Matt's Web World presents...

Established November 1, 1995.
Last updated on June 17, 2009.
Welcome to my Unix security page! This page is not
a complete listing of Unix security information and tools. What is hosted
here is what I personally find useful and/or interesting. Hyperlinks to other
sites are provided at the bottom of this page for those seeking something not listed here.
Thanks to everyone who has referenced and linked to this site over the years! This is now the
#1 site listed on Google when searching for "unix security"!
Does this make it the most popular Unix security site on the net? 
For those who might think it unwise to publicly disclose security holes
and the techniques used to pass through them, I urge you to read Charles Tomlinson's
Rudimentary Treatise on the Construction of Locks.
These links aren't really Unix-related, but they are security-related, and you may find them interesting:
Everything here is provided for informational purposes only. The presence of any link on this page is not
an endorsement of its content. And I certainly do not endorse unauthorized access to other people's
computers! Property rights exist and should be respected.
June 17, 2009:

There Be Dragons...
The file archive uses various extensions, sometimes with multiple
extensions in series. The extensions are summarized in the following table
and links to the utility software needed to read these formats are provided.
| Extension | File Format Info |
|---|---|
| .c | 'C' language source file. Use gcc to compile to machine code. |
| .gz | Gzip compressed file. Use gzip or Winzip to decompress these files. |
| .pdf | Adobe Acrobat file. Use Acrobat Reader to view and print these files. |
| .ps | Adobe Postscript file. Use Ghostview to view and print these files. Ghostscript also does Postscript-to-ASCII conversions. |
| .tar | Unix Tape Archive file. Use your Unix's native tar command or on Windows try Winzip to handle these files. |
| .txt | ASCII Text file. Use a standard text editor or browser. |
| .zip | PKZip compressed file archive. Use Info-Zip or Winzip to handle these files. |
Sorted alphabetically by author name.
The papers here were originally in Adobe Postscript (.ps) format. I have converted them
all to Adobe Acrobat (.pdf), since this is the successor format from Adobe and has many
advantages over Postscript. Mostly I just wanted to be able to click the link for
the paper and read it on my Win2k workstation's screen. Using GhostScript worked,
but it was a pain.
The Postscript .ps files are all gzip'd and therefore end in .ps.gz.
The .pdf PDF files are almost as small as their gzip'd counterparts
and therefore have not been compressed; just click and read (or print)!
- Unix Computer Security Checklist
AUSCERT, Australian Computer Emergency Response Team; 1995; ASCII Text; 89k
- A comprehensive checklist for securing your Unix box.
- Packets Found on an Internet
Bellovin, Steven M.; 1993; Acrobat format; also available in Postscript format
- A very interesting paper describing the various attacks, probes, and miscellaneous packets
floating past AT&T Bell Labs' net connection.
- Security Problems in the TCP/IP Protocol Suite
Bellovin, Steven M.; 1989; Acrobat format; also available in Postscript format
- A broad overview of problems within TCP/IP itself, as well as many common application
layer protocols which rely on TCP/IP.
- There Be Dragons
Bellovin, Steven M.; 1992; Acrobat format; also available in Postscript format
- Another Bellovin paper discussing the various attacks made on att.research.com.
This paper is also the source for this page's title.
- An Advanced 4.3BSD IPC Tutorial
Berkeley CSRG; date unknown; Acrobat format; also available in Postscript format
- This paper describes the IPC facilities new to 4.3BSD. It was written by the CSRG as
a supplement to the manpages.
- NFS Tracing by Passive Network Monitoring
Blaze, Matt; 1992; ASCII Text
- Blaze, now famous for cracking the Clipper chip while at Bell Labs, wrote this paper
while he was a PhD candidate at Princeton.
- Network (In)Security Through IP Packet Filtering
Chapman, D. Brent; 1992; Acrobat format; also available in Postscript format
- Why packet filtering is a difficult-to-use and not always secure method of securing a network.
- An Evening with Berferd
Cheswick, Bill; 1991; Acrobat format; also available in Postscript format
- A cracker from the Netherlands is "lured, endured, and studied."
- Design of a Secure Internet Gateway
Cheswick, Bill; 1990; Acrobat format; also available in Postscript format
- Details the history and design of AT&T's Internet gateway.
- Improving the Security of your Unix System
Curry, David, SRI International; 1990; Acrobat format; also available in Postscript format
- This is the somewhat well-known SRI Report on Unix Security. It's a good solid starting
place for securing a Unix box.
- With Microscope & Tweezers
Eichin & Rochlis; 1989; Acrobat format; also available in Postscript format
- An analysis of the Morris Internet Worm of 1988 from MIT's perspective.
- The COPS Security Checker System
Farmer & Spafford; 1994; Acrobat format; also available in Postscript format
- The original Usenix paper from 1990 republished by CERT in 1994.
- COPS and Robbers
Farmer, Dan; 1991; ASCII Text
- This paper discusses a bit of general security and then goes into detail regarding
Unix system misconfigurations, specifically ones that COPS checks for.
- Improving The Security of Your System by Breaking Into It
Farmer & Venema; 1993; HTML
- An excellent text by Dan Farmer and Wietse Venema. If you haven't read this before, here's
your opportunity.
- A Unix Network Protocol Security Study: NIS
Hess, Safford, & Pooch; date unknown; Acrobat format; also available in Postscript format
- Outlines NIS and its design faults regarding security.
- A Simple Active Attack Against TCP
Joncheray, Laurent; 1995; Acrobat format; also available in Postscript format
- This paper describes an active attack against TCP which allows re-direction
(hijacking) of the TCP stream.
- Foiling the Cracker
Klein, Daniel; 1990; Acrobat format; also available in Postscript format
- A Survey of, and Improvements to, Password Security. Basically a treatise on how to
select proper passwords.
- A Weakness in the 4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985; Acrobat format; also available in Postscript format
- This paper describes the much ballyhooed method by which one may forge packets with
TCP/IP. Morris wrote this in 1985. It only took the media 10 years to make a stink
about it!
- Covering Your Tracks
Phrack Vol. 4, Issue #43; Acrobat format; also available in Postscript format
- A Phrack article describing the Unix system logs and how it is possible to reduce the
footprint and visibility of unauthorized access.
- Cracking Shadowed Password Files
Phrack Vol. 5, Issue #46; Acrobat format; also available in Postscript format
- A Phrack article describing how to use the system call password function to bypass
the shadow password file.
- Thinking About Firewalls
Ranum, Marcus; 1992; Acrobat format; also available in Postscript format
- A general overview of firewalls, with tips on how to select one to meet your needs.
- Addressing Weaknesses in the Domain Name System Protocol
Schuba, Christoph L.; 1993; Acrobat format
- Describes problems with the DNS and one of its implementations that allow the abuse of name based authentication.
- Public Key Certification & Secure File Transfer
Schuba & Sheth; approx. 1994; Acrobat format
- This document describes secure file transfer between agents, providing confidentiality and integrity of transferred
files, originator authentication, and non-repudiation.
- Countering Abuse of Name-based Authentication
Schuba & Spafford; approx. 1994; Acrobat format
- Discusses conceptual design issues of naming systems, specifically DNS, and how to address the shortcomings.
- TCP Wrapper
Venema, Wietse; 1992; Acrobat format; also available in Postscript format
- Wietse's paper describing his TCP Wrapper concept, the basis for the TCP Wrappers security and
logging suite.
- Generic Unix Security Information
CERT Advisory Team; 1993; ASCII Text
- A good general commentary on Unix security, with specific places to look for suspicious files
if you believe your machine's security may be compromised. It's a bit dated, so don't pay attention
to the version numbers (Sendmail 8.6.4 is definitely not current anymore!)
- HP-UX Boot Single User
- The magic incantation for booting an HP-700 series machine into single user mode.
- IP Spoofing
CERT Advisory Team; 1995; ASCII Text
- Not too exciting, but useful for the uninitiated.
- Securing Anon FTP Servers
CERT Advisory Team; 1995; ASCII Text
- This CERT advisory details the access permissions and server configuration which
should be followed to prevent anonymous FTP security breaches.
- Source Routing Info
- An interesting discussion of TCP/IP stuff from comp.security.unix.
- TCP SYN Flood (Phrack)
- From Phrack Volume 7, Issue 48. Includes explanation of this denial-of-service
attack as well as Linux source implementation.
- TCP SYN Flood (CERT)
- Here's the CERT advisory warning of the above article.
Sorted alphabetically by name.
- arnudp.c
- Source code demonstrates how to send a single UDP packet with
the source/destination address/port set to arbitrary values.
- block.c
- Prevents a user from logging in by monitoring utmp and closing down his
tty port as soon as it appears in the system.
- COPS v1.04
- COPS (Computer Oracle and Password System) checks for many common Unix system
misconfigurations. I find this tool very valuable, as it is non-trivial to break a system
which has passed a COPS check. I run it on all the systems I admin. It's getting a bit old,
but it's still an excellent way to systematically check for file permission mistakes.
- Crack v4.1
- Crack is a tool for ensuring that your Unix system's users have not selected easily guessed
passwords which appear in standard dictionaries. (Only a very small dictionary is included, so grab
the one below if you wish.)
- Crack Dictionary
- A general 50,000 word dictionary for use with Crack.
- esniff.c
- Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.
- fping
- Like Unix ping(1), but allows efficient pinging of a large list of hosts. V2.2.
- hide.c
- Code to exploit a world-writable /etc/utmp and allow the user to modify it interactively.
- ICMPinfo v1.1
- ICMPinfo is a tool for looking at the ICMP messages received on the running host.
- identd.c
- A modified identd that tests for the queue-file bug which is present in Sendmail versions
earlier than 8.6.10 and possibly some versions of 5.x.
- ISS v1.3
- The Internet Security Scanner is used to automatically scan subnets and gather information
about the hosts it finds, including the guessing of YP/NIS domain names and the extraction of passwd
maps via ypx. It also does things like check for versions of sendmail which have known
security holes.
- listhosts.c
- Requests a DNS name server to do a zone transfer and list the hosts it knows about.
- mnt
- This program demonstrates how to exploit a security hole in the
HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles
which will allow access from clients which do not normally have privileges.
- netcat v1.1
- Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible.
Allows outbound connections with many options as well as life as a daemon, accepting
inbound connections and allowing commands to be executed. Now at version 1.1!
- NFS-Bug
- Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX & HP-UX
patches included.
- NFS Shell
- A shell which will access NFS disks. Very useful if you have located an insecure
NFS server.
- RootKit
- A suite of programs like ps, ls, & du which have been modified to prevent
display of certain files & processes in order to hide an intruder. Modified Berkeley source
code.
- rpc_chk.sh
- Bourne shell script to get a list of hosts from a DNS nameserver for a given domain
and return a list of hosts running rexd or ypserve.
- seq_number.c
- Code to exploit the TCP Sequence Number Generator bug. A brief but clear
explanation of the bug can be found in Steve Bellovin's
sequence number comment. Note that
this code won't compile as-is because it is missing a library that does some of
the low-level work. This is how the source was released by Mike Neuman, the
author.
- Socket Demon v1.3
- Daemon to sit on a specified IP port and provide passworded shell access.
- Solaris Sniffer
- A version of E-Sniff modified for Solaris 2.
- Strobe v1.03
- Strobe uses a bandwidth-efficient algorithm to scan TCP ports on the target
machine and reveal which network server daemons are currently running. Version 1.03
is an update to 1.02.
- Telnetd Exploit
- This tarfile contains source code to the getpass() and openlog()
library routines which /bin/login can be made to link at runtime due to a feature
of telnetd's environment variable passing. Root
anyone? The fix is to make sure your /bin/login is statically linked.
- Traceroute
- Traceroute is an indispensable tool for troubleshooting and mapping your network.
- ttysurf.c
- A simple program to camp out on the /dev/tty of your choice and capture
logins & passwords when users log into that tty.
- xcrowbar.c
- Source code demonstrates how to get a pointer to an X Display Screen, allowing
access to a display
even after "xhost -" has disabled access. Note that access must be present to read the
pointer in the first place! (Originally posted to USENET's comp.unix.security.)
- xghostwriter-1.0b
- xghostwriter takes a string, or message, and ensures that this string
is "typed" from the keyboard, no matter what keys are actually
pressed. Useful for injecting keypress commands into an X session. More info from the author is here in his USENET post.
- xkey.c
- Attach to any X server you have perms to and watch the user's keyboard.
- xspy-1.0c
- xspy is mostly useful for spying on people; it was written
on a challenge, to trick X into giving up passwords from the
xdm login window or xterm secure-mode. More info from the author is here in his USENET post.
- xwatchwin
- If you have access permission to a host's X server, XWatchWin will connect via a network
socket and display the window on your X server.
- YPX
- YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS
domain names, which is all that's needed to extract passwd maps from the NIS server. If you
already know the domain name, ypx will extract the maps directly, without configuring a host
to live in the target NIS domain. (GZip'd Bourne Shell Archive)
- ypsnarf.c
- Exercise security holes in YP / NIS.
- Etherdump
- Etherdump is a vanilla DOS Ethernet sniffer. Dumps all frames to a
file. Filtering is not supported, unfortunately.
- Etherload
- Etherload is a utility for measuring performance and other characteristics of Ethernets,
such as packet origination via the MAC address.
- netcat v1.1
- Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible.
Allows outbound connections with many options as well as life as a daemon, accepting
inbound connections and allowing commands to be executed. Now at version 1.1!
- sniff.c or sniff.exe
- DOS based Ethernet sniffer with logs readable by sniffod.c filtering tool. Requires
a packet driver at 0x60.
- sniffod.c or sniffod.exe
- DOS based filter for sniff.c logs.
Novell Single Sign On
All links verified 4/22/2002. If you find a broken link, please let me know so I can fix it. (Thanks!)
- 2600, The Hacker Quarterly -- The original goes online.
- Steven Bellovin's Research Papers (att.com)
- Bugtraq Mailing List Web Archive -- Exploits, good discussion, searchable.
- COAST -- Computer Operations, Audit, and Security Technology.
- CuD Home Page -- Computer Underground Digest. Excellent Mag.
- DEF CON Convention -- The ultimate hackercon.
- Edwin Kremer's Personal Hotlist -- Edwin has a nice hotlist.
- Enigma Logic, Inc -- An interesting assortment, if a shade small.
- www.freefire.org -- Focused on tools and information to create free security systems
- Hacked! -- 2600's archive of historical web site hacks.
- Hack Watch News -- Interesting, but very strange.
- L0pht Heavy Industries -- Interesting underground site.
- Marcus Ranum's Personal Page -- Marcus is a firewall & Internet security expert.
- NIH's Unix Security -- Excellent resource!
- Phrack Magazine Home Page -- The infamous hacker zine. Not down; I just had the wrong address. :-|
- Ping o' Death Page -- (down?) Just one (big) ping packet and crash!
- Rscan Homepage -- Heterogeneous Network Interrogation.
- SecurityFocus.com -- Portal for security issues. Includes famous Bugtraq Forum Archive!
- Spaf's Homepage -- Gene Spafford's home page.
- squirrel.com home page -- Lots of security links.
- SUNET FTP Security Archive -- Large, organized archive of files.
- t3q security -- Cool looking new site. Check it out.
- unix / net / hack page -- Original tools and interesting links.
- Wietse's collection of tools and papers -- Excellent, but it's a slow link.