The Confessions of A White Hat Hacker

Last week, I spent most of my time installing Linux and a few white hat

applications from hacker Web sites: Firewalk, Nmap, Sniffit, Swatch and

Tripwire. This week, I've had a bit of a chance to play around with


This "white hat" nomenclature confused me when I first heard it. White

hat is a fairly common term for people who hack legitimately - security

staff, researchers and so on. By contrast, black hat hackers hack

maliciously. Basically, white hats are the good guys; black hats are

the bad guys. Gray hats are somewhere between the two, and nobody knows

where Red Hat Linux fits in with all this.

I'm told the terms come from the early Western movies. Because the

movies were filmed in black and white, the chase scenes tended to get a

bit confusing, until someone decided to give the good guys white hats

and the bad guys black hats. Anyway, back to Linux. Frills and Thrills

Nmap impressed me. It's simple, it's powerful, and it does exactly what

it says it does: It maps your network. The author, who goes only by the

name Fyodor, even includes a short but well-written HTML manual in a

choice of five languages. The program is freeware, so you've got to

admire the amount of work that he's put into it.

Nmap runs ping sweeps to find out what machines are connected to your

local network, a port scan to find out what services each machine is

running and TCP/IP fingerprinting to find out what operating system

each is running. The result is a log file giving you a reasonably

complete list of what's on your network and what it's doing. That's

useful information both for a security manager and any hacker.

We also run Internet Scanner from Atlanta-based Internet Security

Systems Inc. (ISS). Internet Scanner can do exactly what Nmap can do

and much more. The big difference between the tools - apart from the

fact that Nmap is free and Internet Scanner most certainly isn't - is

the slant each puts on this function.

The ISS tool gives a much more user-friendly graphical user interface

(GUI), advertises its presence to anyone being scanned and so on. It's

clearly designed to fit into a corporate environment.

Nmap, on the other hand, is designed for technical staffers who want to

dispense with the frills: It's much faster, and it's designed to be run

in "stealth mode" so as to avoid detection by intrusion detection

software. It certainly snuck in beneath the radar of our intrusion

detection software, RealSecure from ISS. That's something we'll have to

sort out.

Sniffing for Hack Attacks

Next up was Sniffit, a network packet sniffer. Packet sniffers are

rather intriguingly named pieces of software that monitor network


Under many networking protocols, data that you transmit gets split into

small segments, or packets, and the Internet Protocol address of the

destination computer is written into the header of each packet. These

packets then get passed around by routers and eventually make their way

to the network segment that contains the destination computer.

As each packet travels around that destination segment, the network

card on each computer on the segment examines the address in the

header. If the destination address on the packet is the same as the IP

address of the computer, the network card grabs the packet and passes

it on to its host computer.

That's how I think it works, anyway. I'm sure there are many network

engineers out there who are champing at the bit to explain the many

subtle but important errors I've made, but frankly, that little model

seems to work for me.

Promiscuous Network Cards

Packet sniffers work slightly differently. Instead of just picking up

the packets that are addressed to them, they set their network cards to

what's known as "promiscuous mode" and grab a copy of every packet that

goes past. This lets the packet sniffers see all data traffic on the

network segment to which they're attached - if they're fast enough to

be able to process all that mass of data, that is. This network traffic

often contains very interesting information for an attacker, such as

user identification numbers and passwords, confidential data - anything

that isn't encrypted in some way.

This data is also useful for other purposes - network engineers use

packet sniffers to diagnose network faults, for example, and we in

security use packet sniffers for our intrusion detection software. That

last one is a real case of turning the tables on the attackers: Hackers

use packet sniffers to check for confidential data; we use packet

sniffers to check for hacker activity. That has a certain elegant

simplicity to it.

I've known of packet sniffers for years, and I've talked about the

dangers of attackers using packet sniffers in many a consulting

assignment, but like many consultants, I've never actually used one


One of the reasons for that is simple fear - I'm not that technical at

the best of times, but networking is by far my weakest subject. So I've

avoided trying packet sniffers because I expected to get swamped by all

sorts of networking jargon and problems that would send me running to

our network support guys. I feel embarrassed enough that I can't get my

head around the concept of subnet masks, so I don't want to display my

greater ignorance if I can possibly avoid it.

The thing that worried me most about Sniffit was how easy it was to

install. It took about three commands and three minutes to get this

thing installed and running on my Linux machine. It even has a GUI (not

exactly pretty, but hey - it's free).

Like Nmap, Sniffit is very easy to use and does exactly what it says it

does: It sniffs your network and shows you what sort of data is getting

passed around.

I'd recommend that you install a packet sniffer and have a look at what

sort of data you can see on your local network. Better still, get one

of your network engineers to install it for you. They probably know of

better, more professional sniffers and will be able to talk you through

some of the data that you see going past. It's an interesting look into

exactly what's going on within your network.

Firewalk, Swatch and Tripwire stumped me. I don't yet know what I'm

doing wrong, but I can't get these things installed. I may not get

around to it, though, because my long-awaited laptop has finally

arrived. Now, I can get back on course with all those projects that

have been on hold for the past couple of weeks.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon