scanner. It's very effective and detects dozens of rootkits backdoors so on and so on by looking at hidden directories, files, and so on. It's only available for Linux and BSD distributions, unfortunately, but there are some for Windows that you can use as well. It has the ability to scan locally, and the best part, like I always say every month, it's 100% free.
Thanks very much, guys, for coming out for this month's SearchSecurity.com screen cast. We really appreciate it, and we'll hope to see you next month.
About the presenter:
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, GCFW, GREM, CISSP, is an information security consultant in Toronto, Ontario. He currently maintains The Academy Pro, which provides streaming video for enterprises and consumers on how to configure and troubleshoot many of today's top security products. He also serves as a technical director for GIAC.
Check out SearchEnterpriseDesktop's list of the top five free security downloads for Windows.
Learn about dumping and cracking password hashes using Cain & Abel.
Read how attackers use the Ophcrack password-cracking tool.