Security: selected readings for paranoid sysadmins

Articles

• Internet Security Working draft by Richard Pethia
  (Written in Oct 1990, but still valid today.)
• CERT Advisory about ISS (the Internet Security Scanner)
• Packets Found on the Internet by Steven Bellovin postscript and pdf formats
• Horses and Barn Doors in postscript and pdf formats
• I Only Replaced index.html - The admin's side of cracking
• SUBVERSION: THE NEGLECTED ASPECT OF COMPUTER SECURITY - in html and pdf formats
• Microsoft White Paper: Single Sign-On in Windows 2000 Networks in html and Word formats

top of page

Source Code, Tutorials, and Warnings

• The Art of Port Scanning - in text or html
• ICMP444V.c Bomb a host with ICMP packets.
• Class B subnetter Look at the headers in this source code. Guess what this'll be used for.
• IP firewall, session viewer, and session hijacker - All in this short piece of C code.
• Detect traceroute probes from other machines
• wu-ftpd crack
• CERT Advisory about ISS (the Internet Security Scanner)
• Smurfing - Description and Information to minimize effects
• The Administrator's Guide to Cracking
• HP JetDirect Denial-of-Service attacks - ISS Advisory
• Keen Veracity - Legions of the Underground volume 7 - misc hacks, cracks, etc.
• Quick Hacks - "These are all quick and simple hacks.... The topics covered are vax/vms/windows/dos/macros/bios/etc in no particular order... This is all pretty common knowledge and it can come in useful sometimes ." (author's blurb)
• There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for WinNT 4.0 (probably others) which allows reading files from the user's computer.
• Downloading Y2K fixes to Internet Explorer leads to clock problem
• THE MACRO VIRUS * * WRITING TUTORIAL * * PART 1 and PART 2
• - or: How to port scan

top of page

unix & network

• The Step Sensor and Analysis System for intrusion detection
• Unix System Security Checklist
• Securing X windows
• Slackware Linux (Dillon) crond exploit (source code)

Windows NT

• Securing Windows NT Microsoft Technet ©1998
• Securing a Windows NT Installation Microsoft ©1997
• CERT/CC Windows NT Configuration Guidelines
• IISHACK.ASM - IIS buffer overflow exploit
• Windows Backdoors - ISS Vulnerability Alert
• IIS 4.0 Metabase Passwords
• NT Explorer Denial-of-Service attacks
• How to build an NT Bastion Host
• CIFS: Common Insecurities Fail Scrutiny by *Hobbit*
• Inherent weaknesses in NT system policies - post to BugTraq
• ActiveX Hard Disk Explorer - web and eMail vulnerability
• Windows NT Deconsctruction Tatics - Step by Step NT Explotation Techniques (their spelling)
• GetadmforSops.exe - Default permissions on Registry key creates a getadmin hole
• sharepw.c - This program takes an 'encrypted' Windows 95 share password and decrypts it.
• sid.exe - This utility displays the Sid for the specified user or group.

top of page

NT Security Tools

• NAT.EXE - NetBios Security Auditing Tool. From the folks at the Samba project
• dumpfs.exe - locate alternate data streams in NTFS files
• fatalerr.exe - trojan password prompt. See how gullible (uninformed) your users are.
• grant.exe - grant or revoke user priveleges from the command line. not sure whether this is a tool or a potential exploit...
• grp.exe - list local and global groups
• ipccrack.exe - exploit (or find a vulnerability, if you wear the white hat) an accessible IPC$ share
• logger.exe - send system events to a syslog daemon running on a remote host
• nc.exe - netcat *hobbit*'s network hacking tool. Ported to NT by Weld Pond. lots and lots of uses- for offense and defense. here's the original (much longer) write-up by *hobbit*
• Nessus - security scanner (links to nessus.org)
• NTinfoScan - just how much info is your NT box giving out to anonymous users?
• NTlast - limited, but similar to the un*x command
• NTsyslog - log to a central monitoring host
• passwd utility allows the user to change his/her password on either the local system, or the Domain Controller. Administrators may change anyone's password.
• Port Dumper is written to be a port listener with a function of sending back data to the connected box
• Porter is an internet utility to scan a host for ports open for public connection or a range of IPs for connections. It can be used to find servers not listed with InterNIC or just to scan a host for the services it provides.
• pwgen - Generate (hopefully) pronounceable random passwords. These can often be remembered more easily than completely random passwords, and are immune to dictionary searches, etc.
• SendFile is a 32 bit console application for sending ASCII text files via SMTP. (handy for mailing alerts to the admin.)
• systime - displays the current time, the elapsed time and the system start time for the local system. (so you know that someone didn't reboot the machine from floppy, for instance...)
• Test for Guest tests for an enabled guest account with no password set on it, on a number of (NT or Linux) machines in a given range of IP addresses.
• Ultrascan - scan every host in a Class C subnet for any number of ports. You may also scan every host in that range on a particular port.
• unsecure - brute force password attacker
• The upriv utility allows the addition or removal of privileges from user accounts.

Related Resources

• Details about problems in the IIS web server and related things are up for grabs at www.omna.com.
• www.ntresearch.com From Tom Sheldon, author of "Windows NT Security Handbook" Several papers, articles, and checklists are available there.
• NT *tools* [notably NTFSDOS] available at www.ntinternals.com, run by Mark Russinovich and Bryce Cogswell.
• The archive of the NT-security mailing list lives at ftp.iss.net:/pub/lists/ntsecurity-digest.archive/.
• pointers to other NT security resources: www.it.kth.se/~rom/ntsec.html.