Matt's Web World presents...

Established November 1, 1995.
Last updated on January 28, 2013.

Table of Contents

Click any of the blue section separators to return to this table of contents.

Icons indicate a link which will take you away from this site. (In the same window! Shift-click on links if you want them in a new window.)

What's New? File Formats & Extensions Published Security Papers Unix Source Code Hacks Unix Security Tools Multi-platform Security Tools Windows Security Tools Live CDs Lockpicking Hyperlinks	There Be Dragons...

What's New?

January 28, 2013

Most recent, but not really new anymore, changes include:

• The old, crusty, and sometimes invalid HTML 4 tags have been updated to shiny, new, standards compliant XHTML 1.0 tags. This should insure it looks right and parses quickly on all browsers.
• All the links have been validated and freshened, and little icons have been added for all links that leave the site.
• There are a few new papers and other files added, tagged with the new icon.
• The Unix code has been split into hacks/exploits and tools sections.
• A Windows tools section has been added with links to modern open source tools that are much more usable than the old DOS junk from the last century which was here before. 
• There is a new section with links to my favorite "Live CDs" which are .iso images which can be burned to CD and then booted directly for such things as OS repair & forensics, or to play with GNUStep, a modern build of NeXTStep/OpenStep.
• The lockpicking content has been moved to its own section.
• The dragon image is now back to its original, larger self.

File Formats & Extensions

The file archive uses various extensions, sometimes with multiple extensions in series. The extensions are summarized in the following table and links to the utility software needed to read these formats are provided.

Published Security Papers

Sorted alphabetically by author name.

The papers here were orignally in Adobe Postscript (.ps) format. I have converted them all to Adobe Acrobat (.pdf), since this is the successor format from Adobe, and has many advantages to Postscript. The Postscript .ps files are all gzip'd and therefore end in .ps.gz The .pdf PDF files are almost as small as their gzip'd counterparts and therefore have not been compressed; just click and read (or print).

Unix Computer Security Checklist
AUSCERT, Australian Computer Emergency Response Team; 1995; ASCII Text; 89k

A comprehensive checklist for securing your Unix box.

Packets Found on an Internet
Bellovin, Steven M.; 1993; Acrobat format; also available in Postscript format

A very interesting paper describing the various attacks, probes, and miscellaneous packets floating past AT&T Bell Labs' net connection.

Security Problems in the TCP/IP Protocol Suite
Bellovin, Steven M.; 1989; Acrobat format; also available in Postscript format

A broad overview of problems within TCP/IP itself, as well as many common application layer protocols which rely on TCP/IP.

There Be Dragons
Bellovin, Steven M.; 1992; Acrobat format; also available in Postscript format

Another Bellovin paper discussing the various attacks made on att.research.com. This paper is also the source for this page's title.

An Advanced 4.3BSD IPC Tutorial
Berkeley CSRG; date unknown; Acrobat format; also available in Postscript format

This paper describes the IPC facilities new to 4.3BSD. It was written by the CSRG as a supplement to the manpages.

NFS Tracing by Passive Network Monitoring
Blaze, Matt; 1992; ASCII Text

Blaze, now famous for cracking the Clipper chip while at Bell Labs, wrote this paper while he was a PhD candidate at Princeton.

Generic Unix Security Information
CERT Advisory Team, 1993, ASCII Text

A good general commentary on Unix security, with specific places to look for suspicious files if you believe your machine's security may be compromised. It's a bit dated, so don't pay attention to the version numbers (Sendmail 8.6.4 is definitely not current anymore!)

IP Spoofing
CERT Advisory Team, 1995, ASCII Text

Not too exciting, but useful for the uninitiated.

Securing Anon FTP Servers
CERT Advisory Team, 1995, ASCII Text

This CERT advisory details the access permissions and server configuration which should be followed to prevent anonymous FTP security breaches.

Network (In)Security Through IP Packet Filtering
Chapman, D. Brent; 1992; Acrobat format; also available in Postscript format

Why packet filtering is a difficult to use and not always secure method of securing a network.

An Evening with Berferd
Cheswick, Bill; 1991; Acrobat format; also available in Postscript format

A cracker from the Netherlands is "lured, endured, and studied."

Design of a Secure Internet Gateway
Cheswick, Bill; 1990; Acrobat format; also available in Postscript format

Details the history and design of AT&T's Internet gateway.

Improving the Security of your Unix System
Curry, David, SRI International; 1990; Acrobat format; also available in Postscript format

This is the somewhat well known SRI Report on Unix Security. It's a good solid starting place for securing a Unix box.

With Microscope & Tweezers
Eichin & Rochlis; 1989; Acrobat format; also available in Postscript format

An analysis of the Morris Internet Worm of 1988 from MIT's perspective.

The COPS Security Checker System
Farmer & Spafford; 1994; Acrobat format; also available in Postscript format

The original Usenix paper from 1990 republished by CERT in 1994.

COPS and Robbers
Farmer, Dan; 1991; ASCII Text

This paper discusses a bit of general security and then goes into detail regarding Unix system misconfigurations, specifically ones that COPS checks for.

Improving The Security of Your System by Breaking Into It
Farmer & Venema; 1993; HTML

An excellent text by Dan Farmer and Wietse Venema. If you haven't read this before, here's your opportunity.

A Unix Network Protocol Security Study: NIS
Hess, Safford, & Pooch; date unknown; Acrobat format; also available in Postscript format

Outlines NIS and its design faults regarding security.

A Simple Active Attack Against TCP
Joncheray, Laurent; 1995; Acrobat format; also available in Postscript format

This paper describes an active attack against TCP which allows re-direction (hijacking) of the TCP stream.

Foiling the Cracker
Klein, Daniel; 1990; Acrobat format; also available in Postscript format

A Survey of, and Improvements to, Password Security. Basically a treatise on how to select proper passwords.

A Weakness in the 4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985; Acrobat format; also available in Postscript format

This paper describes the much ballyhooed method by which one may forge packets with TCP/IP. Morris wrote this in 1985. It only took the media 10 years to make a stink about it!

Covering Your Tracks
Phrack Vol. 4, Issue #43; Acrobat format; also available in Postscript format

A Phrack article describing the unix system logs and how it is possible to reduce the footprint and visibility of unauthorized access.

Cracking Shadowed Password Files
Phrack Vol. 5, Issue #46; Acrobat format; also available in Postscript format

A Phrack article describing how to use the system call password function to bypass the shadow password file.

TCP SYN Flood (Project Neptune)
Phrack Vol. 7, Issue #48; 1996; HTML

Includes explanation of this denial-of-service attack as well as Linux source implementation. Also of interest may be the CERT document warning that Phrack had published this vulnerability.

Thinking About Firewalls
Ranum, Marcus; 1992; Acrobat format; also available in Postscript format

A general overview of firewalls, with tips on how to select one to meet your needs.

Addressing Weaknesses in the Domain Name System Protocol
Schuba, Christoph L.; 1993; Acrobat format

Describes problems with the DNS and one of its implementations that allow the abuse of name based authentication.

Public Key Certification & Secure File Transfer
Shuba & Sheth; approx. 1994; Acrobat format

This document describes secure file transfer between agents, providing confidentiality and integrity of transferred files, originator authentication, and non-repudiation.

Source Routing Info
Usenet comp.security.unix; 1995; ASCII Text

An interesting discussion of TCP/IP source routing stuff.

Countering Abuse of Name-based Authentication
Schuba & Spafford; approx. 1994; Acrobat format

Discusses conceptual design issues of naming systems, specifically DNS, and how to address the shortcomings.

TCP Wrapper
Venema, Wietse; 1992; Acrobat format; also available in Postscript format

Wietse's paper describing his TCP Wrapper concept, the basis for the TCP Wrappers security and logging suite.

Unix Source Code Hacks

Sorted alphabetically by name

arnudp.c

Source code demonstrates how to send a single UDP packet with the source/destination address/port set to arbitrary values.

block.c

Prevents a user from logging in by monitoring utmp and closing down his tty port as soon as it appears in the system.

esniff.c

Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.

hide.c

Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively.

identd.c

A modified identd that tests for the queue-file bug which is present in Sendmail versions earlier than 8.6.10 and possibly some versions of 5.x.

listhosts.c

Requests a DNS name server to do a zone transfer and list the hosts it knows about.

mnt

This program demonstrates how to exploit a security hole in the HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles which will allow access from clients which do not normally have privileges.

NFS-Bug

Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX & HPUX patches included.

NFS Shell

A shell which will access NFS disks. Very useful if you have located an insecure NFS server.

RootKit

A suite of programs like ps, ls, & du which have been modified to prevent display of certain files & processes in order to hide an intruder. Modified Berkeley source code.

rpc_chk.sh

Bourne shell script to get a list of hosts from a DNS nameserver for a given domain and return a list of hosts running rexd or ypserve.

seq_number.c

Code to exploit the TCP Sequence Number Generator bug. An brief but clear explanation of the bug can be found in Steve Bellovin's sequence number comment. Note that this code won't compile as-is because it is missing a library that does some of the low-level work. This is how the source was released by Mike Neuman, the author.

Socket Demon v1.3

Daemon to sit on a specified IP port and provide passworded shell access.

Solaris Sniffer

A version of E-Sniff modified for Solaris 2.

telnetd Exploit

This tarfile contains source code to the getpass() and openlog() library routines which /bin/login can be made to link at runtime due to a feature of telnetd's environment variable passing. Root anyone? The fix is to make sure your /bin/login is statically linked.

ttysurf.c

A simple program to camp out on the /dev/tty of your choice and capture logins & passwords when users log into that tty.

xcrowbar.c

Source code demonstrates how to get a pointer to an X Display Screen, allowing access to a display even after "xhost -" has disabled acess. Note that access must be present to read the pointer in the first place! (Originally posted to USENET's comp.unix.security.)

xghostwriter-1.0b

xghostwriter takes a string, or message, and ensures that this string is "typed" from the keyboard, no matter what keys are actually pressed. Useful for injecting keypress commands into an X session. More info from the auther is here in his USENET post.

xkey.c

Attach to any X server you have perms to and watch the user's keyboard.

xspy-1.0c

xspy is mostly useful for spying on people; it was written on a challenge, to trick X into giving up passwords from the xdm login window or xterm secure-mode. More info from the auther is here in his USENET post.

xwatchwin

If you have access permission to a host's X server, XWatchWin will connect via a network socket and display the window on your X server.

YPX

YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS domain names, which is all that's needed to extract passwd maps from the NIS server. If you already know the domain name, ypx will extract the maps directly, without configuring a host to live in the target NIS domain. (GZip'd Bourne Shell Archive)

ypsnarf.c

Exercise security holes in YP / NIS.

Unix Security Tools

Sorted alphabetically by name

COPS v1.04

COPS (Computer Oracle and Password System) checks for many common Unix system misconfigurations. I find this tool very valuable, as it is non-trivial to break a system which has passed a COPS check. I run it on all the systems I admin. It's getting a bit old, but it's still an excellent way to systematically check for file permission mistakes.

Crack v4.1

Crack is a tool for insuring that your Unix system's users have not selected easily guessed passwords which appear in standard dictionaries. (Only a very small dictionary is included so grab the one below if you wish.)

Crack Dictionary

A general 50,000 word dictionary for use with Crack.

fping

Like Unix ping(1), but allows efficient pinging of a large list of hosts. V2.2.

ICMPinfo v1.1

ICMPinfo is a tool for looking at the ICMP messages received on the running host.

ISS v1.3

The Internet Security Scanner is used to automatically scan subnets and gather information about the hosts it finds, including the guessing of YP/NIS domainnames and the extraction of passwd maps via ypx. It also does things like check for verisons of sendmail which have known security holes.

lsof v4.82

List All Open Files. Displays a listing of all files open on a Unix system. Useful for nosing around as well as trying to locate stray open files when trying to unmount an NFS-served partition.

netcat v1.1

Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed.

RScan

An older tool for Heterogeneous Network Interrogation. Includes links to a Usenix paper as well.

SATAN

Security Administrator Tool for Analyzing Networks. Dan Farmer's tool that caused a huge stir in the media back in '95 when he wrote it and released it. I believe he ended up leaving SGI over this thing. So silly. Where is SGI now? That's what I thought...

Strobe v1.03

Strobe uses a bandwidth-efficient algorithm to scan TCP ports on the target machine and reveal which network server daemons are currently running. Version 1.03 is an update to 1.02.

Tiger

Tiger is a security tool that can be use both as a security audit and intrusion detection system. It is similar to COPS or SATAN, but has system specific extensions for SunOS, IRIX, AIX, HPUX, Linux and a few others. The original TAMU project has been resurrected and is now being maintained as part of Savannah.

Traceroute

Traceroute is an indispensable tool for troubleshooting and mapping your network.

Multi-platform Security Tools

Sorted alphabetically by name

Kismet

Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11a, 802.11b, and 802.11g traffic.

PuTTY

PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.

TrueCrypt

TrueCrypt creates virtual encrypted file-systems which can be stored as a file or as a whole disk partition. Works on USB sticks too. Don't lose your data if your PC is stolen -- encrypt it!

WireShark

The best network sniffer & protocol analyzer out there.

Windows Security Tools

Sorted alphabetically by name

NetStumbler 0.40

NetStumbler is a wireless LAN tool which scans for access points and reports back with a list which includes signal strengths and protocols in use. More details are available here in the NetStumbler Readme.

Fiddler

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. The application is Windows-only but it hooks very low level API's which allows it to work with any browser (IE, Firefox, Opera, etc.) and also decrypt SSL traffic without setting up the required private cert keys (as in WireShark).

netcat NT v1.1

Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed.

Password Safe

Password Safe allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe all you have to do is create and remember a single "Master Password" of your choice in order to unlock and access your entire user name/password list. Much safer than re-using passwords between sites!

Sam Spade 1.14

Sam Spade is an integrated network query tool for Windows. Most of what it does can be had elsewhere, but it has the ability to parse email headers and determine where forgeries have been made in the headers and forwarding chain. Very useful for well forged spam, reduces analysis time a lot to have Sam take a crack at it first.

Secunia PSI

This is a great tool which scans your system for old and unpatched application software which has security vulnerabilities. Does for applications what Windows Update does for the Windows OS.

Security Essentials

Security Essentials is Microsoft's new real-time anti-virus and malware protection solution. It's reported to be better than most anti-virus compeitors and it's free.

WinDirStat

Scans NTFS filesystems and represents them as a colored, graphical heat map based on size. Great for seeing what is taking up the most space on your system. Think of it as graphical du for Windows.

WinSCP

Free SFTP, FTP and SCP client for Windows. This is a great Windows file transfer client which also supports SCP, which most ISP's are moving to now for secure file transfer.

Live CDs

Sorted alphabetically by name

BackTrack

BackTrack is the #1 Linux LiveCD focused on penetration testing.

BartPE

BartPE is a preinstalled environment builder for Windows. It uses your original Windows media to create a Live CD bootable CDROM OS image.

GNUStep/OpenStep

Remember the NeXT cube running NeXTStep? Well I do, and this LiveCD brings it all back. No other reason to include it other than it's Unix, and I miss my cube.

Helix

Helix is focused on incident response, forensics, and e-discovery. Free CD with option to buy support and access to the member community.

Knoppix

This is not a security distro, but it's the best general Linux Live CD going, so it gets included for general usefulness.

Knoppix-STD

Security Tools Distribution of the Knoppix LiveCD. Zillions of things here, for all aspects of security work.

Trinity Rescue Kit

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

Lockpicking

These links aren't Unix related, but they are security related, and you may find them interesting. Ultimately, the integrity of your computer's electronic security rests on the integrity of its physical security. So you need to know how locks work because your whole security world is premised on them. Perhaps a section on alarm systems will be next...

• The MIT Guide to Lock Picking
• Greg Miller's Guide to Lock picking for Beginners
• Schneier on Security -- "Lockpicking and the Internet"
• Lockpicking by Deviant Ollam
• Master-Keyed Lock Vulnerability -- Matt Blaze's 2003 work on physical "master keyed" lock vulnerabilities.

Hyperlinks

Links last verified January 1^st, 2010. All of these external links leave this site.

People

• Steven Bellovin's Research Papers
• Edwin Kremer's Unix Page -- Edwin has a nice hotlist. And he takes nice photos too!
• Marcus Ranum's Personal Page -- Marcus is a firewall & Internet security expert.
• Spaf's Homepage -- Gene Spafford's home page.
• Wietse's collection of tools and papers -- Excellent site.

Places & Organizations

• Bugtraq Mailing List Web Archive -- Exploits, good discussion, searchable.
• COAST -- Computer Operations, Audit, and Security Technology.
• DEF CON Convention -- The ultimate hackercon.
• Hacked! -- 2600's archive of historical web site hacks.
• Insecure.org -- home of Nmap and other exciting things.
• L0pht Heavy Industries -- The now famous underground group's site.
• SANS Reading Room -- very large and extensive coverage of security topics.
• SecurityFocus.com -- Portal for security issues. Includes famous Bugtraq Forum Archive!

Tools & Download Sites

• Freefire -- Focused on tools and information to create free IT security systems.
• SUNET FTP Security Archive -- Large, organized archive of files.
• unix / net / hack page -- Original tools and interesting links.

Zines & Publications

• 2600, The Hacker Quarterly -- The original goes online.
• Cu Digest Home Page -- Computer Underground Digest. Excellent Mag.
• Phrack Magazine Home Page -- The infamous hacker zine. Sometimes on the blink.