There Be Dragons...

Matt's Unix Security Page

Page last updated: November 24, 1996.

Welcome to my Unix security page! This page is in no way a complete listing of Unix security information and tools. What is hosted here is what I personally find useful and/or interesting. Hyperlinks to other sites are provided at the bottom of this page for those seeking something not listed here.

For those who might think it unwise to publicly disclose security holes and the techniques used to pass through them, I urge you to read Charles Tomlinson's Rudimentary Treatise on the Construction of Locks.

If anyone has published papers, software tools (for attack as well as defense), or cool security sites that aren't listed on this page, I would be interested in adding them to the page. Just send me some email (MIME-attach software programs).

What's New

I've been busy. So there's only one new thing here: The Ping o' Death Page. This one is huge. Want to crash an off-the-shelf Unix box with a single ping packet? No lie. This one's right up there with that old AIX froot bug. Lots of hosts are vulnerable to this one.

File Formats & Extensions

The file archive uses various extensions, sometimes with multiple extensions in series. The extensions are summarized in the following table and links to the utility software needed to read these formats are provided.

Extension   File Format Info
.txt        ASCII Text file. Use a standard text editor or browser.
.ps         Postscript file. Use Ghostview to view and print these files. Ghostscript also does Postscript-to-ASCII conversions.
.gz         Gzip compressed file. Use gzip or Winzip to decompress these files.
.tar        Unix Tape Archive file. Use GNU tar or Winzip to handle these files.
.zip        PKZip compressed file archive. Use unzip or Winzip to handle these files.

Published Papers

Alpha Sorted by Author

To save disk and bandwidth, all Postscript files have been gzip'd!

Unix Computer Security Checklist
AUSCERT, Australian Computer Emergency Response Team; 1995; ASCII Text; 89k
A comprehensive checklist for securing your Unix box.

Packets Found on an Internet
Bellovin, Steven M.; 1993; GZip'd Postscript; 32k
A very interesting paper describing the various attacks, probes, and miscellaneous packets floating past AT&T Bell Labs' net connection.

Security Problems in the TCP/IP Protocol Suite
Bellovin, Steven M.; 1989; GZip'd Postscript; 10k
A broad overview of problems within TCP/IP itself, as well as many common application layer protocols which rely on TCP/IP.

There Be Dragons
Bellovin, Steven M.; 1992; GZip'd Postscript; 58k
Another Bellovin paper discussing the various attacks made on att.research.com. This paper is also the source for this page's title.

An Advanced 4.3BSD IPC Tutorial
Berkeley CSRG; date unknown; GZip'd Postscript; 60k
This paper describes the IPC facilities new to 4.3BSD. It was written by the CSRG as a supplement to the manpages.

NFS Tracing by Passive Network Monitoring
Blaze, Matt; 1992; ASCII Text
Blaze, now famous for cracking the Clipper chip while at Bell Labs, wrote this paper while he was a PhD candidate at Princeton.

Network (In)Security Through IP Packet Filtering
Chapman, D. Brent; 1992; GZip'd Postscript; 46k
Why packet filtering is a difficult-to-use and not always secure method of securing a network.

An Evening with Berferd
Cheswick, Bill; 1991; GZip'd Postscript; 32k
A cracker from Norway is "lured, endured, and studied." (But not caught!)

Design of a Secure Internet Gateway
Cheswick, Bill; 1990; GZip'd Postscript; 17k
Details the history and design of AT&T's Internet gateway.

Improving the Security of your Unix System
Curry, David, SRI International; 1990; GZip'd Postscript; 99k
This is the somewhat well known SRI Report on Unix Security. It's a good solid starting place for securing a Unix box.

With Microscope & Tweezers
Eichin & Rochlis; 1989; GZip'd Postscript; 99k
An analysis of the Morris Internet Worm of 1988 from MIT's perspective.

The COPS Security Checker System
Farmer & Spafford; 1994; GZip'd Postscript; 45k
The original Usenix paper from 1990 republished by CERT in 1994.

COPS and Robbers
Farmer, Dan; 1991; ASCII Text
This paper discusses a bit of general security and then goes into detail regarding Unix system misconfigurations, specifically ones that COPS checks for.

Improving The Security of Your System by Breaking Into It
Farmer & Venema; date unknown; HTML
An excellent text by Dan Farmer and Wietse Venema. If you haven't read this before, here's your opportunity.

A Unix Network Protocol Security Study: NIS
Hess, Safford, & Pooch; date unknown; GZip'd Postscript; 20k
Outlines NIS and its design faults regarding security.

A Simple Active Attack Against TCP
Joncheray, Laurent; 1995; GZip'd Postscript; 90k
This paper describes an active attack against TCP which allows re-direction (hijacking) of the TCP stream.

Foiling the Cracker
Klein, Daniel; GZip'd Postscript; 38k
A Survey of, and Improvements to, Password Security. Basically a treatise on how to select proper passwords.

A Weakness in the 4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985; GZip'd Postscript; 10k
This paper describes the much ballyhooed method by which one may forge packets with TCP/IP. Morris wrote this in 1985. It only took the media 10 years to make a stink about it!

Covering Your Tracks
Phrack Vol. 4, Issue #43; GZip'd Postscript; 16k
A Phrack article describing the Unix system logs and how it is possible to reduce the footprint and visibility of unauthorized access.

Cracking Shadowed Password Files
Phrack Vol. 5, Issue #46; GZip'd Postscript; 19k
A Phrack article describing how to use the system call password function to bypass the shadow password file.

Thinking About Firewalls
Ranum, Marcus; GZip'd Postscript; 30k
A general overview of firewalls, with tips on how to select one to meet your needs.

An Introduction to Internet Firewalls
Wack & Carnahan for NIST; GZip'd Postscript; 600k
This is a special publication of the National Institute of Standards and Technology which provides a solid introduction to firewalls concepts and uses.

TCP Wrapper
Venema, Wietse; GZip'd Postscript; 13k
Wietse's paper describing his TCP Wrapper concept, the basis for the TCP Wrappers security and logging suite.

Miscellaneous Information

U.S. Department of Injustice Home Page
This is a mirror of the cracked version of the U.S. Department of Justice's web page. For those not in the know, this is what an unknown cracker did to the Feds' web page on August 16, 1996. Note that the page is offensive and contains nudity. Note also that I don't condone this sort of action, but what's done is done. Maybe the Feds should be securing their Unix boxes a bit better...

Generic Unix Security Information
CERT Advisory Team; 1993; ASCII Text
A good general commentary on Unix security, with specific places to look for suspicious files if you believe your machine's security may be compromised. It's a bit dated, so don't pay attention to the version numbers (Sendmail 8.6.4 is definitely not current anymore!).

HP-UX Boot Single User
The magic incantation for booting an HP-700 series machine into single user mode.

IP Spoofing
CERT Advisory Team; 1995; ASCII Text
Not too exciting, but useful for the uninitiated.

Securing Anon FTP Servers
CERT Advisory Team; 1995; ASCII Text
This CERT advisory details the access permissions and server configuration which should be followed to prevent anonymous FTP security breaches.

Source Routing Info
An interesting discussion of TCP/IP stuff from comp.security.unix.

Unix-based Software

Sorted by Name

arnudp.c
Source code demonstrating how to send a single UDP packet with the source/destination address/port set to arbitrary values.

block.c
Prevents a user from logging in by monitoring utmp and closing down his tty port as soon as it appears in the system.

COPS (V1.04)
COPS (Computer Oracle and Password System) checks for many common Unix system misconfigurations. I find this tool very valuable, as it is non-trivial to break a system which has passed a COPS check. I run it on all the systems I admin. It's getting a bit old, but it's still an excellent way to systematically check for file permission mistakes.

Crack (V4.1)
Crack is a tool for ensuring that your Unix system's users have not selected easily guessed passwords which appear in standard dictionaries. (Only a very small dictionary is included, so grab the one below if you wish.)

Crack Dictionary
A general 50,000 word dictionary for use with Crack.

esniff.c
Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.

fping
Like Unix ping(1), but allows efficient pinging of a large list of hosts.

hide.c
Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively.

ICMPinfo (V1.10)
ICMPinfo is a tool for looking at the ICMP messages received on the running host.

ISS (V1.3)
The Internet Security Scanner is used to automatically scan subnets and gather information about the hosts it finds, including the guessing of YP/NIS domain names and the extraction of passwd maps via ypx. It also does things like check for versions of sendmail which have known security holes.

LSOF (V3.50)
List All Open Files. Displays a listing of all files open on a Unix system. Useful for nosing around as well as trying to locate stray open files when trying to unmount an NFS-served partition.

mnt
This program demonstrates how to exploit a security hole in the HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles which will allow access from clients which do not normally have privileges.

netcat (V1.10)
Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed. Now at version 1.1!

NFS-Bug
Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX & HPUX patches included.

NFS Shell
A shell which will access NFS disks. Very useful if you have located an insecure NFS server.

RootKit
A suite of programs like ps, ls, & du which have been modified to prevent display of certain files & processes in order to hide an intruder. Modified Berkeley source code.

rpc_chk.sh
Bourne shell script to get a list of hosts from a DNS nameserver for a given domain and return a list of hosts running rexd or ypserv.

seq_number.c
Code to exploit the TCP Sequence Number Generator bug. A brief but clear explanation of the bug can be found in Steve Bellovin's sequence number comment. Note that this code won't compile as-is because it is missing a library that does some of the low-level work. This is how the source was released by Mike Neuman, the author. See his Bugtraq post for more info.

Socket Demon (V1.3)
Daemon to sit on a specified IP port and provide passworded shell access.

Solaris Sniffer
A version of E-Sniff modified for Solaris 2.

Strobe (V1.03)
Strobe uses a bandwidth-efficient algorithm to scan TCP ports on the target machine and reveal which network server daemons are currently running. Version 1.03 is an update to 1.02.

Telnetd Exploit
This tarfile contains source code to the getpass() and openlog() library routines which /bin/login can be made to link at runtime due to a feature of telnetd's environment variable passing. Root anyone? The fix is to make sure your /bin/login is statically linked.

Tiger (V2.2.3)
Tiger attempts to exploit known bugs, holes, and misconfigurations in order to attain root. It is similar to COPS, but has system specific extensions for SunOS, IRIX, AIX, HPUX, Linux and a few others.

Traceroute
Traceroute is an indispensable tool for troubleshooting and mapping your network.

xcrowbar.c
Source code demonstrating how to get a pointer to an X Display Screen, allowing access to a display even after "xhost -" has disabled access. Note that access must be present to read the pointer in the first place! (Originally posted to USENET's comp.unix.security.)

xkey.c
Attach to any X server you have perms to and watch the user's keyboard.

X Watch Window
If you have access permission to a host's X server, XWatchWin will connect via a network socket and display the window on your X server.

YPX
YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS domain names, which is all that's needed to extract passwd maps from the NIS server. If you already know the domain name, ypx will extract the maps directly, without configuring a host to live in the target NIS domain. (GZip'd Bourne Shell Archive)

DOS & Windows-based Software

Etherdump
Etherdump is a vanilla DOS Ethernet sniffer. Dumps all frames to a file. Filtering is not supported, unfortunately. If anyone has a DOS or Windows sniffer that does filtering, send me email!

Etherload
Etherload is a utility for measuring performance and other characteristics of Ethernets, such as packet origination via the MAC address.

Cool Hyperlinks

Alpha Sorted by Title

Misc junk I haven't sorted & filtered through yet...