aHack: automated network auditing
aHack is essentially a re-implementation with permission
of Alec Muffet's AutoHack tool as described in his WAN-hacking with AutoHack paper.
aHack is essentially an engine for doing things to hosts on a
network and recording the results. These things range from
harmless information gathering to hostile actions such as breaking
aHack can be a very useful tool for gathering information about
large networks, so that questions like how many web servers do we
have can be answered.
Actually using aHack to break into systems can also provide
valuable information (and motivation to improve security) but should
only be done with the full knowledge and consent of the system
aHack is designed for probing WANs. It is able to expand a
simple IP address specification into all the matching addresses, and
test them for validity (can the address be ping'd or does it respond
to a UDP echo packet?). Validated addresses are then passed on to the
The first think aHack does with an address, is a TCP port
scan. It then uses snmp, rpcinfo and other harmless probes to gather
general information about the address. This information is often all
that is wanted, but can be used by the next phase.
It is amazing how many UNIX machines are running software which is
years behind the current release. In most cases this means the
machines are vulnerable to well known and easily implemented
aHack is supplied with a collection of "Attack" modules which
test for these known vulnerabilities and it is simple to add to the
If you have management support, you can let aHack
exploit the vulnerabilities it finds to actually break into the
system. In all the supplied exploits the goal is to create a harmless
file on the system to prove the breach but no more.
aHack can produce reports about the systems it has probed. A
secure host may show nothing more than the harmless information
gathered in the first phase, while an old or insecure system may
produce a report like:
host 192.168.10.2 rex
date Fri Sep 29 17:27:20 EST 1995
192.168.10.2 ***** sendmail security hole #1
192.168.10.2 ***** direct access as root
192.168.10.2 ***** confirm sendmail security hole #2
192.168.10.2 ***** confirm sendmail security hole #1
192.168.10.2 **** passwd file available via tftp
192.168.10.2 **** passwd file available via rcmd
192.168.10.2 **** might have sendmail security hole #2
192.168.10.2 **** got 12 passwd entries to crack
192.168.10.2 **** direct access as uucp
192.168.10.2 **** direct access as sys
192.168.10.2 **** direct access as sjg
192.168.10.2 **** direct access as operator
192.168.10.2 **** direct access as nobody
192.168.10.2 **** direct access as games
192.168.10.2 **** direct access as ftp
192.168.10.2 **** direct access as daemon
192.168.10.2 **** direct access as bin
192.168.10.2 **** direct access as adm
192.168.10.2 **** access via telnet as games with NO passwd
192.168.10.2 * version='Sendmail 4.0/SMI-4.0'
192.168.10.2 * uname: SunOS rex 4.0 sun
192.168.10.2 * sendmail='sendmail-5'
192.168.10.2 * info: last probed Thu Sep 28 23:00:20 EST 1995
192.168.10.2 * hostname='rex'
Keep in mind that on most UNIX systems, access as any unprivileged
user can quickly be turned into root access.
aHack is available under license, and is supplied with
source code and a useful collection of probe/exploit modules. A
porting service is available as is assistance for
developing additional probe modules.