February 28, 2007

Securing Linux by breaking it with Damn Vulnerable Linux

Author: Mayank Sharma

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop -- it's a learning tool for security students.

DVL is a live CD available as a 150MB ISO. It's based on the popular mini-Linux distribution Damn Small Linux (DSL), not only for its minimal size, but also for the fact that DSL uses a 2.4 kernel, which makes it easier to offer vulnerable elements that might not work under the 2.6 kernel. It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.

DVL was initiated by Thorsten Schneider of the International Institute for Training, Assessment, and Certification (IITAC) and Secure Software Engineering (S²e) in cooperation with Kryshaam from the French Reverse Engineering Team.

"The main idea behind DVL," says Schneider, "was to build up a training system that I could use for my university lectures." His goal was to design a Linux system that was as vulnerable as possible, to teach topics such as reverse code engineering, buffer overflows, shellcode development, Web exploitation, and SQL injection.

Schneider says that DVL's sole purpose is to give users as many security tools and training options as possible. "DVL is made by people with significant black hat backgrounds, incorporating the community of ReverseEngineering.net and Crackmes.de. It contains a huge amount of lessons, including lesson descriptions and solutions if the level has been solved by a community member at Crackmes.de.

"We wanted to build up a plug-and-play system. Simply run DVL in a virtual machine, with all the required tools installed, [and you have] functional training lessons included, ready to go."

Josh Sweeney, a security expert working for SPI Dynamics and editor of SecurityDistro.com, agrees. "The DVL staff," he says, "recognized that most of the tutorials on the Internet were either hard to follow, didn't work, or were just too advanced for many users. They packaged tools, workbooks, text tutorials, and exploits into one easy-to-use live distribution, then took the extra step to create their own video tutorials."

Sweeney believes that DVL as a learning distribution will most likely be paired with security distributions like OWASP LabRat and Hakin9. "The main difference in LabRat is that it is being purpose-built for Web application security and OWASP tools. Hakin9 is also a great learning CD, but only if you get the CD with the magazine. The downloadable ISO does not contain all of the tutorials that are in the magazine version. To the best of my knowledge there are no other live security distributions made specifically for learning. BackTrack, nUbuntu, Knoppix-STD, and others are built for security professionals to use on their own. They can be used for learning but were not purpose-built for that task."


DVL bundles a set of break-in exercises with their solutions and exploits. The exercises demonstrate various PHP exploits and can be accessed from a Web browser. For the exploits, you have to use the command line and various CLI and GUI tools.

I'd advise anyone interested in the distro to download the videos available on DVL's Web site. The first steps video is an introduction to DVL, where you get a tour of the distribution along with a brief description and overview of the various tools. Once you are comfortable with DVL, download the first lesson video, which details a buffer overflow.

The videos aren't included in the distribution, to keep its size down. But it would be nice to have two versions of DVL -- a vanilla version with only the tools, and an extended version with the videos as well.

So what exactly does one learn?

Security is a wide topic and security issues can arise from almost everywhere. Schneider says the tutorials are split into three parts. "The first is about binary exploitation, buffer overflows, format string vulnerabilities, or shellcodes. The second is about Web exploitation such as SQL injection, path retrieval, and Web site insecurity. The third part is about reverse code engineering and copy protection analysis and teaches how vulnerable copy protections are in reality."

"The one thing that sets DVL apart the most," Sweeney says, "is the focus on buffer overflows and disassembly." Disassembly, he says, is often talked about in conjunction with buffer overflows and reverse engineering. "Disassembling is when someone breaks down a program into the assembly language for further analysis. By doing this, users can analyze code at a very low level and look for security issues. There have been many excellent papers on the subject over the years, but these generally don't come with learning tools in a self-contained, easy-to-use environment."

More releases and videos coming up

Since DVL isn't a normal distribution, I asked Schneider how the developers plan to release updates. He promises upcoming releases with more tools, such as the Metasploit framework, while later releases will focus more on the training material and lessons. "The next release will be a tool release mainly, with a few more training lessons. After this we focus on the tutorial section. However, one of the next releases will contain a perverted Linux kernel which is highly vulnerable. Also we are planning to extend DVL into a hacking wargame."

Many projects that have promised great things have failed to deliver. There are currently just two videos available on DVL's Web site, though they are very detailed. "The training video section will grow soon," Schneider promises. "However, producing such videos takes a lot of time and so the progress appears slow to some people. But we'll try to speed up. Text tutorials depend on the community, since the more the community helps, the faster the tutorial section grows. However, people can add their own challenges via the Crackmes.de Web site. This will spawn DVL tutorials faster."

DVL is an interesting distribution with an interesting goal. Even though I am not a security student, I was able to follow and try out a buffer overflow exploit. DVL has enough lessons to keep one occupied for quite some time. If Schneider sticks to his plans and puts out tutorials and lessons at a steady pace, DVL will continue to be a great learning tool.
