"If you spend more on coffee than you spend on IT security, then you will be hacked.
What's more, you deserve to be hacked."
-Richard Clarke, Special Advisor to the President on Cyberspace Security
WIRELESS TOOLS are located in the new Wi-Fi section!
Alphabetical listing of tools and apps:
657, AntiSniff, BO2k, CameraShy, chkrootkit, Early Bird, l0phtcrack, lionfind, lsof, netcat (for *NIX and Win*), nmap, qrpff.pl, sweeper, sockstat
Alphabetical listing of documentation:
Fun With the Wap11
Matta Security's Internet-base Counterintelligence
Spamdoors; Using Spam As A Vector Of Back Door Communication
Netcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard Unix tools.
Sweeper operates at the API level. API stands for Application Programming Interface, and this means Sweeper analyzes your binaries for the system calls they import. Here are some example calls Sweeper looks for: "bind", for winsock listening capability; "send", for winsock sending capability; and "CreateRemoteThread" for process injection (which allows a trojan to bypass your anti-virus or firewall).
Beale Screamer's utility is provided here for academic reasons, *only*!!!
Don't be breakin' no laws now, ya hear?
This Perl code, all 7 lines and 526 bytes of it, can be used as a descrambler for CSS (the DVD Content Scramble System).
Want other ways to descramble it? Check out the Gallery of CSS Descramblers!
http://www.treachery.net/~jdyson/earlybird/
The Early Bird gets the Worm!
Early Bird is designed to act as a worm catch-all for Apache servers.
It will log the offending IP attempting to propagate Code Red and Nimda variants
and mail the netblock owner a default mail with date, time, IP, and variant type.
Development is constant and ongoing.
From Jay Dyson and Treachery Unlimited.
Early Bird was also featured on SecurityFocus.com!
[ NEW ] Local Mirror
Early Bird 2.6 Source and Documentation | Jay Dyson's PGP Key & Early Bird 2.6 PGP Signature
http://www.chkrootkit.org
From the author's site: "chkrootkit is a tool to locally check for signs of a rootkit."
While it is not a fool-proof design, it does an excellent job of looking for the telltale
signatures typically left behind by the presence of a rootkit.
Although the software is tiny, its author has given me permission to mirror it here, since
his site is located in Brazil.
[ 06.04.14 ] Current version is 0.50.
Download chkrootkit from here (yes, it's small @ ~39k); the MD5 signature is available here also.
Chkrootkit relies on a few system binaries to function, but these binaries are themselves
targets of some rootkits, and may be trojaned.
We have assembled tarballs of known clean binaries. Note that files below are not
produced or endorsed by the author of chkrootkit and are provided only by Reznor Allied Technologies.
This tarball is for Slackware 7.1.
This tarball is for Slackware 7.0.
Using Redhat? It's probably too late. Format and install something more secure, like NT. ;)
Also, Lionfind (v0.1.9) checks for the existence of the Linux Lion Worm.
(Older version, 0.1.)
Info on the worm as well as Lionfind's homepage are located here: http://www.sans.org/y2k/lion.htm
Click the banner above to download from Security Software Technologies,
or download l0phtcrack 2.52 here,
now the Official West Coast Mirror
3.02 is currently available.
l0pht's AntiSniff ver. 1-1-2 Promiscuous Mode Interface Detection
15 Day Trial Unix Version, now includes Linux support.
- OR -
Windows version, self extracting.
http://www.insecure.org/nmap/
Nmap wins InfoWorld's 1998 Best Information Security Product award.
This is by far one of the best and most flexible portscanners available.
Browse around www.insecure.org while you're at it;
it is an excellent resource, and Fyodor keeps a damn handy archive of many exploits.
[ 3.70 now available ]
http://www.bo2k.com/
Back Orifice 2000
The new, drastically improved Remote Administration Utility from
The Cult of the Dead Cow
The official cDc announcement is found here.
An unbiased, positive review of BO2k from About.com
Forwarded mail from the NT Security List. A must-read.
Mirror of the original WI2600 article.
View the document (~235k, .pdf format).
View the document (~24k html).
Internet-based Counterintelligence
Matta Security of London has released a document in which they mapped
out a portion of the CIA's public network using common lookup tools.
The report is very brief but gives a good idea of how easy it is to pinpoint
potential entry points to sensitive networks. Some dual-homed hosts were even
found with public listings of internal network numbers, a boon to attackers.
Using Spam As A Vector Of Back Door Communication
This document discusses how spam can be used as a vector of infection for
back-door style utilities. By Vision Through Sound