Why Trinux?

Trinux attempts to provide the most comprehensive and up-to-date set of security tools found in any Linux distribution--all in a format that is easy to use, can be installed in a matter of minutes, yet fits in a shirt pocket.

Here are some common uses for Trinux.

Vulnerability Scanning
The most rudimentary way to find vulnerable or misconfigured services (at least on a Unix box) is to conduct a port scan. Nmap allows you to do this and much more. Although nmap was recently ported to Win32, its natural habitat is (and will always be) Linux, with the possible exception of OpenBSD. A port scan only tells you what is listening, not whether it is vulnerable, so after discovering open ports you gather banner information to identify the FTP, IMAP, POP, DNS, HTTP, or other daemon and its version, and check it against whatever the 'exploit of the month' happens to be. Trinux provides command-line tools from the SATAN/SARA/SAINT toolkits, and tools such as ADM-smb and nbtstat for probing Windows boxes. Probe your boxes before the 'script kiddies' do, but only after getting written permission. If you have a commercial IDS in place (RealSecure, Cisco Secure IDS, Dragon, etc.), see what it picks up and what it misses.
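The scan-then-banner workflow above, as an added example that is not part of Trinux or its documentation: nmap writes "grepable" output (-oG), an awk filter keeps only the open ports, and netcat pulls the banner from each. It assumes nmap and nc are on the PATH; the host, ports and version strings in the embedded sample are constructed and stand in for a live scan.

```shell
#!/bin/sh
# Added example (not Trinux's own code): scan, list open ports, then grab banners.
# Assumes nmap and netcat (nc) are on the PATH; the sample scan output is constructed.

# Run nmap in "grepable" output mode (-oG) so the results can be parsed by awk.
# -n skips reverse DNS so the scan does not announce itself to the target's DNS.
scan_hosts() {            # scan_hosts <outfile> <target>...
    out=$1; shift
    nmap -n -p 1-1024 -oG "$out" "$@" >/dev/null
}

# Turn -oG lines into "host port/proto service version" for open ports only.
# Filtered/closed ports are dropped.  Caveat: a version string that itself
# contains ", " would be split in two by the simple ", " separator used here.
parse_open_ports() {      # reads -oG text on stdin
    awk -F'\t' '
    /Ports:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Ports: /) { ports = $i; sub(/^Ports: /, "", ports) }
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")      # port/state/proto/owner/service/rpc/version/
            if (f[2] == "open")
                print host, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5]), (f[7] == "" ? "-" : f[7])
        }
    }'
}

# Banner grab.  FTP, SMTP, POP3, IMAP and SSH send a greeting on connect; HTTP
# only answers a request, so a minimal HEAD is sent and the first two lines kept.
# Sending HEAD to a non-HTTP service just earns an error line after the banner.
grab_banner() {           # grab_banner <host> <port>
    printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 3 "$1" "$2" 2>/dev/null | head -n 2
}

# Constructed -oG sample used in place of a live scan (fields are tab-separated).
SAMPLE_GNMAP=$(printf '# Nmap scan (constructed sample)\nHost: 192.168.1.10 (target.example.com)\tStatus: Up\nHost: 192.168.1.10 (target.example.com)\tPorts: 21/open/tcp//ftp//wu-ftpd 2.6.0/, 22/open/tcp//ssh//OpenSSH 2.9p2/, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)\n')

if [ "${1:-}" = "--live" ]; then        # ./scan.sh --live 192.168.1.0/24
    shift; scan_hosts /tmp/scan.gnmap "$@"
    parse_open_ports </tmp/scan.gnmap | while read -r host port svc ver; do
        echo "== $host $port ($svc $ver)"; grab_banner "$host" "${port%/*}"
    done
else
    printf '%s\n' "$SAMPLE_GNMAP" | parse_open_ports
fi
```

Run with no arguments it parses the constructed sample and prints three open ports; with `--live` it scans the given targets and banners each open port. Filtered ports are deliberately left out of the list: a filtered port tells you about the packet filter, not about the service behind it.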

Network Analysis
Tcpdump is the standard sniffer that comes with non-commercial versions of UNIX such as Linux and the BSDs. Although its protocol decodes are not as comprehensive or as readable as those of commercial sniffers or of Ethereal, for a quick peek at what is going on on your network it can't be beat. Hardly a day goes by that I don't use tcpdump. Perhaps just as important is its ability to log traffic to a file for follow-on analysis or forensic work. Although not as rock-solid as tcpdump, Ethereal provides an interface and protocol decode capability that rivals commercial sniffers. For the first time, Trinux ships with the console version of Ethereal. Another useful tool is network grep (ngrep), which allows you to apply the power of regular expressions to application-layer payloads. One of the newest tools to be included with Trinux is p0f, which performs passive OS detection off the wire or from saved tcpdump files. I recommend the latter.
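The capture-then-analyze-offline practice described above, as an added example that is not Trinux's own code: tcpdump records raw frames to a file, the file is sealed with a checksum so it can later serve as evidence, and ngrep and p0f are run against the saved trace instead of the live wire. It assumes tcpdump, ngrep, p0f (the 1.x/2.x `-s file` option) and md5sum on the PATH; the payload lines embedded for the regex check are constructed.

```shell
#!/bin/sh
# Added example (not Trinux's own code): capture to a pcap file, seal it with a
# checksum, then do the follow-on analysis offline with tcpdump, ngrep and p0f.
# Assumes tcpdump, ngrep, p0f (1.x/2.x option syntax) and md5sum are on the PATH.

# Capture raw frames to a file rather than decoding to the screen.
#  -n      no reverse DNS, so the sniffer does not itself generate traffic
#  -s 1514 whole Ethernet frames; older tcpdump defaults to 68 bytes and
#          silently truncates the application payload that ngrep and p0f need
#  -w      write pcap; the optional BPF filter limits what is recorded
capture_trace() {        # capture_trace <iface> <file> [bpf filter ...]
    iface=$1; file=$2; shift 2
    tcpdump -n -i "$iface" -s 1514 -w "$file" "$@"
    seal_trace "$file"
}

# Record a checksum next to the trace so later analysis can show the evidence
# was not altered.  Keep a copy of the .md5 somewhere read-only as well.
seal_trace()   { md5sum "$1" > "$1.md5"; }
verify_trace() { md5sum -c "$1.md5" >/dev/null 2>&1; }   # exit 0 only if unchanged

# Login sequences of the clear-text protocols named on this page: FTP and POP3
# use "USER x" / "PASS y"; IMAP uses "<tag> LOGIN user pass".  One extended
# regex, usable both by ngrep and by grep -E below.
CLEARTEXT_LOGIN_RE='(USER|PASS) [^ ]+|[A-Za-z0-9]+ LOGIN [^ ]+ [^ ]+'

analyze_trace() {        # analyze_trace <file>
    verify_trace "$1" || { echo "trace checksum mismatch: $1" >&2; return 1; }
    tcpdump -nn -r "$1" -c 20                       # quick look at the first packets
    ngrep -q -I "$1" "$CLEARTEXT_LOGIN_RE" tcp      # regex over application payloads
    p0f -s "$1"                                     # passive OS fingerprints, offline
}

# Same pattern applied to plain text, so the regex can be checked against known
# payload lines before it is trusted on a real trace.
match_cleartext_login() { grep -E "$CLEARTEXT_LOGIN_RE"; }

# Constructed payload lines standing in for a capture.
SAMPLE_PAYLOADS='220 ftp.example.com FTP server ready
USER alice
331 Password required
PASS s3cret
a001 LOGIN bob hunter2
* OK IMAP4rev1 ready'

if [ "${1:-}" = "--analyze" ]; then analyze_trace "$2"
else printf '%s\n' "$SAMPLE_PAYLOADS" | match_cleartext_login; fi
```

Without arguments the script only exercises the regex against the constructed lines (it should print the three login lines and nothing else); `--analyze trace.pcap` refuses to proceed if the checksum no longer matches, which is the point of sealing the file at capture time.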

Security Research
Curious about how one of your network devices will respond to certain types of TCP, UDP, or ICMP packets? Want to learn how sequence number attacks work, or how to conduct other spoofing attacks? Read the man pages for these tools (I won't tell you which ones) and learn how. Use of these tools in production environments is highly discouraged and could get you fired, or arrested in some countries. It could also land you a good job if you really understand how they work. In fact, I use headless Trinux boxes as my standard distribution for security testing because most distributions have become so bloated. Store your packages and SSH keys on a local HTTP server.

Secure Connectivity
Trinux 0.7x is the first version of Trinux to include OpenSSH, the open source implementation of the SSH1/SSH2 protocols that is the de facto standard for securely administering remote Unix systems. Using scp it is possible to securely transfer sensitive data (packet traces, vulnerability findings) to remote sites for further analysis. You could email someone a Trinux boot disk with SSH public keys saved on it and remotely troubleshoot or test their network. If you enable SSH port forwarding (don't ask me how, figure it out for yourself), you can even access your Trinux boxes behind a packet filtering firewall. It is also possible to configure Trinux to mail PGP encrypted system files across the network.
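The three uses above (public keys carried on the boot disk, scp for findings, port forwarding through a packet filter), as an added example that is not Trinux's own code. The key installer accepts only lines that look like OpenSSH public keys, so a private key or stray text copied onto the floppy is refused rather than appended to authorized_keys; the hostnames, paths and key material are constructed.

```shell
#!/bin/sh
# Added example (not Trinux's own code): install the public keys carried on a
# boot disk, ship findings with scp, and reach a Trinux box behind a packet
# filter with SSH port forwarding.  Hosts, paths and key material are constructed.

# Accept only lines that look like a public key: protocol-2 "ssh-rsa AAAA..." /
# "ssh-dss AAAA...", or protocol-1 "bits exponent modulus".  Anything else
# (a private key header, shell fragments) is refused.
is_public_key() {         # is_public_key <line>
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( |$)|^[0-9]+ [0-9]+ [0-9]+( |$)'
}

# Append each valid key from <keyfile> (e.g. /floppy/keys.pub) to <authorized_keys>
# once, and lock the permissions down; sshd ignores a world-writable key file.
# OpenSSH releases before 3.0 read protocol-2 keys from authorized_keys2 instead.
# Returns the number of lines rejected.
install_authorized_keys() {   # install_authorized_keys <keyfile> <authorized_keys>
    src=$1; dst=$2; rejected=0
    mkdir -p "$(dirname "$dst")" && chmod 700 "$(dirname "$dst")"
    touch "$dst" && chmod 600 "$dst"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! is_public_key "$line"; then rejected=$((rejected + 1)); continue; fi
        grep -Fqx -- "$line" "$dst" || printf '%s\n' "$line" >> "$dst"
    done < "$src"
    return "$rejected"
}

# Send traces and findings to the analysis host over SSH instead of FTP or mail.
ship_findings() {         # ship_findings <analyst@host> <file>...
    to=$1; shift
    scp -p -i /floppy/id_analyst "$@" "$to:incoming/"
}

# The Trinux box sits behind a packet filter that blocks inbound connections but
# allows outbound SSH.  A reverse forward (-R) opens port 2222 on the analysis
# host; connecting to that port there reaches the Trinux box's own sshd.
reverse_tunnel() {        # reverse_tunnel <analyst@host>
    ssh -N -R 2222:localhost:22 "$1"
}

# Constructed key file: one protocol-2 key, one protocol-1 key, one mistake.
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC+constructed+key+material+only/not+a+real+key== analyst@example.net
1024 35 123456789012345678901234567890123456789 analyst@example.net
-----BEGIN RSA PRIVATE KEY-----'

if [ "${1:-}" = "--install" ]; then
    install_authorized_keys "$2" "$HOME/.ssh/authorized_keys"
else
    tmp=$(mktemp -d); printf '%s\n' "$SAMPLE_KEYS" > "$tmp/keys.pub"
    install_authorized_keys "$tmp/keys.pub" "$tmp/.ssh/authorized_keys" || echo "rejected $? line(s)"
    cat "$tmp/.ssh/authorized_keys"; rm -rf "$tmp"
fi
```

Run without arguments it installs the two constructed keys into a scratch directory and reports the private-key header as rejected; `--install /floppy/keys.pub` does the same into the current user's authorized_keys. The reverse forward is the direction that works from behind a filter that only permits outbound connections; a plain `-L` forward would need an inbound hole.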

Forensics and Backup/Recovery
Starting in version 0.80rc2 (using the ide boot floppy), Trinux can be used to perform computer forensics and filesystem repair and recovery. Trinux provides low-level disk utilities from The Coroner's Toolkit (TCT) as well as TCTUTILS that can be used to analyze and recover filesystems. Trinux also provides packages for building and repairing Linux ext2 and ReiserFS filesystems, as well as low-level tools such as the Linux Disk Editor (LDE), several tools for searching and viewing binary files in the fileutil.tgz package, and [cfs]disk for modifying partitions. Kernel modules are available to support nearly all filesystems supported by the Linux kernel.
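The low-level side of the forensics use above, as an added example that is not Trinux's own code: image the suspect disk with dd before anything else touches it, mount the image read-only if a filesystem view is needed, and search and carve raw bytes out of the image when it is not (a passwd fragment in unallocated space, for instance). It assumes GNU or BusyBox dd and GNU grep's `-a -b -o` options; the device name and the tiny sample image are constructed.

```shell
#!/bin/sh
# Added example (not Trinux's own code): image a suspect disk, mount the image
# read-only, and search/extract bytes from it.  Assumes GNU or BusyBox dd and
# GNU grep (-a -b -o); device names and the sample image below are constructed.

# Image the whole device, never the mounted filesystem.  conv=noerror,sync keeps
# going past bad sectors and pads them so offsets in the image stay aligned with
# the disk.  Hash the image immediately; TCT/TCTUTILS tools can then run against
# the copy while the original stays untouched.
image_disk() {            # image_disk <device> <image>
    dd if="$1" of="$2" bs=4096 conv=noerror,sync
    md5sum "$2" > "$2.md5"
}

# Look at a filesystem inside the image without writing to it or running
# anything from it: read-only loop mount, no device nodes, no executables.
# (Trinux ships kernel modules for most filesystem types.)
mount_image_ro() {        # mount_image_ro <image> <mountpoint>
    mkdir -p "$2" && mount -o ro,loop,noexec,nodev,nosuid "$1" "$2"
}

# Byte offsets of every occurrence of an extended regex in a raw image.
# -a treats binary as text, -b prints the offset, -o makes -b report the
# offset of the match itself rather than of the surrounding "line".
find_offsets() {          # find_offsets <image> <ERE>   -> one offset per line
    grep -abo -E -- "$2" "$1" | cut -d: -f1
}

# Pull <count> raw bytes starting at <offset>, e.g. to recover a fragment once
# find_offsets has located it.
carve_bytes() {           # carve_bytes <image> <offset> <count>
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Constructed "image": junk bytes, a passwd fragment, more junk.  Prints its path.
make_sample_image() {
    img=$(mktemp)
    printf 'garbage\000\000\001\002root:x:0:0:root:/root:/bin/sh\n\000\377tail' > "$img"
    echo "$img"
}

img=$(make_sample_image)
find_offsets "$img" 'root:x:0:0:' | while read -r off; do
    echo "match at byte $off:"
    carve_bytes "$img" "$off" 32 | od -c
done
rm -f "$img"
```

The demo reports the passwd fragment at byte 11 of the constructed image and dumps the 32 bytes from there with od. On a real image the same two functions work against a multi-gigabyte dd copy; for recovery of whole deleted files rather than fragments, the TCT and TCTUTILS tools mentioned above operate on the same image.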