The Network Admin's Ultimate Custom Rescue CD

By Carla Schroder | Jul 26, 2005
http://www.enterprisenetworkingplanet.com/netos/article.php/3523166/The-Network-Admins-Ultimate-Custom-Rescue-CD.htm

In the beginning was tomsrtbt, "The most GNU/Linux on 1 floppy disk": a complete bootable Linux-on-a-floppy disk. Perfect for rescue, testing, diagnostic, and maintenance missions of all kinds.

But computers continued to grow in ability and complexity, and the tiny floppy disk could not hold everything a network admin needed, and thus was born the first bootable Linux-on-a-CDROM, H. Peter Anvin's SuperRescue CD.

Then came Knoppix, which quickly became the glamor child of the live CD-based Linuxes, the darling of the rescue-CD crowd. Knoppix supplies fully-featured KDE and IceWM desktops, supremely excellent hardware detection, and fun tools for things like encrypted data storage on USB keys, disinfecting virus-plagued Windows PCs, wardriving utilities, and gobs more.

Knoppix also inspired a flood of specialized Knoppix-based knockoffs. It is amazing what is found here: language-localized, little tiny compact editions, clustering, medical, security, server, embedded, you name it, somebody probably already put it together.

Since Knoppix burst onto the scene in a blaze of glory, it seems like everyone has jumped on the bootable liveCD bandwagon; check out Frozen Tech's LiveCD List.

What this all means for the hardworking network administrator is a wealth of great bootable liveCDs to choose from for your toolkit. There are two indispensable tools in my personal rescue kit: an old laptop with a modem, 10/100 Ethernet NIC, and serial port with a null modem cable, and every software network diagnostic/monitoring/repair utility I could find; and my own custom liveCD that also contains a bale of software network utilities.

I created the CD back in the early Knoppix days, using the instructions for re-mastering Knoppix. It was great to be able to create a CD containing all the applications that I needed, but re-mastering Knoppix is not for the faint of heart. It's a complex process and it's too easy to make mistakes, as I did -- I built up quite a coaster collection. But once I figured it out I had my very own Ultimate Networking Rescue Disk, and that little disk has saved me more hassles and time than any other tool. While the customized laptop is essential and useful, a CD-ROM has one big advantage: It is non-writable, so it cannot be compromised.
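The read-only CD protects the toolkit once it is burned, but only if the image that went onto it was the genuine one. The following is an added example, not code from the article, that checks a downloaded ISO against a project's published checksum list before you burn it. It reads the sha256sum line format ("digest  filename", with a leading "*" for binary mode); the checksum text, file names and the temporary files in the demo are constructed sample data.

```python
"""Verify a downloaded rescue-CD image against a published checksum list.

Added example, not code from the article: the burned CD is read-only, but that
only helps if the image you burn is the genuine one, so check it first.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# sha256 of an empty file, and a constructed "published" list in sha256sum format.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_SUMS = f"""\
# SHA256SUMS (constructed sample, not a real project's list)
{EMPTY_SHA256} *empty.iso
{'0' * 64}  other.iso
"""


def parse_sums(text):
    """Parse 'HEXDIGEST  filename' lines as written by sha256sum/md5sum ('*' = binary)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([0-9a-fA-F]+)\s+\*?(.+)", line)
        if match:
            sums[match.group(2)] = match.group(1).lower()
    return sums


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream the file through the digest so a 700 MB ISO never has to fit in RAM."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(iso_path, sums_text, algo="sha256"):
    """Return 'ok', 'mismatch', or 'missing' (image not listed) for iso_path."""
    expected = parse_sums(sums_text).get(Path(iso_path).name)
    if expected is None:
        return "missing"
    actual = hash_file(iso_path, algo)
    # Constant-time compare is habit here; the digests are public, and it costs nothing.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Run the check on temporary files: a genuine image, a tampered one, an unlisted one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "empty.iso")
        good.write_bytes(b"")                      # matches EMPTY_SHA256
        results["good"] = verify_image(good, SAMPLE_SUMS)
        tampered = Path(tmp, "other.iso")
        tampered.write_bytes(b"not the real image")
        results["tampered"] = verify_image(tampered, SAMPLE_SUMS)
        unlisted = Path(tmp, "unlisted.iso")
        unlisted.write_bytes(b"")
        results["unlisted"] = verify_image(unlisted, SAMPLE_SUMS)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it against the real ISO and the real SHA256SUMS (or MD5SUMS, with `algo="md5"`) that the distribution publishes; a "mismatch" means a corrupt download or a tampered mirror, and "missing" usually means the file was renamed after download.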

These days you can find all manner of excellent ready-made network rescue disks; we'll look at my two favorites, and then we'll look at a couple of good programs for creating your own custom CD.

Linux LiveCDs for the Network Admin
Knoppix STD (Security Tools Distribution) is the powerhouse of network-oriented liveCDs. It has just about everything: honeypots, vulnerability assessment, forensics, all manner of crypto, password crackers, wireless LAN, and the usual firewall and TCP/IP utilities. It has one major weakness: it supports only the Orinoco (Prism chipsets) drivers for wireless NICs, which means it has no drivers for 802.11a/ab/ag/abg or Centrino cards. Since popping in a liveCD to test hardware is one of the main reasons to have a liveCD in the first place, this won't do you much good if you support a lot of wireless PCs.

If you need wireless drivers and still want to use Knoppix STD, you can re-master it to include the bits you need. (Follow the standard Knoppix Re-mastering Howto.)

Knoppix STD comes with a batch of useful utilities for Windows:

  • LinNeighborhood, for browsing Samba shares.
  • chntpw, for re-setting Windows passwords. Yes, even Administrator.
  • pwl9x, for cracking Windows 9x passwords.
  • Samba server. Very useful for testing connectivity problems, or for testing before deploying.
  • testdisk, for restoring deleted partitions.
  • readdbx, to convert Outlook Express .dbx files to mbox.

Knoppix STD also comes with a collection of specialized packet sniffers. Yes, you can configure Ethereal or tcpdump to display only the packets you want to see, but having a specialized sniffer is a nice little time-saver:

  • urlsnarf, for capturing HTTP requests. (Part of dsniff.)
  • driftnet, for capturing images from TCP streams. Yeah, baby, now you can see what your users are looking at.
  • msgsnarf, for monitoring IRC and ICQ traffic, like AIM, MSN Messenger, and AOL-IM. (Part of dsniff.)
  • webspy, which mirrors all the sites visited by a selected host in your own browser. (Part of dsniff.)
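What a specialized sniffer like urlsnarf does behind the scenes is walk a capture, decode Ethernet/IPv4/TCP, and report only the HTTP request starts. The following is an added example, not code from the article and not part of dsniff, that does exactly that over a classic pcap file with nothing but the standard library, which is handy for reviewing a tcpdump capture from a rescue boot when you want to know which hosts talked to which web servers. The pcap it reads is constructed inline (three frames: a GET, an SSH banner, a POST); the IP addresses, ports and host names are sample values.

```python
"""Minimal pcap reader that pulls HTTP request lines out of a capture.

Added example (not the article's code and not dsniff's urlsnarf): decode
Ethernet/IPv4/TCP and report HTTP request starts from a constructed pcap.
"""
import re
import socket
import struct

LINKTYPE_ETHERNET = 1
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: two HTTP requests and one non-HTTP TCP segment.
SAMPLE_PCAP = build_pcap([
    (1122334455, build_frame("10.0.0.5", "192.0.2.10", 40001, 80,
                             b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (1122334456, build_frame("10.0.0.5", "192.0.2.20", 40002, 22,
                             b"SSH-2.0-OpenSSH_3.9p1\r\n")),
    (1122334457, build_frame("10.0.0.7", "192.0.2.10", 40003, 8080,
                             b"POST /login HTTP/1.0\r\nHost: intranet.example\r\n"
                             b"Content-Length: 0\r\n\r\n")),
])


def iter_pcap_packets(blob):
    """Yield (timestamp, frame bytes) from a classic pcap blob in either byte order."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", blob, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(blob):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        yield ts_sec, blob[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or len(ip) < ihl + 20:      # not TCP, or truncated header
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[data_off:])


def http_requests(pcap_blob):
    """Return (ts, client, server, method, host, path) for each HTTP request start."""
    found = []
    for ts, frame in iter_pcap_packets(pcap_blob):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, _sport, _dport, payload = parsed
        match = REQUEST_LINE.match(payload)
        if match is None:
            continue
        host = ""
        for line in payload[match.end():].split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
                break
        found.append((ts, src, dst, match.group(1).decode(),
                      host, match.group(2).decode("ascii", "replace")))
    return found


if __name__ == "__main__":
    for ts, client, server, method, host, path in http_requests(SAMPLE_PCAP):
        print(f"{ts} {client} -> {server} {method} http://{host}{path}")
```

Feed it a file written by `tcpdump -w` instead of `SAMPLE_PCAP` and it reports one line per request, which is the same information urlsnarf prints; the point of the example is that the "specialized sniffer" is just a filter and a small protocol decoder on top of the raw capture.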

Knoppix STD requires some horsepower to run; at least a Pentium II with 128 megabytes of RAM. A lighter-weight alternative is INSERT (Inside Security Rescue Toolkit). At 50 megabytes it fits on a credit-card sized CD-ROM. Because it uses Fluxbox for a graphical desktop, you can have a nice graphical environment even on old feeble hardware. INSERT comes with more wireless drivers and a useful array of tools, including:

  • Clam anti-virus
  • ettercap, a multi-purpose sniffer/interceptor/logger for a switched LAN
  • iproute2 (See Resources)
  • ndiswrapper, for using Windows wireless drivers on Linux
  • wakeonlan, for booting hosts with no floppy or CD drive

... plus a nice selection of network monitoring and analysis utilities, disk management, and file recovery. INSERT gets my vote as best all-around lightweight system and network rescue CD.
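The wakeonlan tool listed above works by sending a "magic packet": six 0xFF bytes followed by the target's MAC address repeated sixteen times, usually broadcast as a UDP datagram. The following is an added example, not code from the article and not the wakeonlan tool, that builds the packet, broadcasts it, and also recognises one in a captured payload, which is what you look for in a tcpdump capture when a machine refuses to wake and you want to confirm the frame actually reached its segment. The MAC address and the broadcast address are constructed sample values, and UDP port 9 is the usual convention rather than a requirement of the protocol.

```python
"""Wake-on-LAN magic packet: build it, broadcast it, and recognise it on the wire.

Added example, not code from the article or from the wakeonlan tool. The MAC and
broadcast address in the usage block are constructed sample values.
"""
import re
import socket

SYNC_STREAM = b"\xff" * 6          # six 0xFF bytes announce the magic packet
WOL_PORT = 9                       # "discard" port; a convention, not a requirement


def parse_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac, password=b""):
    """Sync stream + target MAC repeated 16 times (+ optional 4- or 6-byte SecureOn password)."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC_STREAM + parse_mac(mac) * 16 + password


def is_magic_packet_for(payload, mac):
    """True if payload carries a magic packet for mac (the sync stream may sit at any offset)."""
    target = parse_mac(mac) * 16
    idx = payload.find(SYNC_STREAM)
    while idx != -1:
        if payload[idx + 6:idx + 6 + len(target)] == target:
            return True
        idx = payload.find(SYNC_STREAM, idx + 1)
    return False


def send_magic_packet(mac, broadcast="255.255.255.255", port=WOL_PORT):
    """Broadcast the packet as a UDP datagram; returns the number of bytes sent."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    import sys
    # Usage: python wol.py 00:11:22:33:44:55 [broadcast-address]   (sample MAC, constructed)
    target_mac = sys.argv[1] if len(sys.argv) > 1 else "00:11:22:33:44:55"
    bcast = sys.argv[2] if len(sys.argv) > 2 else "255.255.255.255"
    print(f"sent {send_magic_packet(target_mac, bcast)} bytes to {bcast}:{WOL_PORT}")
```

Two things worth knowing before relying on it: the target NIC must have Wake-on-LAN enabled in its BIOS and driver settings, and a limited broadcast (255.255.255.255) does not cross routers, so from another subnet you send to that subnet's directed broadcast address instead.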

Rolling Your Own Custom CD
Why would you want to create your own custom live-CD? It's the best way to ensure that you have exactly what you want, to weed out extraneous stuff, and to use customized kernels. Because liveCDs run in memory you'll improve performance considerably by excluding non-essentials. There are a number of nice roll-your-own programs; my two favorites are iBuild and Knoppix. Yes, I did crab about Knoppix earlier. It's still not easy, but it is much improved, and the instructions are excellent.

iBuild (Intellibuild) is based on Debian. It requires an up-to-date Debian system to create the liveCD image, though it promises to someday run on most *nix variants and Windows. iBuild draws on the Debian package repositories, so that gives you over 13,000 packages to choose from. If you're familiar with Debian, this is an easy way to build a custom liveCD.

A bit more difficult, but more flexible, is following the Knoppix Re-mastering Howto. A good reason to go this route is to modify one of the existing customized Knoppix derivatives; for example, start with Damn Small Linux and add the apps you want. You'll have a nice compact customized liveCD built to your specifications while hardly breaking a sweat.

Essential Network Utilities
I'm running out of space, but this article simply won't be complete without a list of what I think are essential network administration utilities. This does not include forensic tools, which occupy their own large category. Check out the package list for Knoppix STD to see a good selection of forensic applications:

tcpdump, Ethereal, Nmap, Nessus, ping, traceroute, netcat, cryptcat, OpenSSH, OpenVPN, John the Ripper, crack, checkpw, ntop, ngrep, mii-tool, mii-diag, wipe, Hping2, Nemesis, LSOF (list open files), Firewalk, dsniff, Cheops, IpTraf, pppd, Quagga, pppoe, Snort, telnet (yes, really!), minicom, arping, iptables, ipchains (if you're stuck on a really old system), TCPTraceroute, PuTTY, Stunnel, Ettercap, OpenSSL, BIND-utils, arpwatch, FreeNX, VNC, lspci, lsusb, cardctl, ClamAV, F-Prot, chkrootkit, rkhunter, testdisk, Linux fdisk.

Wireless utilities:
Kismet, Netstumbler, AirCrack, AirSnort, AirTraf, wireless-tools.

Windows stuff:
chntpw, pwl9x, regviewer, LinNeighborhood, Samba server and client.

Resources