aHack: automated network auditing

aHack is a re-implementation, made with permission, of Alec Muffett's AutoHack tool
as described in his paper "WAN-hacking with AutoHack".


aHack is an engine for doing things to hosts on a network and recording the results. These things range from harmless information gathering to hostile actions such as breaking into systems.

aHack can be a very useful tool for gathering information about large networks, so that questions like "how many web servers do we have?" can be answered.

Actually using aHack to break into systems can also provide valuable information (and motivation to improve security) but should only be done with the full knowledge and consent of the system owners.

Address testing

aHack is designed for probing WANs. It is able to expand a simple IP address specification into all the matching addresses, and test them for validity (can the address be pinged, or does it respond to a UDP echo packet?). Validated addresses are then passed on to the probe engine.

Information probing

The first thing aHack does with an address is a TCP port scan. It then uses SNMP, rpcinfo and other harmless probes to gather general information about the address. This information is often all that is wanted, but it can also be used by the next phase.

Vulnerability probing

It is amazing how many UNIX machines are running software which is years behind the current release. In most cases this means the machines are vulnerable to well known and easily implemented attacks.

aHack is supplied with a collection of "Attack" modules which test for these known vulnerabilities and it is simple to add to the collection.

Exploiting Vulnerabilities

If you have management support, you can let aHack exploit the vulnerabilities it finds to actually break into the system. In all the supplied exploits the goal is to create a harmless file on the system to prove the breach but no more.


aHack can produce reports about the systems it has probed. A secure host may show nothing more than the harmless information gathered in the first phase, while an old or insecure system may produce a report like:
    host rex
    date Fri Sep 29 17:27:20 EST 1995
    *****  sendmail security hole #1
    *****  direct access as root
    *****  confirm sendmail security hole #2
    *****  confirm sendmail security hole #1
    ****   passwd file available via tftp
    ****   passwd file available via rcmd
    ****   might have sendmail security hole #2
    ****   got 12 passwd entries to crack
    ****   direct access as uucp
    ****   direct access as sys
    ****   direct access as sjg
    ****   direct access as operator
    ****   direct access as nobody
    ****   direct access as games
    ****   direct access as ftp
    ****   direct access as daemon
    ****   direct access as bin
    ****   direct access as adm
    ****   access via telnet as games with NO passwd
    *      version='Sendmail 4.0/SMI-4.0'
    *      uname: SunOS rex 4.0 sun
    *      sendmail='sendmail-5'
    *      info: last probed Thu Sep 28 23:00:20 EST 1995
    *      hostname='rex'
Keep in mind that on most UNIX systems, access as any unprivileged user can quickly be turned into root access.
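To show how a report in this layout can be triaged by the people who own the systems, here is an added Python example (not part of aHack) that parses it into structured findings and summarises them by severity. It assumes the layout shown above: a "host" and "date" header line, then one finding per line whose leading run of '*' characters marks its severity (more stars, more severe).

```python
"""Parse an aHack-style probe report and summarise findings by severity."""
import re
from collections import Counter

# Constructed sample: a subset of the report shown above, transcribed by hand.
SAMPLE_REPORT = """\
host rex
date Fri Sep 29 17:27:20 EST 1995
*****  sendmail security hole #1
*****  direct access as root
****   passwd file available via tftp
****   got 12 passwd entries to crack
****   access via telnet as games with NO passwd
*      version='Sendmail 4.0/SMI-4.0'
*      uname: SunOS rex 4.0 sun
*      hostname='rex'
"""

# A finding line: a run of stars (the severity), whitespace, then the text.
FINDING_RE = re.compile(r"^(\*+)\s+(.*\S)\s*$")


def parse_report(text):
    """Return (header dict, list of (severity, finding) tuples).

    Lines that do not start with stars are treated as 'key value' header lines.
    """
    header, findings = {}, []
    for line in text.splitlines():
        match = FINDING_RE.match(line)
        if match:
            findings.append((len(match.group(1)), match.group(2)))
        elif line.strip():
            key, _, value = line.partition(" ")
            header[key] = value.strip()
    return header, findings


def summarize(text, min_severity=4):
    """Count findings per severity and list those at or above min_severity,
    which are the ones a system owner should remediate first."""
    header, findings = parse_report(text)
    counts = Counter(severity for severity, _ in findings)
    urgent = [finding for severity, finding in findings if severity >= min_severity]
    return {"host": header.get("host"), "counts": dict(counts), "urgent": urgent}
```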


aHack is available under license, and is supplied with source code and a useful collection of probe/exploit modules. A porting service is available, as is assistance for developing additional probe modules.


Copyright © 1997-2001 Crufty.NET