.: general archive


.: large list of papers at gomor.org
A large list of papers at gomor.org. A huge array of papers from wireless to programming languages to writing buffer overflows to hardware...
.: openWRT for Linksys WRT54G wireless AP
OpenWRT is a Linux firmware for the Linksys WRT54G wireless Router/AP. Not sure I have available hardware that I want to try putting this on, but maybe someday I will have a spare AP to see how this works out. Still, a really cool idea.
.: using Google for easy Web hacking
I've known this for some time, but finally have a good post to link. Tom's Hardware has a review of a Black Hat talk about the dangers and uses of Google in hacking.

I firmly believe that famed Adrian Lamo, the "drifter" hacker who performed his hacks using only a web browser and open cybercafe computers, utilized search engines in smart ways to find vulnerable sites.

You can easily do a search for the title of a web admin interface page and come up with potentially unprotected hits. For instance, I once found an open Linksys WRT54G web interface by searching for some combination of text that appears on its admin page. Limit a search for "admin" to a particular domain or company, and you might just find pages that some admin thought were hidden because no pages linked to them and they weren't known, i.e. they thought obscurity was enough security.

Just think, using Google to look up default and running VNC installs open to the public...just connect and 0wn.
.: wireless pen testing papers at secfocus
I've not had a chance to fully appreciate and check through this series of papers about pen testing wireless networks, but I didn't want to lose the link. Reminder to view the printable version to print.

Part 1
Part 2
Part 3
.: series on wireless lan tools
Just placing some links here for some wireless lan tools articles.

part 1
part 2
part 3
part 4
.: tgs tutorials galore
TGS has a nice list of tutorials that I should check out at some point.
.: microsoft port list
I did not know this, but it turns out Microsoft keeps a list of all the ports that various MS services use. This list is available for download as an Excel spreadsheet from the Microsoft site.
.: windows startup locations list
The list is kinda long, so I'll just link to it at Packet Storm.
.: turn off ssdp and upnp
Universal Plug and Play has been a nightmare of a vulnerable and useless service running by default on Windows XP systems. Patches have come and gone, but this service, coupled with SSDP, is simply useless and volunteers far too much information to prying eyes: it readily reveals the OS of a target machine to a hostile probe. Turning off the SSDP Discovery service in Windows XP also stops the UPnP Device Host service, which depends on it, and doing so should be part of a base install configuration set. Afterwards, netstat -an should show nothing listening on UDP 1900. NIST's Windows XP hardening guidance includes disabling SSDP.
.: the art of war
A translation for The Art of War online. Another book that I should get, but I just don't know which version to pick up... I may just read this one, formulate my own conclusions and gain my own insight from it before picking up a book that expounds on the principles for me.
.: insider threat papers from the .gov
Two papers popped up as mentioned on another site I visit. First, a paper discussing a number of insider security incidents over the past eight years, involving about 26 insiders at financial institutions. Second, a four-year-old paper from the DoD outlining means of mitigating insider threats.

Snippets shamelessly snagged from the other site in regards to the first paper:

"- Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise. In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.

- The majority of the incidents (81%) were devised and planned in advance. Furthermore, in most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

- Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.

- Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in hacking and 27% had come to the attention of a supervisor or co-worker prior to the incident.

- Most of the incidents (83%) were executed physically from within the insider's organization and took place during normal business hours."
.: weplab wireless wep testing
Weplab is a tool that demonstrates how weak WEP is by recovering the WEP key from captured wireless traffic. I've not played with it, but it can be useful down the road.
.: tcp/ip illustrated vol. 1
TCP/IP Illustrated, Volume 1 is available online. Note that this is an older book, dating from 1994, and it is not for the faint of heart: it skips past the high-level view of TCP/IP and digs right down into the nuts and bolts that make it work, with real-world illustrative examples throughout (hence the name!). I should read this volume at some point, but maybe not quite yet, until I get some more sniffing experience under my belt.
.: rules of thumb for security and defense
Joat posted this, so I'm going to copy it over:

Just keep in mind the general rules of thumb for security:
  • It's not "if" someone is going to break in, it's "when"...
  • in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
  • there's no such thing as a secure online system...
  • and adding technology rarely adds security.
The general rules of thumb for countering attacks:
  • Log as much as practical
  • review your logs automatically AND manually
  • employ a consistent backup schedule
  • use your metrics, be able to recognize what's normal and what isn't
  • the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.
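Joat's "review your logs automatically AND manually" and "recognize what's normal" rules as a small shell script, added here as an example and not part of Joat's post or of this entry. The sshd log lines are constructed sample data; the hosts, users, addresses and the threshold of three failures are all made up, and the threshold stands for the metric you would set from what your own logs look like on a normal day.

```sh
# Added example, not from Joat's post: a first cut at "review your logs
# automatically", plus a list of what deserves manual eyes. Plain sh + awk.

# Constructed sample standing in for /var/log/auth.log; hosts, users and
# addresses are made up.
sample_log() {
    cat <<'EOF'
Nov  3 02:14:01 gw sshd[2311]: Failed password for root from 10.9.8.7 port 4401 ssh2
Nov  3 02:14:03 gw sshd[2311]: Failed password for root from 10.9.8.7 port 4402 ssh2
Nov  3 02:14:05 gw sshd[2311]: Failed password for admin from 10.9.8.7 port 4403 ssh2
Nov  3 02:14:09 gw sshd[2311]: Failed password for invalid user test from 10.9.8.7 port 4405 ssh2
Nov  3 08:01:17 gw sshd[2390]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Nov  3 08:05:44 gw sshd[2402]: Failed password for bob from 192.168.1.31 port 51100 ssh2
Nov  3 08:05:51 gw sshd[2402]: Accepted password for bob from 192.168.1.31 port 51100 ssh2
EOF
}

# failed_by_source < log  ->  "COUNT ADDRESS" per source, busiest first.
# The address is the word after "from", which also copes with the
# "invalid user NAME" variant of the message.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) print n[a], a }' | sort -rn
}

# flag_anomalies THRESHOLD < log -> sources with more failures than THRESHOLD.
# THRESHOLD is the metric: set it from what a normal day looks like in your
# own logs, not from a number in a book.
flag_anomalies() {
    failed_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

# failed_then_accepted < log -> sources that failed and later got in. A user
# mistyping a password looks the same as a guessed one, so these go to a
# human, not a script.
failed_then_accepted() {
    awk '/sshd\[[0-9]+\]: (Failed|Accepted) / {
             for (i = 1; i <= NF; i++) if ($i == "from") { a = $(i+1); break }
             if ($6 == "Failed") f[a] = 1
             else if (f[a]) ok[a] = 1
         }
         END { for (a in ok) print a }' | sort
}

# Stand-alone run over the sample: the automatic part, then the manual queue.
report() {
    echo "failed logins by source:"; sample_log | failed_by_source
    echo "over threshold (3):";      sample_log | flag_anomalies 3
    echo "failed then accepted:";    sample_log | failed_then_accepted
}
```

Replace `sample_log` with `cat /var/log/auth.log` (or whatever syslog writes on your box) and put `report` in cron; the first two functions are the automatic review, the third is the list you read by hand.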
.: intro to security and much more
This site is basically a paper tackling an Introduction to Security, but it has so many links that it is a very nice little page to keep around and explore from, even if the sites and topics are already known. A very nice intro compilation.
.: quick networking rundown
This article is a very quick-shot laundry list of network terms and items. The whole presentation makes my head spin because the author goes through each one in bambambambam rhythm, but it is still a nice bit to read through in pieces.
.: 180solutions spyware/malware
Stole a bunch of links from another site describing some new spyware that adds some network traffic and unwanted ads on users' desktops and networks. 180Solutions might just hit someone I know at work someday soon.

180Solutions Analysis
Full disclosure at Seclists
Securiteam analysis of 180Solutions trojan
180Solutions : nCase
.: forensic case study article
The Role of Computer Forensics in Stopping Executive Fraud is a very interesting case study article illustrating various forensic concepts and techniques based around what the author says is a very real case study involving corporate fraud.

I found especially interesting some of the actual Linux command lines they used to both wipe and image data. dd and md5sum are standard on any Linux system.

# > dd if=/dev/urandom of=/dev/hda
This overwrites the whole drive with random data; it can and should be repeated a number of times to sanitize a drive. It also destroys everything on it, so this is for a drive you are finished with, never the one you are about to image.

# > dd if=/dev/hda of=/mnt/image.dd
This copies the drive, block for block, into an image file. /mnt must be a separate disk with enough room, and the evidence drive should never be mounted writable during the process, so that imaging changes nothing on it.

# > md5sum /dev/hda
Calculates a checksum over the entire drive.

# > md5sum /mnt/image.dd
Calculates a checksum for the image. If it matches the drive's, the image is a faithful copy; record both sums, since re-hashing the image later proves it has not been altered.
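The same acquisition and verification as a small script, added here as an example and not taken from the article. It assumes only coreutils (dd, md5sum, cut, date, grep, sed, tail); the device and image paths are parameters, and the demo runs on a constructed 64 KiB file standing in for a drive. md5sum is kept to match the article; it detects accidental corruption fine but is not collision resistant, so swap in sha256sum when the image may be challenged.

```sh
# Added example, not code from the article: image a drive with dd, then hash
# source and image so the copy can be proven faithful, and re-verify later.
# Uses only coreutils (dd, md5sum, cut, date, grep, sed, tail).

# acquire_image SRC IMG LOG
#   SRC is the evidence device (e.g. /dev/hda) or a file standing in for one.
#   IMG must live on a different disk than SRC.  LOG records both hashes.
#   Returns 0 only when the image hashes identically to the source.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    # conv=noerror,sync reads past unreadable sectors and pads them with
    # zeros, so one bad block does not abort the whole acquisition.
    # bs=512 is deliberate: conv=sync pads the last block up to bs, so bs
    # must divide the source size exactly or the image grows and the hashes
    # differ. 512 always divides a disk; 4k may not.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1

    src_sum=$(md5sum < "$src" | cut -d' ' -f1)
    img_sum=$(md5sum < "$img" | cut -d' ' -f1)

    # Timestamped record of both sums: the chain-of-custody note.
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s md5=%s\n' "$stamp" "$src" "$src_sum" >>"$log"
    printf '%s image=%s md5=%s\n'  "$stamp" "$img" "$img_sum" >>"$log"

    [ "$src_sum" = "$img_sum" ]
}

# verify_image IMG LOG
#   Re-hash an image and compare with the md5 recorded at acquisition.
#   Returns 1 if the image changed, 2 if it was never logged.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F -- " image=$img md5=" "$log" | tail -n 1 | sed 's/.*md5=//')
    [ -n "$recorded" ] || return 2
    current=$(md5sum < "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# demo: exercise both functions on a constructed 64 KiB "drive" of random
# bytes in a temp dir. On a real case, run as root with real device paths.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.raw" bs=512 count=128 2>/dev/null
    if acquire_image "$work/evidence.raw" "$work/image.dd" "$work/acquire.log" &&
       verify_image  "$work/image.dd" "$work/acquire.log"; then
        echo "image acquired and verified"
    else
        echo "hash mismatch" >&2
    fi
    cat "$work/acquire.log"
    rm -rf "$work"
}
```

On a real system the call is `acquire_image /dev/hda /mnt/image.dd /mnt/acquire.log` as root, with /mnt on a different disk; `demo` runs the same code against a temp file. Note that a source whose size is not a multiple of 512 (never a real disk, but easy to hit with a file) will fail the hash check because of the conv=sync padding, which is exactly the case the bs comment warns about.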
.: ten steps to getting into security
Scott,

I read the "Scott's 10 Steps for Becoming a CCIE" article (Sept. 14, 2004), but what about getting into security? I want to get into security, but I don't know where to start. Do you have a list of 10 ways to accomplish the five more marketable security certifications in IT?

-- Alex

Alex,

Getting into security is a rewarding experience, but like other IT fields, it requires a lot of work!

First, I'm not sure which you consider the "five more marketable" of the various security certifications out there. I suppose that would all depend on which specific area of security you want to do work in. Here are a couple certifications to consider:

- CISSP/SSCP -- From ISC2, http://www.isc2.org
- SCNA/SCNP -- From Security Certified Program, http://www.securitycertified.net
- CISA/CISM -- From ISACA, http://www.isaca.org
- GIAC/GSEC Series -- From SANS, http://www.sans.org
- Security+ -- From CompTIA, http://www.comptia.org
- CCSA/CCSE -- From CheckPoint, http://www.checkpoint.com
- CCSP/CCIE Security -- From Cisco Systems, http://www.cisco.com/go/certification
- JNCIA-FWV/JNCIS-FWV -- From Juniper Networks (formerly NetScreen's NCSA/NCSP certifications), http://www.juniper.net/training/certification/netscreen

There are others, but the certs above are the primary ones that I can think of. The marketability of any of them certainly depends on your location and surrounding market environment.

Similar to what we, at my company, tell our clients regarding Internet security, it really isn't a matter of "if" you will be attacked but rather a matter of "when." As a security professional, you need to be thinking in this way, but you also need to balance it with a healthy dose of business sense. Being completely paranoid does make for good security, but it also leads to some decisions that make no sense, business-wise, or do not offer sufficient economic incentive. Therefore, consulting in security is concerned with costs as much as performance.

The things I recommend to keep in mind when approaching security certifications are similar to steps in previous guides I've provided in my regular column. Here's how to become a security consultant in 10 simple steps:

1. Give up your social life -- really. If you had one before, you will soon not have one, unless all of your friends like to talk about really esoteric topics and argue on the best way to protect against Internet attacks. But if you have friends like these, ask yourself serious questions about the quality of your social life.

2. Read, read, read, read and read some more! There are plenty of security books and magazines out there, but if you're relying on these for your sole sources of security information, then you're already behind the times. Don't get me wrong -- not that magazines are bad, but you need to stay more up-to-date than that!

Read things other than security magazines. Become familiar with your market and the businesses in your market. Get a sense of how they think and why. The better you can relate network security to any particular business and demonstrate your business sense (rather than technical paranoia), the more accepted you will be.

3. Learn about the bad people that keep security professionals busy. Don't idolize them, but try to think like they do. Attacks that can be anticipated are easier to defend against. You need to know the latest attacks as well as the latest strategies against them.

4. Set up your own network at home, preferably over a broadband connection from a popular provider. Do not place a firewall at the outer edge of your network. Try to defend against various attacks with your computer alone. Don't keep anything critical on this machine, as it may frequently need to be trashed and recreated. Despite the agony, you will learn a lot from these exercises.

5. Invest in equipment. Since money may be an issue, however, what to get and where to get it is a different story. Check out eBay and used equipment resellers. Depending on which of the certifications you go after, equipment may or may not be necessary, but at some point, you'll need hands-on experience playing with actual equipment to see how things work. No matter how meticulous you are and know your books inside-out, implementing any security product for the first time in real life when a client is watching you, or in response to a security breach, is a really bad idea.

6. Realize that any of the certifications listed above are merely starting points. Each of them is different in focus and detail. Some are technical and some are managerial. Some are vendor-specific and others are broad in scope. Each of them may highlight different areas of your experience or specialties, so one is not necessarily better than the other.

I know people with only the Security+ certification, which keeps them plenty busy at work. On the other hand, I know others with a CISSP as well as some of the more technical certifications who are doing a less-than-stellar job, in my opinion. It largely comes down to your market and how well you can convey your understanding of security to your customer base.

7. Learn to be anal-retentive. Perhaps dating a librarian would help here. Whatever method you use (and believe me, being meticulous in security design and concepts does not have to translate into how you live or organize your personal life), the more structured your approach to security is, the better. The best security design is one of "no more, no less," which gives users the abilities they need to do their jobs without granting them too much access. The more separated things are in your network, the easier it will be to quarantine any bad elements that may invade your system. But don't forget that the best security arrangement is transparent to your users.

8. Depending on which certifications you are working on, purchase as much varied equipment as you can. Performing firewall designs and integration exercises requires a completely different mindset from deploying VPN integrations. Both of these are completely different thinking processes from intrusion detection or prevention implementations.

Remember that home network I told you about? Install an IDS/IPS device or software facing your broadband connection. Watch all the entertaining things people will try to do to you, and to think you aren't even a "popular" target! But research the attacks that come in and be familiar with them. Just when you think you know enough, go back and look again! Things change! Conceptually, there aren't a lot of truly new attacks out there, but every once in a while, something will strike you as being original or creative, at which point, you should take notes. But be careful that you don't emulate these attackers!

9. Keep a journal. You may need three or four of these. Note your progress: your good points and your bad points. Keep separate notes organized on different technologies. Add to them as you learn something new. There are many evolving technologies, and many different areas of theory and technical configuration. The more repetition in writing, analyzing, rewriting, compiling and configuring you do, the better the information will stick in your long-term memory.

10. Attend a class, if possible. After you have been doing this all on your own for a while and are cruising through things, try to attend a class. There are many offered throughout the world with some better than others. Make sure to take the time to evaluate the class and its instructor. There is a huge variance in the quality of instructors out there, and the knowledge learned or not learned is often due to factors like this.

The more technical the certification you pursue, the more important taking a class is. There are different classes for the myriad of different certifications out there. A training course, however, should not be the first time you are subjected to a particular set of technologies or concepts. The first time you learn something, you won't know enough to ask questions or assimilate the information yet. After you've been working with a concept for a while, you'll have developed a basic grasp to be able to handle more advanced information. Of course, the quality of instructor you learn under will determine the quality of additional information you will add to your knowledge.

Becoming a security professional is a stimulating experience, and like with many things, the more you know, the more you realize you don't know. Security is a never-ending learning experience. As long as you realize that no matter how bright you are, there is always someone out there who is smarter than you, you'll do just fine.

Enjoy the educational journey and try not to lose yourself too much in the fray. Decide what aspect of security you want to accomplish first, and then narrow your choices from there!

-- Scott

Scott Morris, quadruple CCIE and Uber-Geek can often be seen traveling around the world consulting and delivering CCIE training. For more information on him check out http://www.uber-geek.net or for CCIE training check out http://www.ipexpert.com.
.: tech books for free - networking and security and more
TechBooksForFree has a small list of free e-books online.
.: sql injections
A beginner's article on explaining and performing some SQL Injections on web apps.
.: cissp quiz and video tutorials
This site has a large program that contains a small CISSP quiz set and some really cool entry/intermediate-level video tutorials on using some popular and not-as-popular scanning and penetration tools. The videos are free, and some of the tools are linked off the site. The videos use the "tscc" TechSmith Camtasia codec, so that might need to be downloaded.
.: cissp training webcasts
Shon Harris is featured in a full series of CISSP training webcasts on SearchSecurity.com. These are free; you have to supply some information to start the webcast, but there is no requirement that it be legitimate. Seems to work better in IE than Firefox. Webcasts are about 60 minutes each.
.: wep cracking
A SecurityFocus article on cracking WEP and other inherent issues with wireless. Includes a lot of nice tools and the links to those tools at the bottom.
.: Maturing of the Internet: Of Spam and Spyware
Now the 50-year-old Seemayer is once again on the cutting edge: Sick of spam clogging his in-box and spyware and viruses crashing his system, Seemayer yanked out his high-speed connection.

"I'm not going to pay for something that I can't use," he said.

A small but growing number of frustrated computer owners are coming to the same conclusion. They're giving up or cutting back their use of the Internet, especially at home, where no corporate tech support team will ride to their rescue.

Article is here

About 4 years ago the IT community hit a glut of new IT folk, many of whom didn't know what they were doing, as exponentially proliferating computers and broadband made a "computer expert" out of thousands and thousands of casual computer users every month. Now, the point of this article rings a very true note as I know people personally who are online less and their taste for things Internet related has soured, all due to Spam and Spyware. As people have hit the net in droves, so too have the vultures and the advertisers followed. Unfortunately, Microsoft's products (namely IE) were not engineered for such scales of economy...the holes were too big, and it only took time and a large enough marketplace for those holes to become so big and pervasively exploited that it is starting to backlash and drive people out of the niche.

I guess on the one hand it is good to see this trend, because it just means people like me are that much more practical today. Where once was a geek that could help out now and then, people like me will soon become as necessary as white blood cells protecting a biological body. Fallout like this also scrapes off the chaff of the IT sector, leaving a heartier and overly better-skilled workforce to forge ahead into this maturing medium.

This backlash can only be temporary. The Internet is far too powerful a tool and even an integral component of life, especially for younger people. This won't last, but is just part of the growing phases... The Internet as a means of communicating, expression, information gathering and sharing, expanding marketplaces... There are times when people take a step back from consumerism and all the gadgets and toys of life, and some of them get back to being simpler, being happy in simplifying. But sometimes, some tools are just too life-changing, world-altering, that they can't just be dropped in the name of simplification...much like the steam engine, cars, airplanes, telephones.

...
There is a group at Best Buy called the Geek Squad who are available to help consumers with their computer questions and problems. However, I think there is still a very strong market for someone much more specialized: security persons. I think people can work their way into putting together printers and home networks by utilizing corporate support through vendors. However, there are few ways to "learn" how to deal with spam, spyware, adware, viruses, and malicious users/worms bouncing digital flak at their always-on broadband connections. There are few ways for people to pull themselves up out of the clutches of all this garbage and still be productive and efficient with their time and investments online. Getting a printer online is one thing, but confidently securing a home network and family is another.

.: analysis of an intrusion
This article details the tools used and the conclusions drawn from an intrusion into a system the author administers. Just nice to see tools and analysis in action.
.: Sed quis custodiet ipsos custodes?

Sed quis custodiet ipsos custodes? (But who will guard the guards themselves?)

.: Prolexic, zombienets, resources
Read an amazing article about defeating DDoS attacks. The main subject of the story went on to found Prolexic, a DDoS protection company, which hosts a nice page of information about zombies and DDoS, found here.
.: an old posting of various tools for search benefits

Ignore this post. I made the mistake of taking some old Blosxom postings and losing their publish date. So here is the data, posted at an arbitrary date of Jan 1, 2006.

apprecon

AppRecon is a little Java tool that sends out discovery broadcast packets and then listens for any responses, which indicate those apps are present. Of note, it currently detects SQL Server, Symantec pcAnywhere, and Symantec Corporate Antivirus. Really pretty cool.

application protocol sniffing tools (msn, icq, aim...)

NextSecurity has a bunch of small tools (some freeware, most trial) to sniff various passwords and conversations on IM programs and other specialized stuff.

binary to text exe scanner

This really small and simple tool will take any .exe (installation or executable file I think), and convert the binary into words that make some sense. Again, not sure what this might do for me, but might be useful in forensics when analyzing what an unknown executable file is trying to do, or maybe better identify it. Still..might be useful to play with.


dns: bind leading the bind

This is an excellent online resource for links about BIND, the most widely deployed DNS server on the Internet.


chaos and clustering?

CHAOS is a tool to simplify creating a processing cluster. And a nice tutorial for using this cluster to work on password cracking. The tool sounds bootable and quite automatic, which could be pretty cool and a nice option instead of rainbow tables or just plain brute forcing or guessing passwords.


crowbar - web site brute forcer

Crowbar sounds like a web site brute forcer that should be worth a shot. This was supposedly either presented or at least mentioned at Defcon this year.


cygwin

I can't believe I don't have a link to it yet, but here is my entry for Cygwin, which gives you a Unix-like environment and toolset (bash included) on Windows, a far more powerful alternative to the cmd prompt.


darwinports

Darwinports is an opensource project mostly for Mac OS X that, well, I'm not sure what it does without seeing it in action, but I had a strong recommendation for it that I didn't want to lose.


default password list link

This site has an updated list of default passwords for a variety of devices.


dsniff

Dsniff is a collection of network auditing tools: "dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI."


eagleeyeos: lock and log removable storage devices

EagleEyeOS will lock and log removable storage devices. The logging sounds like the really cool part to me...


eeye resources and tools

eEye Digital Security has a number of useful tools and scanners on their site, for free use. They include a lot of tools to scan smaller networks for specific worm or exploit vulnerabilities. Most notably, though, is nmapNT, an NT port for the *nix nmap tool.


etherpeek

Need to check out Etherpeek at some point too. Saw it mentioned on a mailing list as a recommended means to monitoring network traffic of some sort. I suspect it is similar to etherape and ethereal.


health check tool for exchange implementations

This tool for checking the health of an Exchange setup might be useful in the not-so-distant future.


firewalking: testing firewalls

Firewalking is a technique for mapping what a firewall lets through: probes are sent with their TTL set to expire one hop past the filtering device, so a "TTL exceeded" reply means that port or protocol is passed and silence means it is blocked. A number of tools implement it or help with it.


isic


hping / hping2


Update: And here is a tutorial on hping2.


fuzzing tools

If I ever want to get into fuzzing, that site is one of the places I'd start.


getting started with snort

This might be getting dated, but may help me someday when I get off my oinker and start looking into implementing snort full-time on my networks.


harpy - http constructor

Web site has an online HTTP constructor called HArPy. With it you can construct and send your own HTTP strings. Kinda fun to play with this and understand how web servers reply and how they log and/or block requests.


honeytrap and nepenthes

Honeytrap is a cool tool that opens a port (or ports) on your system and captures whatever comes in. It does some low-level emulation of services, but mainly it is there to capture attacks, including ones against unknown vulnerabilities.


This is in contrast to nepenthes which will trigger on and capture only known vulnerabilities and exploits.


Now, neither of these tools runs natively on Windows, although one can attempt to compile them. But there is an older post I made here about Windows port listeners, which really do much the same thing, especially if I can find one that emulates known services as opposed to just opening a port and listening for anything.


host integrity checkers

There are really not that many truly gifted host integrity checkers out there. I remember at my last job we actually had no real digital integrity processes and got minorly dinged on that whole section on a security assessment review. I looked into the topic a bit back then and realized there's just really not that much out there. Sure you can make cases for rootkit sniffers and even anti-virus and filemon, but if you want to remain honest with yourself, these don't really count.


Here is a round-up of a bunch of integrity scanners (written and conducted by the author of one of the scanners). It might be a bit biased and dated (~2002) but still gives good info.


Samhain and Osiris are two very popular host integrity checkers (after, of course, Tripwire). They are so note-worthy that Syngress has a book out just for them: Host Integrity Monitoring Using Osiris and Samhain. AIDE is another tool I've heard good things about, but have not tried. Osiris can run on Windows as can Samhain when coupled with Cygwin.


update: an AIDE article - File Alteration Monitor (FAM) for nix - diff commands for Windows scripting
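What the integrity checkers above actually do, reduced to plain sh, as an added example (not code from Tripwire, Samhain, Osiris or AIDE, and not from the round-up linked above): hash every regular file under a directory into a baseline while the system is known good, then recompute later and classify each path as added, removed or modified. It assumes coreutils (find, sha256sum, sort, join, awk) and paths without whitespace; the directory layout in the demo is constructed.

```sh
# Added example, not code from Tripwire, Samhain, Osiris or AIDE: the core of
# a host integrity checker in plain sh. Assumes coreutils (find, sha256sum,
# sort, join, awk) and that monitored paths contain no whitespace.

# baseline DIR OUT  -> one "HASH  ./relative/path" line per regular file
baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# check DIR BASELINE -> prints "added|removed|modified PATH" per change and
# returns 0 only when nothing changed. Keep the baseline (and this script)
# where the monitored host cannot rewrite them: read-only media or another
# box. Otherwise an intruder simply re-baselines after planting files.
check() {
    cur=$(mktemp); old=$(mktemp); new=$(mktemp)
    baseline "$1" "$cur"
    # join needs both inputs sorted on the join field (the path, field 2)
    LC_ALL=C sort -k2 "$2"   > "$old"
    LC_ALL=C sort -k2 "$cur" > "$new"
    # -a1 -a2 keep paths present on only one side; -e fills the absent hash.
    # Output is "PATH OLDHASH NEWHASH", which awk classifies.
    LC_ALL=C join -1 2 -2 2 -a1 -a2 -e MISSING -o 0,1.1,2.1 "$old" "$new" |
        awk '$2 == "MISSING" { print "added "    $1; c = 1; next }
             $3 == "MISSING" { print "removed "  $1; c = 1; next }
             $2 != $3        { print "modified " $1; c = 1 }
             END             { exit c }'
    rc=$?
    rm -f "$cur" "$old" "$new"
    return $rc
}

# demo: constructed tree, one of each change. Real use: baseline /etc,
# /bin, /sbin, /lib and the like right after install, check from cron.
demo() {
    w=$(mktemp -d); mkdir -p "$w/root/etc"
    printf 'root:x:0:0\n'        > "$w/root/etc/passwd"
    printf 'PermitRootLogin no\n' > "$w/root/etc/sshd_config"
    baseline "$w/root" "$w/base.txt"
    printf 'PermitRootLogin yes\n' > "$w/root/etc/sshd_config"
    printf '/tmp/evil.so\n'        > "$w/root/etc/ld.so.preload"
    rm "$w/root/etc/passwd"
    check "$w/root" "$w/base.txt" || echo "integrity check FAILED (status $?)"
    rm -rf "$w"
}
```

The hash list is the whole trick; the hard part, as the Syngress book and the linked round-up make clear, is keeping the baseline out of reach of whoever you are checking for, and deciding which paths are expected to change.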

incident response tools

Just like a security or hacking event, incident response is something that *will* happen someday. This is just a pointer for me to a quick rundown of some kickass IR tools that I should become familiar with at some point.


inctrl5

Inctrl5 is an older tool developed by persons at or for PC Magazine to review software. A lot of people like me are curious about binaries they receive and how to see if they can be trusted (or to reverse engineer protections, limitations, etc) by using tools like Filemon and Regmon to see what changes the program is making. This can be time-consuming and error-prone as these tools capture a lot of stuff. Inctrl5 gets around most of the issues by taking snapshots of the registry and file system before and after an executable is run. This gives you a delta of your system and the ability to see what really changed and where. Pretty darn cool for a magazine tool!


installwatch and installrite

I'm not sure if I'll ever get a chance to drive these tools around, but InstallWatch will watch and report everything that a particular file does when installing. InstallRite is InstallWatch plus the ability to clone applications to distribute them, as an alternative to disk imaging. Not sure what that all entails, but might be useful.


networking monitoring with intellimonitor

Intellimonitor is an agentless network monitoring solution. This is a commercial app, but might just be worth the trial and purchase in a corporate environment.


leak prevention test tool

I have not tested it yet, but this open source Leak Prevention Test tool supposedly tests for information leaks on a system. Not even sure how it does that, but wanted to record this link down.


tips to securing linux-based ssh

I've done a lot on here about Windows SSH, but not a whole lot with a purely Linux SSH build. Here are some tips to securing SSH on Linux.


lsof

lsof (list open files) is a wonderful little tool for *nix systems.


mosquito framework

Mosquito looks like another exploit framework.


nbaudit - netbios (share) enumeration

The nbaudit tool is a security tool used to scan computers using NetBIOS, i.e. sharing files on the network. The tool will attempt to enumerate properties of those shares on the network. Usually associated with enumerating open shares on an NT network. The tool itself is a *nix/*BSD tool.


nessj - nessus client

Nessj looks like an awesome little Nessus client. This could be highly useful for cronies and managers who only want to run Windows and still utilize Nessus reports. I've known far too many of these types of people...


netbios auditing tool

Have not tested it, but the NetBIOS Auditing tool sounds interesting.


offline nt password and registry editor boot disk

The Offline NT Password and Registry Editor is an awesome little tool for resetting NT passwords: boot it from a floppy or CD and it edits the SAM and registry hives directly, all without needing to boot into full-blown Windows.


From a security standpoint, this makes me nervous as all heck. I need to make a point to enable BIOS Setup password protection and to disable boot-from-cd and boot-from-floppy on all my systems someday. I will just play with this idea for now, just in case there is some reason to keep those settings. I don't want to make such a work-intensive reactionary decision without fully contemplating the consequences of it. I will note though, that I can make all the passwords the same because, honestly, how often do you see the BIOS Setup password exploited, cracked, or in the clear? You don't... :-)


.: omnipeek personal network analyzer
I had no idea WildPackets' OmniPeek Personal was a free tool until I saw it mentioned on a mailing list. The current version is 4.0 and it looks like a fully featured network analyzer suite. No registration or email is required to download the free version. Hopefully I can try this out and find it to not have any realistic limitations compared to their full-priced professional version.


.: openvpn
We use OpenVPN at work, so I thought this article on OpenVPN might be helpful and somewhat useful, since I am not the brightest on setting up something like OpenVPN.


.: paros 3.2.13
Paros 3.2.13 has been released. This is a really good scanner which works on Windows or *nix.


.: pasco2
Pasco2 is an enhanced version of the original Pasco tool, which analyzes IE history and cache files, a particularly nice tool for any forensics work.


.: windows permissions identifier
Like the description says, the Windows Permissions Identifier is a nice tool to audit permissions quickly on a server, especially for a penetration test or security audit. However, this is free and as such is not a fully robust management and reporting tool like you might get from ScriptLogic or Quest or BitVise, I believe.


.: pfprintd
pfprintd is another passive probing tool. This tool sniffs the wire and determines the OS based on the packets gathered. It is limited: it only analyzes some packets and determines some OSes.


.: port look-up page
This page allows you to look up port numbers and return back the services on those ports. Arguably more useful than a flatfile list.


.: proactive security auditor aka l0phtcrack
Proactive Security Auditor is a password auditor for Windows, basically an alternative if one cannot find a cracked L0phtcrack 5 (widely available, such as at Insecure.org). It attempts to crack passwords, and if a password is cracked too quickly, it is deemed insecure. An interesting baselining tool, perhaps.


.: promqryui.exe
A promiscuous mode querying tool to find Windows computers with their NICs in promiscuous mode. I don't think I or anyone would have guessed this tool actually comes from Microsoft! And amazingly, I had yet to try it out or test it! PromqryUI.exe sounds pretty fun.


.: putty - step-by-step
This is a quick little step-by-step tutorial on using PuTTY, an SSH client with port forwarding.


.: pwdump6 and fgdump updated
A few tools have been updated: pwdump6 (love that page!) and fgdump.


.: keyloggers - sc-keylog and homekeylogger
HomeKeyLogger is a nice keylogger for an always-on, one-user computer, as you can hide it quite nicely and it always runs. FamilyKeyLogger is a commercial product useful for a computer that needs to be booted or has multiple users. The price is amazingly low too, so it is mostly worth it.

However, to step up to the bigs, there is SoftCentral's SC-KeyLog 2.4 app. This tool can obfuscate almost every part of a keylogger other than actually creating it as a service. It can also be packaged into an executable file to be deployed remotely and then email back the log file at specified times. The log file is encrypted and you can't do much about it without the password. A very nice and well-featured tool that can be a part of a penetration toolbox...all one needs is to copy it over and execute with privileges, much like netcat.

Now, if I could only find a free, safe keylogger that installs as a customizably-named service...


.: reverse dns lookup site
This site will perform a reverse DNS lookup for you, i.e. resolving an IP into a domain name. This might not be very useful, since even Windows includes nslookup, which performs both forward and reverse DNS lookups, but it might come in handy someday in a locked-down environment or on an OS without an easily found nslookup tool.


.: rootkit detection tools
Two tools for detecting rootkits, one free and another not as free:

Rootkit Revealer from Sysinternals
Blacklight from F-Secure
Helios (in-action videos too)


.: rootkit hunter project
This is a quick blurb for rootkit hunter, which basically runs a number of digital integrity checks to verify that a system has not been the victim of a rootkit infection. Pretty nice tool in theory, although I have yet to try it out.


.: rt on windows
RT is an excellent open source (free) tool for any IT shop to track resources and requests. Even better for those not comfortable relying on a Linux solution: it can be installed on Windows.


.: sam spade on the web
Basically a pointer to SamSpade.org, a site that hosts hardcore online DNS querying tools.


.: browser isolation: sandboxie
Application, browser, and even OS virtualization and isolation are becoming the big trends this year. In this vein, Sandboxie is an app that will sit between the OS and Internet Explorer and isolate software from messing with the OS. While this is an interesting concept, I have no clue if this will still work in IE7, and I'll stick with Firefox anyway.


.: sentinix
Sentinix is a Linux distro that packages all sorts of security-related tools into one package, making for an easy install. I think this may just rock. I need to try it out at work on a spare machine that I want to do basically this same thing with anyway.


.: windows server service buffer overrun scanner
In the past week, Microsoft released a bunch of new patches, one of which patches a critical vulnerability (buffer overrun) in the Server service.

Not a day later, an exploit was unleashed, and the vulnerability itself is wormable. eEye released a scanner to scan small ranges of IPs for vulnerable servers. Nice scanner, and I hope Metasploit incorporates this exploit very soon.


.: snort 2.2.0 released
Snort 2.2.0 has been released.

Also, here is a Sguil installation guide. Sguil is a GUI interface for Snort to provide alerts and other functionality.


.: spamassassin
SpamAssassin actually can work on a win32 platform and with any email client that I use, which means I don't have much excuse for not trying this out at some point on my home network.

.: speeding up a nessus scan
Nessus can take a while to scan a range of hosts, especially if that range involves a lot of down or unused IPs. This link goes into some detail on how to perform an nmap scan to populate what Nessus will scan, and since nmap does this scan much faster, the overall scan from Nessus takes far less time.
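An added example of the nmap-then-Nessus idea described above (not code from the linked article): it reads nmap's grepable (-oG) output, keeps only the hosts nmap reported up or with an open port, and emits the one-address-per-line target list Nessus accepts. The sample output and the nmap invocation in the comments are constructed.

```python
"""Turn nmap grepable output into a live-host target list for Nessus.

Added example (not from the linked article): let nmap's fast host discovery
decide which addresses Nessus spends its time on.
"""
import ipaddress
import re
import sys

# -oG emits one "Host:" line per host, e.g.
#   Host: 192.168.1.5 (printer.example)<TAB>Status: Up
#   Host: 192.168.1.9 ()<TAB>Ports: 22/open/tcp//ssh///, 80/closed/tcp//http///
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")


def live_hosts(grepable_text):
    """Return the ordered, de-duplicated IPs nmap reported up or with an open port."""
    hosts = []
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue                        # "# Nmap ..." comment lines and anything else
        ip, _name, rest = m.groups()
        try:
            ipaddress.ip_address(ip)        # keep only real addresses
        except ValueError:
            continue
        is_up = "Status: Up" in rest
        has_open_port = rest.startswith("Ports:") and "/open/" in rest
        if (is_up or has_open_port) and ip not in hosts:
            hosts.append(ip)
    return hosts


def nessus_target_list(grepable_text):
    """One address per line, the form Nessus accepts in its target field or a target file."""
    return "".join(host + "\n" for host in live_hosts(grepable_text))


# Constructed sample of `nmap -sn -oG - 192.168.1.0/28` output (not real scan data).
SAMPLE_GREPABLE = """\
# Nmap 7.93 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -oG - 192.168.1.0/28
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.5 (printer.example)\tStatus: Up
Host: 192.168.1.7 ()\tStatus: Down
Host: 192.168.1.9 ()\tStatus: Up
Host: 192.168.1.9 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///
# Nmap done at Mon Jan  1 12:00:02 2024 -- 16 IP addresses (3 hosts up) scanned in 1.23 seconds
"""

if __name__ == "__main__":
    # Usage: nmap -sn -oG - 192.168.1.0/24 | python3 this_script.py > targets.txt
    # (older nmap releases spell the ping-only scan -sP instead of -sn)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GREPABLE
    sys.stdout.write(nessus_target_list(text))
```

One caveat a practitioner should keep in mind: a ping sweep only finds hosts that answer the probes nmap sends, so a host that drops ICMP and the default probe ports is left out of the Nessus run entirely. On a network where that is likely, run discovery with additional probe types (or a port scan) before trimming the target list.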


.: ssh server on windows 2003
Appears to be a paper on installing an SSH server on Windows 2003. There are other tools that don't require Cygwin, but I think this will be a good exercise to go through. I've long wanted my own SSH server here at home for...various reasons.


.: protected storage passview tool
Protected Storage PassView allows one to see a number of passwords in Windows: Outlook passwords, AutoComplete passwords in IE, password-protected sites in IE, and MSN Explorer passwords. Pretty nice for one of those "other" password revealing tools.


.: tcpreplay
Tcpreplay is one of those tools I've heard referenced a hell of a lot of times, but still have yet to really utilize it. I need to someday, hence this pointer.

.: tcp tunnel
This TCP Tunnel tool forces traffic from an application to a specified proxy server. Looks like just someone's little self-made tool, but worth checking out at some point.


.: the hacker's choice - hydra, amap tools, more
The Hacker's Choice, aka THC, is a top source for original security tools such as Hydra and Amap and many more. Nice site to browse and try a few things out from. They also have plenty of nice papers too.


.: firewall probing with ttlscan
This little tool called ttlscan sends a series of TCP SYN packets to ports on a particular server and then returns a report on the replies. By reading the TTL field of the reply packets, one can tell if the device is forwarding the packet to another server (the TTL will be one less because it hit one extra server). There is also limited OS fingerprinting available with it.
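The TTL arithmetic behind ttlscan, as an added example (not ttlscan's own code): given reply TTLs already captured for several ports, say from a packet capture, it infers the likely initial TTL and hop count for each port and flags ports whose replies come from a different distance or a different OS, which is what a forwarding firewall or an intercepting proxy produces. It sends nothing. The default-TTL table and the sample values are this example's assumptions.

```python
"""Infer hop distance from reply TTLs and flag ports answered from a different place.

Added example illustrating the TTL reasoning behind ttlscan; it works on TTL
values you have already captured and sends no packets.
"""
from collections import Counter

# Common initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows), 255 (Cisco IOS, Solaris).
# Assumption: the answering stack uses one of these; a tuned TTL breaks the guess.
INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Smallest common default TTL that is >= the observed value."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    return min(t for t in INITIAL_TTLS if t >= observed_ttl)


def hop_distance(observed_ttl):
    """Hops the reply traversed, assuming the guessed initial TTL."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def analyze_reply_ttls(port_ttls):
    """port_ttls: {port: TTL seen in the SYN/ACK or RST reply}.

    Returns (baseline, {port: (initial_ttl, hops, flagged)}). The baseline is
    the most common (initial_ttl, hops) pair across ports; a port whose pair
    differs was answered from a different distance or by a different OS, as
    when a firewall or proxy answers on the target's behalf or forwards that
    port to another box (one extra hop, the case ttlscan looks for).
    """
    profile = {p: (guess_initial_ttl(t), hop_distance(t)) for p, t in port_ttls.items()}
    baseline = Counter(profile.values()).most_common(1)[0][0]
    return baseline, {
        p: (init, hops, (init, hops) != baseline) for p, (init, hops) in profile.items()
    }


# Constructed sample: reply TTLs from four ports on one target address (not real data).
# 443 answers one hop further away (forwarded), 25 answers from a Windows-style TTL.
SAMPLE_REPLIES = {22: 58, 80: 58, 443: 57, 25: 122}

if __name__ == "__main__":
    baseline, per_port = analyze_reply_ttls(SAMPLE_REPLIES)
    print(f"baseline: initial TTL {baseline[0]}, {baseline[1]} hops")
    for port, (init, hops, flagged) in sorted(per_port.items()):
        note = "  <-- different path or host" if flagged else ""
        print(f"port {port}: initial {init}, {hops} hops{note}")
```

The guess is only as good as the default-TTL assumption: a host with a non-standard initial TTL, or a path that changes between probes, shifts every inferred hop count, so treat a single-hop difference as a lead to confirm with a traceroute rather than proof of forwarding.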


.: txdns digger for windows
Windows gets a tool here, in infant form, for DNS digging. DNS digging is always good to automate, and this looks like it does a nice job of it.


.: vmware appliance contest winners
VMware recently held a competition to create awesome virtual appliances. Some of the entries look like solid, useful things, especially the winner, which looks like a network packet capture analyzer appliance which I'd love to run. Familiarizing myself with VMware Player and the ability to slap in an appliance like this could be highly useful.


.: wapiti
Wapiti is an OS-independent web app vulnerability assessor and fuzzer tool written in Python. Whew! I swear, the names of these tools have gone from the vulgar and dark voodoo magic arts (BackOrifice, AOHell...) into the just plain odd. Anyway, looks like a tool worth checking out for doing some web app fuzzing. Definitely does not replace Nikto or something, but can definitely take web app scanning to a new, deep level.


.: wget for windows
How can one complain about a wget for Windows app?


.: wholockme?
WhoLockMe is a Windows tool to determine what process is locking a file.


.: winalysis
Winalysis is a tool that just might make life much simpler for the desktop support team, at least in tracking things on our network....and maybe on a few of the more accessible servers in our network. According to the marketing, Winalysis can gather event log files from multiple machines and archive them centrally, can generate alerts based on events, and can analyze changes and security vulnerabilities. One thing I am looking for is a way to verify the integrity of system files, basically to ensure the files have not been tampered with, but also a tool that can gather event logs for 100 or so machines, basically put them all together, and flag or send alerts on just a few specific issues such as new user creations, multiple logon failures, admin account logons, etc.

And the tool is amazingly cheap too! And a fully functional trial version! And no client installs! I might just have to try this out and see how it might fit into our whole network management scheme.
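The kind of event-log flagging described above, as an added example (not Winalysis's code): it scans a constructed export of collected Windows security events and raises alerts for the three cases named, new user creation, a burst of logon failures and admin account logons. The export format, the thresholds and the admin account list are this example's assumptions; the event IDs are the standard Windows ones, with the NT/2000/XP number and its Vista-and-later equivalent side by side.

```python
"""Flag a few high-value events in a batch of collected Windows security log entries.

Added example (not Winalysis's own logic). Input is a constructed, pipe-delimited
export of the form host|timestamp|event_id|account, one event per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

NEW_USER_IDS = {624, 4720}           # user account created
LOGON_FAIL_IDS = {529, 4625}         # logon failure (bad user name or password)
LOGON_OK_IDS = {528, 540, 4624}      # successful interactive / network logon
ADMIN_ACCOUNTS = {"administrator"}   # assumption: extend with your own admin accounts
FAIL_THRESHOLD = 5                   # this many failures for one account on one host
FAIL_WINDOW = timedelta(minutes=10)  # within this window raise one alert


def parse_event(line):
    host, ts, event_id, account = line.strip().split("|")
    return {
        "host": host,
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": int(event_id),
        "account": account,
    }


def detect(lines):
    """Return [(rule, host, account, time)] in time order."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    alerts = []
    recent_fails = defaultdict(deque)   # (host, account) -> timestamps of recent failures
    for e in events:
        if e["id"] in NEW_USER_IDS:
            alerts.append(("new_user_created", e["host"], e["account"], e["time"]))
        elif e["id"] in LOGON_FAIL_IDS:
            q = recent_fails[(e["host"], e["account"].lower())]
            q.append(e["time"])
            while q and e["time"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("repeated_logon_failure", e["host"], e["account"], e["time"]))
                q.clear()   # alert once per burst rather than on every further failure
        elif e["id"] in LOGON_OK_IDS and e["account"].lower() in ADMIN_ACCOUNTS:
            alerts.append(("admin_logon", e["host"], e["account"], e["time"]))
    return alerts


# Constructed sample export (not real log data).
SAMPLE_LOG = """\
ws01|2006-08-14 09:00:01|528|jsmith
ws01|2006-08-14 09:05:10|624|tmpadmin
srv02|2006-08-14 09:10:00|529|jsmith
srv02|2006-08-14 09:10:05|529|jsmith
srv02|2006-08-14 09:10:09|529|jsmith
srv02|2006-08-14 09:10:14|529|jsmith
srv02|2006-08-14 09:10:20|529|jsmith
srv02|2006-08-14 09:31:00|529|jsmith
srv02|2006-08-14 09:32:00|540|Administrator
ws07|2006-08-14 09:40:00|529|bjones
"""

if __name__ == "__main__":
    for rule, host, account, when in detect(SAMPLE_LOG.splitlines()):
        print(f"{when:%H:%M:%S} {host:6} {rule:24} {account}")
```

Sorting by time before evaluating the window matters when logs from 100 machines are merged, since the collection order is rarely the event order; and clearing the queue after an alert keeps one brute-force burst from paging you five hundred times.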


.: windows bootable cd
Linux CDs are nothing new to me, and they're great little tools. I found a few links to a site describing how to create a Windows bootable cd. This would be amazingly useful, and basically totally one-ups the Windows 98 boot cd that I keep in my possession. Of interest, the person who hosts this page is also the one I have bookmarked for anytime I need to create a network-enabled boot disk for Windows when I do imaging.


.: winpooch
Winpooch is one of those tools for Windows that you never really expect to see. Tools like this tend to be *nix only. Winpooch feels a lot like a mix between a heuristic antivirus app, Tripwire, and a host-based firewall. It monitors and can take action based on what programs do against the OS, file system, and network. If a program wants to access the Internet, Winpooch watches it and can block it. If the program wants to write a registry key or drop a file on your computer somewhere, Winpooch can log or block it as well. For those people curious about things like this, or just plain paranoid, this seems like a nice, lightweight tool for monitoring one's system. Best of all, it is open source and fully free (although I truly expect this to be bought up in the future). Has extended integration into ClamWin antivirus too, which I use!

.: wireless probe detection and mac spoofing detection
PolarCove has a number of nice papers on their site, but of particular interest is a paper on wireless LAN discovery tools and wireless MAC spoofing detection. Both papers include exact Ethereal/Wireshark filters to use.
.: myths about security and passwords
This post is an interesting viewpoint on myths about security and passwords. Most "out-there" is the opinion that changing passwords regularly is now dead and does not enhance security at all.
.: how to bypass bios passwords
I've long kind of had an idea that makers would put backdoor passwords into BIOS implementations, but never really looked into it. Then I happened upon this posting one day which lists a lot of backdoor passwords for various BIOS platforms and versions. Pay particular attention to the mention that some BIOS lock themselves after a few incorrect attempts, so be cautious. I've not tested any of these, but it would be very fun to play with.
.: managing the prefetcher
Not many people realize there is a component to Windows XP called the Prefetcher. Even fewer desktop/system support people realize the significance of it. This prefetcher for Windows keeps a cache of a lot of programs downloaded by Windows, and acts independently of IE. So if you clear your cache in IE, your downloaded files might still be found in the prefetcher. Most people are tipped off to this location only after a piece of malware has been downloaded (automatically or by accident) and a copy was saved in the prefetch area of Windows, generating an AV alert pointing to this location. This short link is a start to managing the prefetcher cache.
.: create own services in windows
Creating services in Windows is one of those frustratingly annoying things that many people would love to do, but is typically difficult to find information on how to do it. In fact, you can't really do it unless you're a programmer or you have some extra tools from Microsoft. I guess this prevents every John Doe Idiot from completely screwing up their computers with crappy service lists. I am happy to have found this quick post on how to create your own services.
.: rrdtool to monitor wireless link
This is an awesome article on how to use RRDTool to monitor a wireless network.
.: external attacks - overview
This is a monster article on external attacks, largely from the point of view of Linux since this was in a Linux magazine. Many books cover this entire spectrum in hundreds of pages, but this article condenses it down nicely, albeit really packed with info.
.: malware analysis: attacking the attackers
Malware is an amazing little hobby to have, and these two papers cover malware analysis brilliantly.

part one
part two
.: roguescanner
RogueScanner is a rogue wireless access point detection tool. Pretty cool...and it's free! Also peek at the other free tools available here, Packtyzer (Ethereal front-end, as if there needs to be another one...) and BlueScanner which scans for BlueTooth devices. To be honest, both of the scanner tools are pretty nice for being free tools!
.: cracking wep on windows
Wow, just wow! This is one of the hottest and best links I've seen in a long time. I HAVE to try this out. I've worked on cracking WEP before on my neighbors, but I always had to resort to using a livecd Linux install (since I don't have a permanent Linux box around). Cracking WEP with Windows XP is a huge, detailed, complete article which I am tempted to actually copy/print just to make sure I always have it.

This was found whilst checking out a site I'd not seen before: wardriving.com.
.: netbios null sessions
NetBIOS Null Sessions are elementary and a first stop for anyone performing system recon. They should always be turned off, and this link is a nice reminder of the issues, the dangers, and the fixes.
.: insertion, evasion, and denial of service
The paper, Insertion, Evasion, and Denial of Service: Eluding Intrusion Detection, is the definitive guide to beating IDS and has been the foundation of IDS attacks ever since. I must read this sometime, for historical reasons and more.
.: dns cache snooping
Having just watched Dan Kaminsky's Black Ops of TCP/IP 2005 presentation that he gave at the 22nd Chaos Communications Congress, I have a couple links on dns snooping, which he (in typical Kaminsky fashion) utilized in creative fashions. First, a paper on dns cache snooping. And second, a site on how dns snooping actually works.
.: logparser site and book
I should get the Log Parser book sometime, as it goes over things on this site about the Microsoft Log Parser tool. This should be useful for performing ad hoc and maybe some scripted queries against single logs or groups of logs.
.: defeating a dos attack
SANS has a bit on defeating a DoS attack. They also have a webcast I'd like to check out on the same topic.
.: checkmate forensics blog and links
There is a fairly new blog out called Checkmate that deals with forensics and other things security. Here are some choice pieces to check out so I can catch up:

rainbow tables
timestomp
xp's built-in spyware
userassist
apache and squid logs