Date: Mon, 7 Dec 1998 03:03:22 -0600 From: Mark Spencer <markster@MARKO.NET> Subject: Cheops To: BUGTRAQ@NETSPACE.ORG I've been developing a new network administration and access tool for Linux called Cheops. From the README: "Cheops is a network "swiss army knife". It's `network neighborhood' done right (or gone out of control, depending on your perspective). It's a combination of a variety of network tools to provide system adminstrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem." Now, while Cheops is designed to give the administrator and the user a powerful view of their networks, but it could also be used to provide a cracker with a view of your network as well. The purpose of this message is two fold: (a) to inform of the availability of cheops, and encourage people to see if it can help them with maintaining their network and (b) to educate as to the methods employed by cheops to help preempt its potential use as a "point-and-hack" interface. Technologically, there is nothing new about cheops. It uses techniques from traceroute, queso, and halfscan to determine network topology, operating systems, and services. What is somewhat new about cheops is the interface that it presents the user of the network, much like files are represented with a file manager. Right clicking on a host presents a menu of services and easy point-and-click access to them. Rudimentary mapping functionality is also available. So, signs that someone is using cheops on your network would include: * Ping activity (discovery) * lots of traceroute activity (cheops uses the same ports as traceroute) * TCP packets with unusual flags (queso-style OS detection) * Half-scaning (for determining the menu, only when someone right-clicks a host) For more information on Cheops, please see its web site at http://www.marko.net/cheops or download it at ftp://ftp.marko.net/pub/cheops. Cheops builds on glibc Linux systems with the GTK (libc5 also works, but you must edit the Makefile and possibly a header file) and is distributed under GNU GPL. I eagerly welcome any comments or suggestions regarding cheops from both a user/administrator perspective and a security perspective. Mark