-P R E S E N T-
Phrack Magazine; the longest running electronic computer security journal in recorded history. We'll swallow your soul.
Phrack 53 is now available.
Similar to the Linux security patches that went out in Phrack 52, now for OpenBSD. Included is a trusted path execution patch with a userland agent to add or delete `trusted` UIDs.
A library of commonly used raw/low-level network routines. NOW GAINING FAME AND ACCEPTANCE!
Juggernaut is a robust TCP-based network tool. The original version went out in Phrack 50 (see below). This version is a complete and total rework from the ground up. Currently the program is portable to Linux and BSD, with Solaris support planned.
The future distribution of this program is undecided.
-P E N D I N G-
More OpenBSD security patches. Elimination of suser() throughout the kernel. Replace it with multiple credential checks. I think asriel did something like this. I should probably check before I get too involved in it.
-P A S T-
A paper detailing the T/TCP protocol including implementation and vulnerabilities. Went out in Phrack 53.
Ripped out ICMP_ECHO / ICMP_ECHOREPLY support from the kernel entirely and moved it into a userland daemon. Asriel wrote the 4.4BSD version. Newest version supports sending of ICMP_HOST_UNREACH packets and skewing of RTTs. You need libwrap and libnet (libnet is above).
Slightly less gay than that way old pident hack thing.
Tips and patches to harden your 2.0.x Linux kernel and protect it from attack.
SYN -> RST sniper rewritten for portability. Uses libnet.
A simple tcl/tk interface onto some old code which was rewritten. So I suppose it isn't really old. *shrug* It's rewritten SYN flooding code, rewritten to be cleaner, simpler and it uses libnet.
IP fragmentation woes for Linux, Windows 95/NT, and a few others.
Covert channel implementation. The companion source to go with the article from Phrack 49 (see below). LOKI2 is an information tunneling program. It is a proof of concept work intending to draw attention to the insecurity that is present in so many network protocols. In this implementation, we tunnel simple shell commands inside of ICMP_ECHO / ICMP_ECHOREPLY and DNS namelookup query / reply traffic. To the network protocol analyzer, this traffic seems like ordinary benign packets of the corresponding protocol. To the correct listener (the LOKI2 daemon) however, the packets are recognized for what they really are. Some of the features offered are: three different cryptography options and on-the-fly protocol swapping (which is a beta feature and may not be available in your area).
Robust network tool for Linux. This early version includes: Connection spying, resetting, hijacking, automated resetting, packet assembly, and TCP circuit isolation and logging (glorified sniffing).
Loki illustrates the fact that many network devices do poor sanity checking on the traffic they pass. It covers a covert channel that exists inside of ICMP_ECHO <-> ICMP_ECHOREPLY traffic. Project Loki (paper only) went out with Phrack 49.
Hades delves into more TCP DOS attacks. The attacks explored are SYN -> RST sniping, TCP window starvation, and inetd SYN->RST killing (which we now know to be Linux specific handling of accept(2) returning a defunct socket, which generates a SIGPIPE when written to, which, by default, will terminate the program). Hades went out with Phrack 49.
TCP SYN flooding is a denial of service attack where an attacker sends a series of spoofed connection establishment requests to a target host. The attack can range from mildly annoying, where there is a slight hiccup in a TCP-based service, to devastating, where all TCP-based network connectivity is lost. The distribution version, Project Neptune, went out with Phrack 48. This is very poor code. Keep that in mind. The full version, Poseidon, was released later (see above).
This is a comprehensive paper I wrote on trust relationship exploitation. It covers the attack in detail and includes all the relevant background info necessary to firmly understand IP-spoofing. It assumes little more than a working knowledge of TCP/IP and UNIX. It was originally published in Phrack 48.
Microsoft Network Monitor is a packet sniffer that runs under Windows NT. It is a very robust and versatile network monitor, delivered as part of the SMS package. To restrict access, NetMon implements a password authentication scheme. Fellow Guild member AON and I broke this weak password authentication scheme. We wrote up a whitepaper and exploit code for Unix and for NT. There are two versions of the code, one written for Windows NT, and the other for Unix. Given the required DLL file to parse, the programs both basically do the same thing: look for a header that flags the encrypted string, extract the encrypted string, and decrypt it. I wrote the Unix version, AON wrote the NT version. Phrack 48.
The PGP Attack FAQ is a paper I did on the feasibility of breaking PGP. It should answer most questions you may have on the strength of the system. However, it is sorely in need of an update.
My netcom .plan. Something I used to do.
This is an abandoned project. It's actually a failed project (sorta). It was once going to be a robust password checking engine that could be seamlessly integrated into passwd(1). C3eval was supposed to evaluate the strength of Unix passwords based upon two kinds of tests: statistical heuristic and information theoretic. The statistical testing was done by throwing the password through a series of heuristics of my own devising. The other part of the evaluation was to be done according to conventional Information Theory by evaluating the entropy of the password. The heuristics needed a lot of work. A lot. But that's not the major problem. As it turns out, it is quite infeasible to evaluate entropy algorithmically. SO, here the code sits. Mocking me in its futility. Oh well. If anyone wants to work on the heuristics with me, let me know. Otherwise I will prolly let it die a natural death...
A rootkit for 1.2.x Linux. Some of the code will work on 2.0.x.