Auditor: The security tool collection


By Mikael Vingaard

To get started, download the latest image of Auditor and burn it as a bootable image. Remember to use the image option — just copying the file will not produce a bootable image. After you have successfully written the image to disc, you can start Auditor directly from the CD. It will not install any permanent software on the hard disk unless you request it to, so don’t be nervous to use Auditor on a client workstation.

The structure of Auditor

Auditor’s menu is divided into several “tool groups” for easy recognition:

  • Footprinting — Applications to gain initial knowledge about a server, such as Whois and Dig.
  • Analysis — Tools to analyze a network, such as Ethereal.
  • Scanning — Tools to scan the network, such as Nmap.
  • Wireless — Applications to test the wireless network.
  • Brute-forcing — The brute-force password cracking word list holds more than 64 million word entries, according to the Auditor Web site.
  • Cracking — Cracking tools to be used with the brute-force word lists.


How can Auditor help you with IT security?

Many security engineers arrive on a client’s site and find that the network documentation required for solving the task properly is incorrect or even obsolete. In Auditor’s Scanning submenu you’ll find the Nmap network scanner. You can choose the traditional shell version or Nmap FE, which provides a graphical front-end for Nmap.


After you have gained a basic overview of the network you can use NBTScan, a NetBIOS name scanner, and Nessus, a vulnerability scanner. If the audit includes Web applications, try the Nikto and Amap application scanners.

Let’s say you’ve been called in to examine a possible compromised server, and until the integrity of the server has been established you are not allowed to install any forensic software or even take the server offline. You can take your Auditor CD and start running the chkrootkit utility to see if any known rootkits are installed on the server. If you find any suspicious activity, you can take a disk image with the dd command and examine it for any possible rootkits or strange processes. You can also use the Autopsy Forensic Browser, a graphical interface that can analyze Windows, Linux, and BSD file systems (NTFS, FAT, Ext2/3) to search for files. If you are analysing a Linux or Unix system, you can use Nibbler to extracts known offsets from binaries to find hidden trojan horses.

Suppose you’ve been asked to do the security survey on a wireless network for possibly weaknesses. Auditor includes the Kismet and wellenreiter wireless analyzers, which both support automatic hardware identification, helping you avoid wasting time configuring your wireless card. Also on the Auditor CD is Airodump, a kind of wireless TCPdump application which can capture packets to assist in brute force analysis of the data later. Furthermore, there are many crackers, including some against WEP encryption to crack the wireless key. Another interesting application is hotspotter, a program for wireless client hijacking.

In addition to all the security tools Auditor includes several common useful applications, such as the Firefox and Konqueror Web browser and some text editors. You can write full reports directly from the Auditor CD and either burn the result on a CD with the Cdrecord program or place it on a remote server with either SSH or remote desktop tools.