Honeypot and Internet Background Noise - Lessons Learned. HITB 04 presentation by Kamal Hilmi Othman. Recently, honeypots have been one of the hottest topics in network security discussions. This presentation covers highlights of the honeypot, from its earliest incarnation to the current state of the technology. It also addresses some of the mechanisms that can be deployed in order to capture intruder activity, as well as other mechanisms that can be deployed easily and with little risk: detecting "Internet Background Noise". The results of these implementations are also discussed.
Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers. Screenshot available here.
Port Scan Attack Detector (psad) is a collection of four lightweight daemons written in Perl and C that are designed to work with Linux firewalling code (iptables and ipchains) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP, UDP, and ICMP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap. Psad also uses packet TTL, IP id, TOS, and TCP window sizes to passively fingerprint the remote operating system from which scans originate. Changelog available here.
Lsof is an extremely powerful Unix diagnostic tool. Its name stands for LiSt Open Files, and it does just that: it lists information about any files that are open by processes currently running on the system. It is useful for pinpointing which process is using each network socket. FAQ available here.
Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings. Full changelog available here.
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.
alph implements and analyzes historical and traditional ciphers and codes, such as polyalphabetic, substitution, and mixed ciphers, using algorithms that a human can reconstruct. It provides a pipe filter interface to encrypt and decrypt blocks of text transparently. The program is meant to be used in conjunction with external programs that transfer data, resulting in transparent encryption or decryption of information. The program can thus be used as a mail filter, IRC filter, IM filter, and so on.
BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a Web frontend to query and analyze the alerts coming from a Snort IDS.
Proof of concept exploit for the mod_include module in Apache 1.3.31 that is susceptible to a buffer overflow.
The mod_include module in Apache 1.3.31 is susceptible to a buffer overflow that allows for arbitrary code execution.
Secunia Security Advisory - Zero X has discovered a vulnerability in Anaconda Foundation Directory, which can be exploited by malicious people to disclose sensitive information.
Secunia Security Advisory - A vulnerability has been reported in cabextract, which potentially can be exploited to overwrite arbitrary files on a vulnerable system.
Secunia Security Advisory - Some vulnerabilities with an unknown impact have been reported in PBLang 4.x.
Secunia Security Advisory - A weakness has been reported in Windows XP, which can be exploited to bypass certain rules in the Internet Connection Firewall (ICF). The problem is caused by the firewall, by default, accepting incoming connections to ports listened on by the "sessmgr.exe" process.
Rkdscan is a scanner designed to detect whether or not an NT-based computer is infected with the Hacker Defender rootkit. To do this, it makes use of a design flaw in the rootkit.
Sun Security Advisory - A vulnerability has been reported in Sun Solaris, which can be exploited by malicious local users to escalate their privileges. The vulnerability is caused by an unspecified problem when LDAP and RBAC (Role Based Access Control) are used together. This can be exploited to execute certain commands with root privileges.
Gentoo Linux Security Advisory GLSA 200410-16 - The make_oidjoins_check script, part of the PostgreSQL package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.
Example code using shellcode to bypass StackGuard.
Gentoo Linux Security Advisory GLSA 200410-14 - Squid contains a vulnerability in the SNMP module which may lead to a denial of service.
Local root exploit for /usr/sbin/iwconfig.
Local root exploit for /sbin/ifenslave.
IIS 5 null pointer proof of concept exploit.
iDEFENSE Security Advisory 10.18.04: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability. Multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV are affected. The problem specifically exists in the parsing of .zip archive headers. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers to zero.
SaleLogix Server and Web Client suffer from authentication bypass, privilege escalation, SQL injection, information leak, arbitrary file creation, and directory traversal flaws.
Secunia Security Advisory - A vulnerability has been reported in Gnofract 4D, which potentially can be exploited by malicious people to compromise a user's system.