LibMix v1.05 is a library that provides an API for various useful functions, including an AES encryption interface, various network front-ends and low-level datagram functions, as well as functions for string manipulation and other miscellaneous utility functions. It also includes functions to transmit encrypted data via stateless spoofed datagrams (tfntransmit/tfnread).
a43c83e60f1526ed38138346b9102a4cb27bc1531e235eb0bd78c583dea8a013
Coding in C - a summary of some popular mistakes. Most of them are not detected at compile time with all warnings enabled, which makes them very nasty and hard to detect.
737d50616c03d55f8e032bb3348892b062e5ced53d2c378786dbda33ef725c28
shlog.c is a small program that will do getpeername on its input descriptor and, if it is invoked via a remote session, log the remote host along with uid/gid to syslog. It can be used as an additional logging tool for login shells (by putting it into the system profile).
bd42d52088d6edf926cf9b9ece53c386df3616f092ad9588f1a8757e43cc353f
TFN3k is a paper about the future of DDOS tools, how they can be used, and the dangerous features that can and probably will be implemented in the future. Also has information on establishing Network Intrusion Detection (NIDS) Rules for DDOS attacks.
81f6b4c0bc45d0a32a93a7d9053beb1a229a36193e7cbb36d1a180bcf41cc5f6
pcfs.c is a tool that creates a fake CFS (cryptographic file system) encrypted directory tree, which is reasonably indistinguishable from a real CFS directory. It proves that just having a CFS-styled directory doesn't prove it actually contains real encrypted data.
cb278ff823f8b81b672492dcb35960e85ed6420efa14288465dab6f4d48d20ae
Mixter's guide to defending against DDOS - 10 proposed 'first-aid' security measures which should be implemented by anyone at risk.
a45bc9efc6b77fa911f41e367dd8ef7a0a6a867f5d47435a7fe799d7074c2ae5
webscan.c is a fast multithreaded CGI and HTTP version scanner that is based on cgichk and can easily be updated. The CGI scanning Y2K problem has been fixed in this version.
372b8f130488d7e78531ef9c5af3f4d89272bf0bea639a363479d76074b96827
virii.tgz is a collection of files that are supposedly infected by a Linux/ELF virus that could be out and spreading in the wild. It also contains a detailed description of the suspicious actions the virus performs and the patterns that can be found in the files.
691df8cc678c2caba81db01501a7fea033cd8923437ce4c457b094a89f4c0b82
trojans.txt is a paper that deals with methods of analyzing, debugging and disassembling Unix binaries, looking for viruses, trojans and other malicious code.
2f61e64d50b8c2d733f5e9c50f4c109ea0f3666891cdbb2f2f1d557a1acfded7
rawpowr.c can access a block device containing an EXT2 file system in raw mode, changing all executables into suid executables. This demonstrates that security can easily be breached as soon as block devices are directly writable by the attacker.
f5afd86837980a670a4ef1348fba298322ae697efa523ae82d8a9196380a98bf
Stasis is a tool to fool atime/mtime timestamp checking. It records the timestamp of files, then periodically finds atime/mtime changes and restores the old timestamps, as if the files were never accessed / changed.
eb63609efc1350e5ecc18faffda1b59339dc10d5a460127fa971feb32673d225
Intrusion Detection Evasion System is a daemon that monitors connections and forges additional packets to hide from and disturb the network monitoring processes of IDS and sniffers. It does this by inserting RST/FIN and ACK packets with bogus payloads and invalid sequence numbers that only affect network monitors. It also sends a custom amount of SYN requests from arbitrary sources on every real connection attempt it sees, which can for example be used to simulate coordinated scans.
70928c72e9594e3b31e86cabaaf959e292ac9e456f7add9f9d4fb015debc78bc
Winning Packet Storm Contest Entry - Protecting Against the Unknown - A guide to improving network security to protect the Internet against future forms of security hazards.
0e6222b8be5665deed5eefcf97e95600e15395e70fc048b75e1a1963cb6c8da9
Q 1.0 is a client / server backdoor which features remote shell access with strong encryption for root and normal users, and an encrypted on-demand TCP relay/bouncer that supports encrypted sessions with normal clients using the included tunneling daemon. It also has stealth features like activation via raw packets, syslog spoofing, and single on-demand sessions with variable ports. This version is downward compatible and includes a few bugfixes that make the remote access daemon work reliably.
35ffdfbefeac850bb2ce4ff8a3613dbf68aaa7ef7147b5b4a9a14bcbff725692
webdecoy.tgz is a small script that can find, remove and replace vulnerable CGI scripts on the local webserver with "decoy" CGIs, which log exploit attempts.
853f3f8326f0656b1f9c046c35b006d4d37ff9fd19357e3909da8eb0e31eb4f8
Nsat is a fast bulk security scanner written in C++ and designed for long-range scans, which scans and audits about 60 different services and 170 CGIs with different scan intensities.
3ab2a97528f2860fe8da6c53e97c0b30414f7de6150a4d2fb4dfed024c39a521
"solinger" Denial Of Service - bind 8.1.*, 8.2, 8.2.1 - causes a bind8 server to stop responding to requests for up to 120 seconds. Quick proof of concept of the bug pointed out by ISC.
c00f49a4683589b7cdfeab5c617c94f4a65bf5320693b205eae0c9f7ca5745e1
Echelon for Dummies is a distributed sniffer which tries to show how the "echelon" network could be designed. It uses sniffer servers that can be installed and run on remote hosts, and will dig through local network traffic, using custom pattern/keyword matching to find packets with interesting content, which are then forwarded to a central loghost on which the logging daemon is run that gathers and logs the data. For stealth purposes, sniffers and the logger communicate via random protocols and encryption, and are compatible with many Unix systems and NT.
70592b2730b49a0cb5f11ce7b3258462d9a60e8f4b8feb94b9d5590f6af2438c
Nsat is a fast bulk security scanner written in C++ and designed for long-range scans, which scans and audits about 60 different services and 170 CGIs with different scan intensities. Updates in this version include detection of sendmail 8.9 remote exploitability, more CGI scripts that can be used in the MDAC IIS attack, improved RPC service and backdoor scanning, all of the latest Solaris RPC vulnerabilities added, and detection of trinoo distributed DoS masters on default ports.
6f56824e13f9d05aa0eb1eef2be048cfcf35fd35354da8cabd0ade5d70de5df4
Tribe Flood Network 2000. Using distributed client/server functionality, stealth and encryption techniques and a variety of functions, TFN can be used to control any number of remote machines to generate on-demand, anonymous Denial Of Service attacks and remote shell access. The new and improved features in this version include remote one-way command execution for distributed execution control, a Mix attack aimed at weak routers, a Targa3 attack aimed at systems with IP stack vulnerabilities, compatibility with many UNIX systems and Windows NT, spoofed source addresses, strong CAST encryption of all client/server traffic, a one-way communication protocol, messaging via random IP protocol, decoy packets, and extensive documentation. Currently no IDS software will recognise tfn2k.
07f94c742546e490bd6c8ab103c0ffa31399129812380e0bece242fcdf7a4cba
Paper on exploiting security issues in client and other non-server software. Includes a sample exploit against tar.
67a289316796316f40e67df6386dfe291a4eba9fce5c20763db7bc76da920954
spidernet uses a network of host-based IDS and a logging monitor that allows one to watch a large number of remote systems for changes to a defined list of files and for promiscuous network interfaces. Sessions are strongly encrypted with CAST, and checksums are generated using the reliable MD5 algorithm.
baf7f2637c9eb566884edd1a273592dc130ba3738d83a677d39d9c9321a2624e
Commonly overlooked audit trails on intrusions. This is my attempt at compiling a 'top list' of audit trails that are left after intrusions where the intruders try to cover their tracks but don't do a good job. To put it short, there are actually a lot of audit trails on a normal UNIX system, which can almost all be overcome, but only with some effort, which most intruders evade.
62983ffce65d3105e159e3fe5efb6acaa712499108530acd484c96b44d5f628b
Exo is a handy little tool that 'sweeps' a range of ports on a list of hosts. It works by sending out raw packets and waiting for replies with two separate threads. This method makes exo able to find open ports without any delay, i.e. effectively at the rate that your bandwidth allows. A 56k dialup connection can scan for one open port on 65280 hosts in 160 seconds.
a60c48f440035e2d53ede947853d80e3f98e95622144113c2ad58eb2cf57a539
Yet another wu-ftpd 2.5.0 exploit, which finds world-writable directories automatically. Tested on Red Hat 5, Red Hat 6, and Debian Linux.
070dcb17b0983c82941c323daaf00a487f9924adb8255f6edc18b6260baabac8