ATK FAQ (Frequently Asked Questions)
Last update: 2005/01/16 by Marc Ruef
Why should I use the ATK?
If you are interested in checking the security of a system, you can do this with various tools and techniques. The ATK is one of the possible choices to fulfill your task.
When should I use the ATK?
The ATK is perfect to verify a specific vulnerability, perhaps found by another scanning or enumeration utility. If you are not sure whether your (closed-source) security scanner has just detected a false positive (or negative), you can determine the real existence of the potential flaw. It is also possible to do a real exploitation of the weakness, a very important and characteristic step in every penetration test.
Is it legal to use the ATK?
The use of security scanners is usually legal as long as you have the permission to check a target system and the testing does not affect other systems (e.g. routers of other networks).
Is the ATK not a tool just for script kiddies and hackers?
This is a philosophical question and the answer is not easy. The ATK can make an attack easier, but it is not possible to hack a system without understanding the exploited vulnerability or the handling of the software. The ATK was written to make my work (security auditing and penetration testing) easier and more efficient. I think many people in the IT security business can gain the same benefit from the ATK, so I made the whole project public. I do not want to support people who attack or destroy systems just for fun or profit. But it seems to be impossible to publish a tool and not make it reachable for evil people. As long as people use the ATK for testing and securing their systems, the ATK project will be public and available for everyone who wants to take a look at it.
Why should I prefer the ATK instead of another security scanner (e.g. Nessus)?
The ATK has in many ways different approaches to fulfill a task. Let me show you an example: The checking of a potential vulnerability is done like in Nessus and many other vulnerability scanners. But in Nessus you don't have the ability to do a slight modification of a check. The ATK gives you the ability to change everything in a plugin within seconds. I usually choose a few security scanners for a security audit. So I can do some specific checks very optimized and cross-check possible flaws. You find a listing of the well-known security scanners with pros and cons in the links section. The following table shows some possible criteria to evaluate a vulnerability scanning solution (September 2004):
* Whether a standalone or a client/server based solution is better depends on the needs of the user. Many users don't like client/server based solutions because of the overhead. In this comparison I count the possibility of client/server usage as a pro.
Is the ATK better than other security scanners?
The answer to this question depends on your needs. In a very large security assessment you may count on the high speed of GFI LANguard to gather all information as quickly as possible. In a specific penetration test you may want to have the ability to do a quick modification of an access attempt. In this case the ATK may be the first choice. The ATK is more an addition to classic security scanners (e.g. nmap or Nessus) and not a replacement.
My anti virus solution says there is a virus in the ATK. What is this all about?
Some anti virus solutions list the ATK as a hacking tool or exploit. But this does not mean that the tool is or contains a virus. Some anti virus solutions also alert if a joke utility, the client part of a remote control software or a popular security tool is found. The ATK 1.0 was first detected on 26/07/2004 as HackTool.Win32.AttKit.a. How the anti virus solutions will react to ATK 2.0, or whether they are able to detect it at all, is not known yet. The reason for the detection of a non-virus is that the developers of the anti virus solution can advertise their software with more "detection rules of computer viruses". Thus, this is just a marketing strategy. Some anti virus solutions are able to deactivate the detection routine for non-viruses such as security utilities. If you have got a problem with your anti virus solution because you want to use the ATK, please deactivate such a detection. ATK is open-source, so everyone has access to the source code of the software and is able to compile from these open sources. If you don't trust a compiled version of the software, please feel free to analyze the source code and report problems. All files from the ATK project are scanned for viruses on a regular basis with different and up-to-date anti virus solutions (e.g. TrendMicro Antivirus, Avast Antivirus, AntiVir Personal Edition). To be sure that there is no virus infection, please scan the files with your anti virus solution too and contact me if an additional possible infection is found.
What anti virus solutions detect the ATK as a hacking tool or exploit?
As far as I know, the following anti virus solutions are able to detect the ATK. If you know another software with the ability of detection, please inform me.
When I try to start the software I get an error message that some OCX files are missing. What now?
As described before, ATK is written in Microsoft Visual Basic 6.0. Visual Basic projects often need some libraries to run correctly. The three files COMDLG32.OCX, MSCOMCTL.OCX and MSWINSCK.OCX are used to display some special elements and to do the socket handling. You have to download these files and put them in the system32 directory of your Windows directory (usually C:\WINDOWS\system32\). You'll get the files in the download section.
When I am starting the ATK I get the error message that an OCX file may be outdated. What now?
This error occurs if there is a version conflict of the specified OCX file. If the OCX file in the working directory of the ATK and the installed OCX file in the system32 directory of your Windows operating system are not the same, you will not be able to start the application. This usually happens with older Windows systems such as Microsoft Windows 95, 98 and ME. The newer Windows 2000 and XP are usually not affected. There are several ways to solve this problem. The best one is to back up the older file and to overwrite the older version of the file with the newer one. Usually copying the OCX file from the ATK directory to your system32 directory (e.g. C:\WINDOWS\SYSTEM32) fixes the problem. I may prevent such errors in upcoming releases of the ATK by using an installer and setup routine.
Is it possible to limit the scanning features to let admins just audit their hosts?
No, this is not possible. Everyone who can start ATK on his machine is able to use the software with all the features. Only Nessus allows such a limitation of scanning. Symantec NetRecon has the ability to limit the program start with a simple password.
Why is the ATK not client/server based?
In some discussions the request came up that ATK should be client/server based as Nessus is. This approach has some interesting advantages, but they don't seem important for the classical goal of ATK. But it may be possible that future versions of ATK are client/server based.
Is it possible to run the ATK under Unix/Linux?
Not really. I did some tests with the ATK 2.1. It was possible to start the software within my Debian GNU/Linux wine environment. But when starting an attack there was an error message. When I was developing the ATK I was not very aware of being able to run the ATK with wine. But I think in further releases this compatibility may be available. If somebody knows how to do this successfully, please feel free to contact me.
What kind of plugins are supported by the ATK?
First, the ATK's own plugins are supported. Additionally, Nessus plugins written in NASL can be imported. But this part of the code is still experimental and sometimes won't work correctly. If there is a NASL and an ATK plugin for the same check around, please prefer the ATK plugin. It may be possible that in the future other plugins or methods are supported.
Why was Nessus NASL support not implemented in ATK 3.x?
The support for Nessus NASL plugins was implemented since the first official release of the ATK. This feature was very experimental and just a bunch of simple pattern based plugins were supported. With the release of ATK 3.0 I decided to drop this highly experimental feature to minimize the size of the project and to increase the speed of the application. As I got many emails concerning this decision, I began to re-introduce a completely new routine for the Nessus NASL support in ATK 4.0. It is possible to load most of the network based plugins. Especially pattern matching based ones are imported very well and are usable like the originals. If you are interested in using Nessus NASL plugins please upgrade at least to ATK 4.0.
What is a silent check?
A silent check is a check that is done without touching the target host. You could gather a banner of a host and then look if any of the imported plugins detect a potential flaw. This increases the speed of an audit enormously. Nessus calls this feature "KB saving" (Knowledge base). It is documented in the Nessus project at http://www.nessus.org/doc/kb_saving.html. Other security scanners sometimes do nearly or exactly the same attempt for two different checks. That causes a higher amount of network traffic and data analysis. Silent checks should always be activated. You won't lose anything.
I don't understand the points in my scan report. Can you help me?
Not really. It doesn't make sense that you use a security scanner if you don't understand how security works. You could post your question on a board and hope that somebody helps you out.
Is the ATK able to fix a detected vulnerability automatically?
The plugin may use the detected vulnerability to send a command that fixes the exploited flaw. This needs some additional requests in the plugin besides the detection and exploiting procedures. Be aware that this may cause uncontrollable conditions, as usual in automated reaction and fixing environments. It is planned for a further release to split the plugin request procedures into different parts. The normal procedure will detect the vulnerability. Another one will make it possible to fix a detected bug with additional techniques.
In which language is the ATK written?
It is written in Microsoft Visual Basic 6.0. See http://msdn.microsoft.com/vbasic/ for more details. It is planned to port the software to Visual Basic .NET. Perhaps ATK 3.x will be using the .NET framework.
Why is the ATK written in Visual Basic (VB)?
A question I hear all the time. Well, first I started the ATK as a very handy tool that should realize small checks (e.g. banner grabbing). I enhanced the software more and more, so I got a fully functional vulnerability scanner. Now I am too lazy to do a C port (or whatever) of the software. Visual Basic has some really ugly and nasty points, but most of them can be worked around with a smart programming technique. Most of them can be pointed out by automated software. I documented some of the used optimizing techniques. See the documents for the essay. As long as the software works fast and reliably, I don't see a really good reason to invest a large amount of my time to port the software. If somebody else would like to do it (a Linux port would be great), I will support the idea.
The source code is sometimes not really easy to read. Why?
The main goal of productive software is to do the wanted work. I think that this wanted work should also be done as fast as possible. So I spent most of the time optimizing the source code for fulfilling the goals. And it is no surprise that if you optimize source code, some parts of it are not easily readable anymore.
Why is the ATK written for Windows?
On Unix/Linux there is Nessus around, a very good software to check an environment for potential flaws. A Windows-only version of Nessus is not available. There are just some more or less good ports of the Nessus client around. But you always need a Nessus server on a Unix operating system; without it Nessus cannot be used. On Windows there are some vulnerability scanners around. GFI LANguard is good to gather the information in a network. It is shareware. The big players are ISS Internet Scanner and Symantec NetRecon; both are closed-source and commercial. Thus, you have nearly no chance to do a security audit on Windows without being dependent on Unix/Linux or spending a lot of money for a commercial solution. I wanted an open tool for Windows only that helps me to do the work I could only do with Unix/Linux or a commercial product on Windows. See "Why should I prefer the ATK instead of another security scanner (e.g. Nessus)?" for more details on the benefit of using the ATK instead of other similar solutions.
In which language are the ATK plugins written?
Every ATK plugin is saved as a single ASCII file. So it is possible to edit them without specialized software and knowledge of proprietary encoding techniques. A plugin consists of a set of different fields. These provide values for specific topics (e.g. name of the plugin, used protocol). The scanning routine of a plugin is written in a very handy scripting language. You'll find more information on how to write a plugin in the plugin documentation.
How long does it take to write a vulnerability check?
Well, this depends on your knowledge of the ATK plugin structure, the use of the preferred editor and the complexity of the check you want to implement. I create most ATK plugins with the internal plugin editor. A normal check or exploit attempt takes me approximately 10 minutes to develop. It is no surprise that I was able to write more than 20 plugins in a single day. This proves the ease and modularity of the ATK project and the ATK plugin scripting language. Changing an existing plugin is also possible during runtime within a few seconds.
How do I write a new plugin and how should it be published?
First of all I have to say that the plugin development is working very independently. This means everybody is able to create new plugins and publish them. If an ATK plugin developer thinks his plugin should be published in the official ATK plugin repository, he can send it to me and I put it online. All the credits for creating a plugin are given to the initial developer (there are special remark fields supported for that!). I think this is not a problem because just a bunch of people are writing new checks. The chance that two people develop the same plugin at the same time is very small. And if this happens it may be possible to merge the files to get a better plugin with more detailed information. Or perhaps we find out that there are several ways to detect the same flaw. The technical development of an ATK plugin is very easy. First of all download the (latest) release of the ATK software on the project web site at http://www.computec.ch/projekte/atk/. After unzipping/installing the software, start the application by opening the EXE file. When the application is loaded, click on the Edit button in the ToolBar menu. A new frame should open. In this one you are able to create new plugins or edit existing ones. As you can see there are different fields that have to be filled. Usually fields like plugin_name or bug_description are recommended due to their usefulness for the users. The core fields of a check are the detection and exploiting routines (see the Attack Data tab). In these the whole "programming" of the check is done. There are different simple commands used to open network connections, send data and search for patterns. The easiest way to get in touch with the ASL (Attack Scripting Language) is to click with the right mouse button in one of these procedure textboxes. Afterwards a small context menu opens. By using the "Add command" and "Add template" entries new commands can be inserted very quickly. I am able to create a working pattern matching based plugin within 5 minutes. If this is the first time you are using a scripting language or creating an ATK/NASL plugin, you may copy and edit an existing plugin. Most web server checks with pattern matching are very easy to understand. A good example is ATK plugin id 1 (Apache web server detection). The commands are "open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/1.[0-1] ### *Server: Apache*".
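As an added example (not the ATK's own code or plugin file format), the following Python script shows what the plugin id 1 command chain quoted above does, and how the silent check described under "What is a silent check?" evaluates the same chain against a banner gathered earlier instead of opening a new connection to the host. Everything beyond the quoted chain and the field names plugin_name and bug_description is an assumption made for this example: the "field=value" file layout, the protocol and port fields, the reading of "###" as "all sub-patterns must match", of "*" as a wildcard and of "sleep" as "wait for and read the reply", and the two constructed HTTP banners.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed plugin text. The FAQ only says a plugin is one ASCII file made of
# fields (plugin_name, bug_description, ...) plus the ASL command chain quoted
# for plugin id 1; the "field=value" layout and the protocol/port fields are
# assumptions made for this example, not the real ATK file format.
PLUGIN_APACHE = """\
plugin_id=1
plugin_name=Apache web server detection
bug_description=Detects an Apache banner in the HTTP response header
protocol=tcp
port=80
detection=open|send HEAD / HTTP/1.0\\n\\n|sleep|close|pattern_exists HTTP/1.[0-1] ### *Server: Apache*
"""

# Constructed HTTP responses standing in for banners gathered earlier in an
# audit (the knowledge base a silent check is evaluated against).
BANNER_APACHE = "HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix)\r\nContent-Type: text/html\r\n\r\n"
BANNER_IIS = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n\r\n"


def parse_plugin(text: str) -> Dict[str, str]:
    """Parse 'field=value' lines; everything after the first '=' is the value."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed plugin line: {line!r}")
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_chain(chain: str) -> List[Tuple[str, str]]:
    """Split a '|'-separated ASL chain into (command, argument) pairs."""
    steps = []
    for step in chain.split("|"):
        cmd, _, arg = step.strip().partition(" ")
        steps.append((cmd, arg))
    return steps


def pattern_exists(pattern: str, data: str) -> bool:
    """Evaluate a pattern_exists argument against captured data.
    Assumptions: '###' separates sub-patterns that must all match, '*' is a
    wildcard, and the rest is regex syntax (the FAQ's own pattern already uses
    the character class "[0-1]")."""
    for sub in pattern.split("###"):
        regex = sub.strip().replace("*", ".*")
        if re.search(regex, data, re.DOTALL) is None:
            return False
    return True


def _recv_until_quiet(sock: socket.socket, timeout: float) -> str:
    """Read until the peer closes or stays silent for `timeout` seconds."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks).decode("latin-1")


def run_chain(steps: List[Tuple[str, str]], banner: Optional[str] = None,
              host: Optional[str] = None, port: int = 80,
              timeout: float = 5.0) -> Optional[bool]:
    """Execute an ASL chain. With a stored banner this is a silent check: the
    network commands are skipped and only pattern_exists runs on the stored
    data. Without a banner the chain runs live against host:port ('sleep' is
    taken as "wait for and read the reply", an assumption)."""
    data = banner if banner is not None else ""
    sock: Optional[socket.socket] = None
    result: Optional[bool] = None
    for cmd, arg in steps:
        if banner is not None and cmd in ("open", "send", "sleep", "close"):
            continue  # silent check: never touches the host
        if cmd == "open":
            sock = socket.create_connection((host, port), timeout=timeout)
        elif cmd == "send":
            # The plugin file carries the request with literal "\n" escapes.
            sock.sendall(arg.replace("\\r", "\r").replace("\\n", "\n").encode("latin-1"))
        elif cmd == "sleep":
            data += _recv_until_quiet(sock, timeout)
        elif cmd == "close":
            sock.close()
            sock = None
        elif cmd == "pattern_exists":
            result = pattern_exists(arg, data)
        else:
            raise ValueError(f"unknown ASL command: {cmd!r}")
    return result


def silent_check(plugin_text: str, banner: str) -> Tuple[str, bool]:
    """Run a plugin's detection chain against a banner gathered earlier."""
    fields = parse_plugin(plugin_text)
    steps = parse_chain(fields["detection"])
    return fields["plugin_name"], bool(run_chain(steps, banner=banner))


if __name__ == "__main__":
    for label, banner in (("apache host", BANNER_APACHE), ("iis host", BANNER_IIS)):
        name, hit = silent_check(PLUGIN_APACHE, banner)
        print(f"{label}: plugin '{name}' -> {'detected' if hit else 'not detected'}")
```

Run stand-alone, the script evaluates plugin id 1 against the two constructed banners and reports a hit only for the Apache one; calling run_chain without a banner executes the same chain live, which is exactly the traffic the silent check saves when a banner is already known.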
How is quality assurance of the software and the plugins done?
I compile, check and test new software releases and plugins on and against different systems. If large parts of the code have changed, my beta testers have to verify first that the new parts are stable. For example the alpha and beta test before the first release of ATK 1.0 needed over 3 months: Alpha test from 2003/11/01 to 2004/01/20 and beta test from 2004/02/11 to 2004/02/30; this included hundreds of compilations and thousands of virtual security audits. If the new release passes the tests, the new version is put on the web site. I use the ATK in all of my security audits and penetration tests, so I find most bugs in the wild very quickly. Also the public release of the software and the source code helps to improve the solution.
Why were the initial alpha and beta tests not public?
These tests were done with an absolutely unstable version of the software. I knew that there were many bugs around and some of the implemented features did not work properly. But I wanted to see what some other people I know, who understand the principles of my idea, would find. They did a great job and pointed out some bugs I hadn't seen. This generated enough work for me, so I had enough to do during the last two months before the initial stable release of 1.0. It would be senseless to offer the buggy software to a large number of people, because this would generate an information exchange overhead that decreases the programming productivity. And the programming productivity is the most important thing before an initial release.
Which license underlies the ATK and its parts?
The ATK and its parts underlie the General Public License (GPL) if not stated otherwise. The use of the software is free. Also the source code is available and can be edited as long as the edited version underlies the same license. Please read the GPL for more information.
What is the benefit of an open-source scanning solution?
The first benefit is the ability to see into the product. If you have a question about how something is done or why a result is given, you can do a first check of the source. False positives and negatives can be eliminated with a small investigation. Stephen Northcutt and Judy Novak also postulate such a state for Intrusion Detection Systems (IDS) in their best-selling book "Network Intrusion Detection". An open-source solution also ensures a global development of the software. Because everyone can check the source code, bugs and errors can be found and fixed very quickly. This is the main reason why Nessus grew to such a big player in the business.
I found a bug in the software or a part of it. What should I do?
The best approach is to send me a bug report. This should include a short description of the potential bug. Perhaps I will ask a few questions so I can reproduce the bug. Then I will fix it as soon as possible. It may also be possible that you send me a patch for the source code, if you can do this part yourself.
I would like to have some new fields in the plugins. Can you implement them?
Sure. Just send your suggestions to me, I will check them and try to implement your wishes in the next release of the ATK software. The solution is not limited in such cases. If you think my implementation procedure is not fast enough, feel free to do the changes in the open-source code yourself. I would be happy if you let me know which changes you have made, why and how. So I can add them in the next official release of the ATK software too.
How can I support the ATK project?
You can support the ATK project in many different ways: This starts with putting a link to the project on your website, goes on to writing plugins and ends with developing the core parts of the software. If you want to help the project, please drop me an email so we can co-ordinate the further steps. Please be aware that I sometimes need a really long time for a response.
I want to write about the ATK project. Can you support me?
Please feel free to write about the project (e.g. an article or just a link tip). If you need some additional information about the project and the software, drop me an email. I try to respond very quickly to help you. If you already have written something, please inform me so I can put this information (and the article) on the project web site.