Matt's Web World presents...

Unix Security
Established November 1, 1995.
Last updated on May 1, 2018.

Click this seperator to return to the Table of Contents.

Welcome to my Unix security page! This page is not a complete listing of Unix security information and tools. What is hosted here is what I personally find useful and/or interesting. Hyperlinks to other sites are provided at the bottom of this page for those seeking something not listed here.

This page started out as a place to store Unix-related research papers I downloaded from FTP sites, back when I was really happy to be reading Usenet newsgroups at 9600bps. It's been almost 15 years since and the content here has grown a bit beyond Unix, to include Windows-based tools (I know, I know...), live CD distros, and another favorite topic of mine, lockpicking.

I have not done a great deal in the last decade other than link maintenance. But the page remains popular and I think it presents much of the core Unix lore and security knowledge. All of the links are current now, and the content is a bit more modern in its focus. There is so much more out there in the world since I started this in '95, but here lies an early signpost, and you would do well to master its content.

For those who might think it unwise to publicly disclose security holes and the techniques used to pass through them, I urge you to read Charles Tomlinson's Rudimentary Treatise on the Construction of Locks.

Everything here is provided for informational purposes only. The presence of any link on this page is not an endorsement of its content. And I certainly do not endorse unauthorized access to other people's computers! Property rights exist and should be respected. Think white hat.

If you wish to comment on this page please use the contact form to send me a message. If you are interested in advertising on this page please contact me to discuss terms.

Click this seperator to return to the Table of Contents.

Table of Contents

Click any of the blue section separators to return to this table of contents.

Icons external link icon indicate a link which will take you away from this site. (In the same window! Shift-click on links if you want them in a new window.)

Dragon

There Be Dragons...

Valid XHTML 1.0 Transitional   Valid CSS!

Click this seperator to return to the Table of Contents.

What's New?

May 1, 2018

Click this seperator to return to the Table of Contents.

Click this seperator to return to the Table of Contents.

File Formats & Extensions

The file archive uses various extensions, sometimes with multiple extensions in series. The extensions are summarized in the following table and links to the utility software needed to read these formats are provided.

Extension File Format Info
.c 'C' language source file. Use gcc to compile to machine code.
.gz Gzip compressed file. Use gzip or IZArc to decompress these files.
.pdf Adobe Acrobat file. Use Acrobat Reader to view and print these files.
.ps Adobe Postscript file. Use Ghostview to view and print these files. Ghostscript also does Postscript-to-ASCII conversions.
.tar Unix Tape Archive file. Use your Unix's native tar command or on Windows try IZArc to handle these files.
.txt ASCII Text file. Use standard text editor or browser.
.zip PKZip compressed file archive. Use Info-Zip or IZArc to handle these files.

Click this seperator to return to the Table of Contents.

Published Security Papers

Sorted alphabetically by author name.

The papers here were orignally in Adobe Postscript ( .ps) format. I have converted them all to Adobe Acrobat ( .pdf), since this is the successor format from Adobe, and has many advantages to Postscript. The Postscript .ps files are all gzip'd and therefore end in .ps.gz The .pdf PDF files are almost as small as their gzip'd counterparts and therefore have not been compressed; just click and read (or print).

Unix Computer Security Checklist
AUSCERT, Australian Computer Emergency Response Team; 1995; ASCII Text; 89k
A comprehensive checklist for securing your Unix box.
Packets Found on an Internet
Bellovin, Steven M.; 1993; Acrobat format; also available in Postscript format
A very interesting paper describing the various attacks, probes, and miscellaneous packets floating past AT&T Bell Labs' net connection.
Security Problems in the TCP/IP Protocol Suite
Bellovin, Steven M.; 1989; Acrobat format; also available in Postscript format
A broad overview of problems within TCP/IP itself, as well as many common application layer protocols which rely on TCP/IP.
There Be Dragons
Bellovin, Steven M.; 1992; Acrobat format; also available in Postscript format
Another Bellovin paper discussing the various attacks made on att.research.com. This paper is also the source for this page's title.
An Advanced 4.3BSD IPC Tutorial
Berkeley CSRG; date unknown; Acrobat format; also available in Postscript format
This paper describes the IPC facilities new to 4.3BSD. It was written by the CSRG as a supplement to the manpages.
NFS Tracing by Passive Network Monitoring
Blaze, Matt; 1992; ASCII Text
Blaze, now famous for cracking the Clipper chip while at Bell Labs, wrote this paper while he was a PhD candidate at Princeton.
Generic Unix Security Information
CERT Advisory Team, 1993, ASCII Text
A good general commentary on Unix security, with specific places to look for suspicious files if you believe your machine's security may be compromised. It's a bit dated, so don't pay attention to the version numbers (Sendmail 8.6.4 is definitely not current anymore!)
IP Spoofing
CERT Advisory Team, 1995, ASCII Text
Not too exciting, but useful for the uninitiated.
Securing Anon FTP Servers
CERT Advisory Team, 1995, ASCII Text
This CERT advisory details the access permissions and server configuration which should be followed to prevent anonymous FTP security breaches.
Network (In)Security Through IP Packet Filtering
Chapman, D. Brent; 1992; Acrobat format; also available in Postscript format
Why packet filtering is a difficult to use and not always secure method of securing a network.
An Evening with Berferd
Cheswick, Bill; 1991; Acrobat format; also available in Postscript format
A cracker from the Netherlands is "lured, endured, and studied."
Design of a Secure Internet Gateway
Cheswick, Bill; 1990; Acrobat format; also available in Postscript format
Details the history and design of AT&T's Internet gateway.
Improving the Security of your Unix System
Curry, David, SRI International; 1990; Acrobat format; also available in Postscript format
This is the somewhat well known SRI Report on Unix Security. It's a good solid starting place for securing a Unix box.
With Microscope & Tweezers
Eichin & Rochlis; 1989; Acrobat format; also available in Postscript format
An analysis of the Morris Internet Worm of 1988 from MIT's perspective.
The COPS Security Checker System
Farmer & Spafford; 1994; Acrobat format; also available in Postscript format
The original Usenix paper from 1990 republished by CERT in 1994.
COPS and Robbers
Farmer, Dan; 1991; ASCII Text
This paper discusses a bit of general security and then goes into detail regarding Unix system misconfigurations, specifically ones that COPS checks for.
Improving The Security of Your System by Breaking Into It
Farmer & Venema; 1993; HTML
An excellent text by Dan Farmer and Wietse Venema. If you haven't read this before, here's your opportunity.
A Unix Network Protocol Security Study: NIS
Hess, Safford, & Pooch; date unknown; Acrobat format; also available in Postscript format
Outlines NIS and its design faults regarding security.
A Simple Active Attack Against TCP
Joncheray, Laurent; 1995; Acrobat format; also available in Postscript format
This paper describes an active attack against TCP which allows re-direction (hijacking) of the TCP stream.
Foiling the Cracker
Klein, Daniel; 1990; Acrobat format; also available in Postscript format
A Survey of, and Improvements to, Password Security. Basically a treatise on how to select proper passwords.
A Weakness in the 4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985; Acrobat format; also available in Postscript format
This paper describes the much ballyhooed method by which one may forge packets with TCP/IP. Morris wrote this in 1985. It only took the media 10 years to make a stink about it!
Covering Your Tracks
Phrack Vol. 4, Issue #43; Acrobat format; also available in Postscript format
A Phrack article describing the unix system logs and how it is possible to reduce the footprint and visibility of unauthorized access.
Cracking Shadowed Password Files
Phrack Vol. 5, Issue #46; Acrobat format; also available in Postscript format
A Phrack article describing how to use the system call password function to bypass the shadow password file.
TCP SYN Flood (Project Neptune)
Phrack Vol. 7, Issue #48; 1996; HTML
Includes explanation of this denial-of-service attack as well as Linux source implementation. Also of interest may be the CERT document warning that Phrack had published this vulnerability.
Thinking About Firewalls
Ranum, Marcus; 1992; Acrobat format; also available in Postscript format
A general overview of firewalls, with tips on how to select one to meet your needs.
Addressing Weaknesses in the Domain Name System Protocol
Schuba, Christoph L.; 1993; Acrobat format
Describes problems with the DNS and one of its implementations that allow the abuse of name based authentication.
Public Key Certification & Secure File Transfer
Shuba & Sheth; approx. 1994; Acrobat format
This document describes secure file transfer between agents, providing confidentiality and integrity of transferred files, originator authentication, and non-repudiation.
Source Routing Info
Usenet comp.security.unix; 1995; ASCII Text
An interesting discussion of TCP/IP source routing stuff.
Countering Abuse of Name-based Authentication
Schuba & Spafford; approx. 1994; Acrobat format
Discusses conceptual design issues of naming systems, specifically DNS, and how to address the shortcomings.
TCP Wrapper
Venema, Wietse; 1992; Acrobat format; also available in Postscript format
Wietse's paper describing his TCP Wrapper concept, the basis for the TCP Wrappers security and logging suite.

Click this seperator to return to the Table of Contents.

Click this seperator to return to the Table of Contents.

Unix Source Code Hacks

Sorted alphabetically by name

arnudp.c
Source code demonstrates how to send a single UDP packet with the source/destination address/port set to arbitrary values.
block.c
Prevents a user from logging in by monitoring utmp and closing down his tty port as soon as it appears in the system.
esniff.c
Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.
hide.c
Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively.
identd.c
A modified identd that tests for the queue-file bug which is present in Sendmail versions earlier than 8.6.10 and possibly some versions of 5.x.
listhosts.c
Requests a DNS name server to do a zone transfer and list the hosts it knows about.
mnt
This program demonstrates how to exploit a security hole in the HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles which will allow access from clients which do not normally have privileges.
NFS-Bug
Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX & HPUX patches included.
NFS Shell
A shell which will access NFS disks. Very useful if you have located an insecure NFS server.
RootKit
A suite of programs like ps, ls, & du which have been modified to prevent display of certain files & processes in order to hide an intruder. Modified Berkeley source code.
rpc_chk.sh
Bourne shell script to get a list of hosts from a DNS nameserver for a given domain and return a list of hosts running rexd or ypserve.
seq_number.c
Code to exploit the TCP Sequence Number Generator bug. An brief but clear explanation of the bug can be found in Steve Bellovin's sequence number comment. Note that this code won't compile as-is because it is missing a library that does some of the low-level work. This is how the source was released by Mike Neuman, the author.
Socket Demon v1.3
Daemon to sit on a specified IP port and provide passworded shell access.
Solaris Sniffer
A version of E-Sniff modified for Solaris 2.
telnetd Exploit
This tarfile contains source code to the getpass() and openlog() library routines which /bin/login can be made to link at runtime due to a feature of telnetd's environment variable passing. Root anyone? The fix is to make sure your /bin/login is statically linked.
ttysurf.c
A simple program to camp out on the /dev/tty of your choice and capture logins & passwords when users log into that tty.
xcrowbar.c
Source code demonstrates how to get a pointer to an X Display Screen, allowing access to a display even after " xhost -" has disabled acess. Note that access must be present to read the pointer in the first place! (Originally posted to USENET's comp.unix.security.)
xghostwriter-1.0b
xghostwriter takes a string, or message, and ensures that this string is "typed" from the keyboard, no matter what keys are actually pressed. Useful for injecting keypress commands into an X session. More info from the auther is here in his USENET post.
xkey.c
Attach to any X server you have perms to and watch the user's keyboard.
xspy-1.0c
xspy is mostly useful for spying on people; it was written on a challenge, to trick X into giving up passwords from the xdm login window or xterm secure-mode. More info from the auther is here in his USENET post.
xwatchwin
If you have access permission to a host's X server, XWatchWin will connect via a network socket and display the window on your X server.
YPX
YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS domain names, which is all that's needed to extract passwd maps from the NIS server. If you already know the domain name, ypx will extract the maps directly, without configuring a host to live in the target NIS domain. (GZip'd Bourne Shell Archive)
ypsnarf.c
Exercise security holes in YP / NIS.

Click this seperator to return to the Table of Contents.

Unix Security Tools

Sorted alphabetically by name

COPS v1.04
COPS (Computer Oracle and Password System) checks for many common Unix system misconfigurations. I find this tool very valuable, as it is non-trivial to break a system which has passed a COPS check. I run it on all the systems I admin. It's getting a bit old, but it's still an excellent way to systematically check for file permission mistakes.
Crack v4.1
Crack is a tool for insuring that your Unix system's users have not selected easily guessed passwords which appear in standard dictionaries. (Only a very small dictionary is included so grab the one below if you wish.)
Crack Dictionary
A general 50,000 word dictionary for use with Crack.
fping
Like Unix ping(1), but allows efficient pinging of a large list of hosts. V2.2.
ICMPinfo v1.1
ICMPinfo is a tool for looking at the ICMP messages received on the running host.
ISS v1.3
The Internet Security Scanner is used to automatically scan subnets and gather information about the hosts it finds, including the guessing of YP/NIS domainnames and the extraction of passwd maps via ypx. It also does things like check for verisons of sendmail which have known security holes.
lsof v4.82
List All Open Files. Displays a listing of all files open on a Unix system. Useful for nosing around as well as trying to locate stray open files when trying to unmount an NFS-served partition.
netcat v1.1
Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed.
RScan
An older tool for Heterogeneous Network Interrogation. Includes links to a Usenix paper as well.
SATAN
Security Administrator Tool for Analyzing Networks. Dan Farmer's tool that caused a huge stir in the media back in '95 when he wrote it and released it. I believe he ended up leaving SGI over this thing. So silly. Where is SGI now? That's what I thought...
Strobe v1.03
Strobe uses a bandwidth-efficient algorithm to scan TCP ports on the target machine and reveal which network server daemons are currently running. Version 1.03 is an update to 1.02.
Tiger
Tiger is a security tool that can be use both as a security audit and intrusion detection system. It is similar to COPS or SATAN, but has system specific extensions for SunOS, IRIX, AIX, HPUX, Linux and a few others. The original TAMU project has been resurrected and is now being maintained as part of Savannah.
Traceroute
Traceroute is an indispensable tool for troubleshooting and mapping your network.

Click this seperator to return to the Table of Contents.

Multi-platform Security Tools

Sorted alphabetically by name

How to Encrypt Your Hard Drive
Good article covering the various options for whole disk encryption on Windows, Linux, and Mac.
Kismet
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11a, 802.11b, and 802.11g traffic.
PuTTY
PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.
TrueCrypt
TrueCrypt creates virtual encrypted file-systems which can be stored as a file or as a whole disk partition. Works on USB sticks too. Don't lose your data if your PC is stolen -- encrypt it!
WireShark
The best network sniffer & protocol analyzer out there.

Click this seperator to return to the Table of Contents.

Windows Security Tools

Sorted alphabetically by name

NetStumbler 0.40
NetStumbler is a wireless LAN tool which scans for access points and reports back with a list which includes signal strengths and protocols in use. More details are available here in the NetStumbler Readme.
Fiddler
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. The application is Windows-only but it hooks very low level API's which allows it to work with any browser (IE, Firefox, Opera, etc.) and also decrypt SSL traffic without setting up the required private cert keys (as in WireShark).
netcat NT v1.1
Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed.
Password Safe
Password Safe allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe all you have to do is create and remember a single "Master Password" of your choice in order to unlock and access your entire user name/password list. Much safer than re-using passwords between sites!
Sam Spade 1.14
Sam Spade is an integrated network query tool for Windows. Most of what it does can be had elsewhere, but it has the ability to parse email headers and determine where forgeries have been made in the headers and forwarding chain. Very useful for well forged spam, reduces analysis time a lot to have Sam take a crack at it first.
Secunia PSI
This is a great tool which scans your system for old and unpatched application software which has security vulnerabilities. Does for applications what Windows Update does for the Windows OS.
Security Essentials
Security Essentials is Microsoft's new real-time anti-virus and malware protection solution. It's reported to be better than most anti-virus compeitors and it's free.
WinDirStat
Scans NTFS filesystems and represents them as a colored, graphical heat map based on size. Great for seeing what is taking up the most space on your system. Think of it as graphical du for Windows.
WinSCP
Free SFTP, FTP and SCP client for Windows. This is a great Windows file transfer client which also supports SCP, which most ISP's are moving to now for secure file transfer.

Click this seperator to return to the Table of Contents.

Live CDs

Sorted alphabetically by name

BackTrack
BackTrack is the #1 Linux LiveCD focused on penetration testing.
BartPE
BartPE is a preinstalled environment builder for Windows. It uses your original Windows media to create a Live CD bootable CDROM OS image.
GNUStep/OpenStep
Remember the NeXT cube running NeXTStep? Well I do, and this LiveCD brings it all back. No other reason to include it other than it's Unix, and I miss my cube.
Helix
Helix is focused on incident response, forensics, and e-discovery. Free CD with option to buy support and access to the member community.
Knoppix
This is not a security distro, but it's the best general Linux Live CD going, so it gets included for general usefulness.
Knoppix-STD
Security Tools Distribution of the Knoppix LiveCD. Zillions of things here, for all aspects of security work.
Trinity Rescue Kit
Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

Click this seperator to return to the Table of Contents.

Click this seperator to return to the Table of Contents.

Lockpicking

These links aren't Unix related, but they are security related, and you may find them interesting. Ultimately, the integrity of your computer's electronic security rests on the integrity of its physical security. So you need to know how locks work because your whole security world is premised on them. Perhaps a section on alarm systems will be next... smile

Click this seperator to return to the Table of Contents.

Hyperlinks

Links last verified July 13 th, 2015. All of these external links leave this site.

People

Places & Organizations

Tools & Download Sites

Zines & Publications

Click this seperator to return to the Table of Contents.

Web World Button Bar Home E-Mail Contact