Matt's Web World presents...
Established November 1, 1995.
Last updated on May 1, 2018.
Welcome to my Unix security page! This page is not a complete listing of Unix security information and tools. What is hosted here is what I personally find useful and/or interesting. Hyperlinks to other sites are provided at the bottom of this page for those seeking something not listed here.
This page started out as a place to store Unix-related research papers I downloaded from FTP sites, back when I was really happy to be reading Usenet newsgroups at 9600bps. It's been almost 15 years since and the content here has grown a bit beyond Unix, to include Windows-based tools (I know, I know...), live CD distros, and another favorite topic of mine, lockpicking.
I have not done a great deal in the last decade other than link maintenance. But the page remains popular and I think it presents much of the core Unix lore and security knowledge. All of the links are current now, and the content is a bit more modern in its focus. There is so much more out there in the world since I started this in '95, but here lies an early signpost, and you would do well to master its content.
For those who might think it unwise to publicly disclose security holes and the techniques used to pass through them, I urge you to read Charles Tomlinson's Rudimentary Treatise on the Construction of Locks.
Everything here is provided for informational purposes only. The presence of any link on this page is not an endorsement of its content. And I certainly do not endorse unauthorized access to other people's computers! Property rights exist and should be respected. Think white hat.
If you wish to comment on this page please use the contact form to send me a message. If you are interested in advertising on this page please contact me to discuss terms.
Click any of the blue section separators to return to this table of contents.
Icons 
indicate a link which will take you away from this site. (In the same window! Shift-click on links if you want them in a new window.)
May 1, 2018
- External links have been validated and freshened.
- One new external site with crypto and network security info from ShoreTel.
The file archive uses various extensions, sometimes with multiple extensions in series. The extensions are summarized in the following table and links to the utility software needed to read these formats are provided.
| .c |
'C' language source file. Use gcc to compile to machine code. |
| .gz |
Gzip compressed file. Use gzip or IZArc to decompress these files. |
| .pdf |
Adobe Acrobat file. Use Acrobat Reader to view and print these files. |
| .ps |
Adobe Postscript file. Use Ghostview to view and print these files. Ghostscript also does Postscript-to-ASCII conversions. |
| .tar |
Unix Tape Archive file. Use your Unix's native tar command or on Windows try IZArc to handle these files. |
| .txt |
ASCII Text file. Use standard text editor or browser. |
| .zip |
PKZip compressed file archive. Use Info-Zip or IZArc to handle these files. |
Sorted alphabetically by author name.
The papers here were orignally in Adobe Postscript ( .ps) format. I have converted them all to Adobe Acrobat ( .pdf), since this is the successor format from Adobe, and has many advantages to Postscript. The Postscript .ps files are all gzip'd and therefore end in .ps.gz The .pdf PDF files are almost as small as their gzip'd counterparts and therefore have not been compressed; just click and read (or print).
- Unix Computer Security Checklist
AUSCERT, Australian Computer Emergency Response Team; 1995; ASCII Text; 89k
-
A comprehensive checklist for securing your Unix box.
- Packets Found on an Internet
Bellovin, Steven M.; 1993; Acrobat format; also available in Postscript format
-
A very interesting paper describing the various attacks, probes, and miscellaneous packets floating past AT&T Bell Labs' net connection.
- Security Problems in the TCP/IP Protocol Suite
Bellovin, Steven M.; 1989; Acrobat format; also available in Postscript format
-
A broad overview of problems within TCP/IP itself, as well as many common application layer protocols which rely on TCP/IP.
- There Be Dragons
Bellovin, Steven M.; 1992; Acrobat format; also available in Postscript format
-
Another Bellovin paper discussing the various attacks made on att.research.com. This paper is also the source for this page's title.
- An Advanced 4.3BSD IPC Tutorial
Berkeley CSRG; date unknown; Acrobat format; also available in Postscript format
-
This paper describes the IPC facilities new to 4.3BSD. It was written by the CSRG as a supplement to the manpages.
- NFS Tracing by Passive Network Monitoring
Blaze, Matt; 1992; ASCII Text
-
Blaze, now famous for cracking the Clipper chip while at Bell Labs, wrote this paper while he was a PhD candidate at Princeton.
- Generic Unix Security Information
CERT Advisory Team, 1993, ASCII Text
-
A good general commentary on Unix security, with specific places to look for suspicious files if you believe your machine's security may be compromised. It's a bit dated, so don't pay attention to the version numbers (Sendmail 8.6.4 is definitely not current anymore!)
- IP Spoofing
CERT Advisory Team, 1995, ASCII Text
-
Not too exciting, but useful for the uninitiated.
- Securing Anon FTP Servers
CERT Advisory Team, 1995, ASCII Text
-
This CERT advisory details the access permissions and server configuration which should be followed to prevent anonymous FTP security breaches.
- Network (In)Security Through IP Packet Filtering
Chapman, D. Brent; 1992; Acrobat format; also available in Postscript format
-
Why packet filtering is a difficult to use and not always secure method of securing a network.
- An Evening with Berferd
Cheswick, Bill; 1991; Acrobat format; also available in Postscript format
-
A cracker from the Netherlands is "lured, endured, and studied."
- Design of a Secure Internet Gateway
Cheswick, Bill; 1990; Acrobat format; also available in Postscript format
-
Details the history and design of AT&T's Internet gateway.
- Improving the Security of your Unix System
Curry, David, SRI International; 1990; Acrobat format; also available in Postscript format
-
This is the somewhat well known SRI Report on Unix Security. It's a good solid starting place for securing a Unix box.
- With Microscope & Tweezers
Eichin & Rochlis; 1989; Acrobat format; also available in Postscript format
-
An analysis of the Morris Internet Worm of 1988 from MIT's perspective.
- The COPS Security Checker System
Farmer & Spafford; 1994; Acrobat format; also available in Postscript format
-
The original Usenix paper from 1990 republished by CERT in 1994.
- COPS and Robbers
Farmer, Dan; 1991; ASCII Text
-
This paper discusses a bit of general security and then goes into detail regarding Unix system misconfigurations, specifically ones that COPS checks for.
- Improving The Security of Your System by Breaking Into It
Farmer & Venema; 1993; HTML
-
An excellent text by Dan Farmer and Wietse Venema. If you haven't read this before, here's your opportunity.
- A Unix Network Protocol Security Study: NIS
Hess, Safford, & Pooch; date unknown; Acrobat format; also available in Postscript format
-
Outlines NIS and its design faults regarding security.
- A Simple Active Attack Against TCP
Joncheray, Laurent; 1995; Acrobat format; also available in Postscript format
-
This paper describes an active attack against TCP which allows re-direction (hijacking) of the TCP stream.
- Foiling the Cracker
Klein, Daniel; 1990; Acrobat format; also available in Postscript format
-
A Survey of, and Improvements to, Password Security. Basically a treatise on how to select proper passwords.
- A Weakness in the 4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985; Acrobat format; also available in Postscript format
-
This paper describes the much ballyhooed method by which one may forge packets with TCP/IP. Morris wrote this in 1985. It only took the media 10 years to make a stink about it!
- Covering Your Tracks
Phrack Vol. 4, Issue #43; Acrobat format; also available in Postscript format
-
A Phrack article describing the unix system logs and how it is possible to reduce the footprint and visibility of unauthorized access.
- Cracking Shadowed Password Files
Phrack Vol. 5, Issue #46; Acrobat format; also available in Postscript format
-
A Phrack article describing how to use the system call password function to bypass the shadow password file.
- TCP SYN Flood (Project Neptune)
Phrack Vol. 7, Issue #48; 1996; HTML
-
Includes explanation of this denial-of-service attack as well as Linux source implementation. Also of interest may be the CERT document warning that Phrack had published this vulnerability.
- Thinking About Firewalls
Ranum, Marcus; 1992; Acrobat format; also available in Postscript format
-
A general overview of firewalls, with tips on how to select one to meet your needs.
- Addressing Weaknesses in the Domain Name System Protocol
Schuba, Christoph L.; 1993; Acrobat format
-
Describes problems with the DNS and one of its implementations that allow the abuse of name based authentication.
- Public Key Certification & Secure File Transfer
Shuba & Sheth; approx. 1994; Acrobat format
-
This document describes secure file transfer between agents, providing confidentiality and integrity of transferred files, originator authentication, and non-repudiation.
- Source Routing Info
Usenet comp.security.unix; 1995; ASCII Text
-
An interesting discussion of TCP/IP source routing stuff.
- Countering Abuse of Name-based Authentication
Schuba & Spafford; approx. 1994; Acrobat format
-
Discusses conceptual design issues of naming systems, specifically DNS, and how to address the shortcomings.
- TCP Wrapper
Venema, Wietse; 1992; Acrobat format; also available in Postscript format
-
Wietse's paper describing his TCP Wrapper concept, the basis for the TCP Wrappers security and logging suite.
Sorted alphabetically by name
- arnudp.c
-
Source code demonstrates how to send a single UDP packet with the source/destination address/port set to arbitrary values.
- block.c
-
Prevents a user from logging in by monitoring utmp and closing down his tty port as soon as it appears in the system.
- esniff.c
-
Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.
- hide.c
-
Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively.
- identd.c
-
A modified identd that tests for the queue-file bug which is present in Sendmail versions earlier than 8.6.10 and possibly some versions of 5.x.
- listhosts.c
-
Requests a DNS name server to do a zone transfer and list the hosts it knows about.
- mnt
-
This program demonstrates how to exploit a security hole in the HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles which will allow access from clients which do not normally have privileges.
- NFS-Bug
-
Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX & HPUX patches included.
- NFS Shell
-
A shell which will access NFS disks. Very useful if you have located an insecure NFS server.
- RootKit
-
A suite of programs like ps, ls, & du which have been modified to prevent display of certain files & processes in order to hide an intruder. Modified Berkeley source code.
- rpc_chk.sh
-
Bourne shell script to get a list of hosts from a DNS nameserver for a given domain and return a list of hosts running rexd or ypserve.
- seq_number.c
-
Code to exploit the TCP Sequence Number Generator bug. An brief but clear explanation of the bug can be found in Steve Bellovin's sequence number comment. Note that this code won't compile as-is because it is missing a library that does some of the low-level work. This is how the source was released by Mike Neuman, the author.
- Socket Demon v1.3
-
Daemon to sit on a specified IP port and provide passworded shell access.
- Solaris Sniffer
-
A version of E-Sniff modified for Solaris 2.
- telnetd Exploit
-
This tarfile contains source code to the getpass() and openlog() library routines which /bin/login can be made to link at runtime due to a feature of telnetd's environment variable passing. Root anyone? The fix is to make sure your /bin/login is statically linked.
- ttysurf.c
-
A simple program to camp out on the /dev/tty of your choice and capture logins & passwords when users log into that tty.
- xcrowbar.c
-
Source code demonstrates how to get a pointer to an X Display Screen, allowing access to a display even after " xhost -" has disabled acess. Note that access must be present to read the pointer in the first place! (Originally posted to USENET's comp.unix.security.)
- xghostwriter-1.0b
-
xghostwriter takes a string, or message, and ensures that this string is "typed" from the keyboard, no matter what keys are actually pressed. Useful for injecting keypress commands into an X session. More info from the auther is here in his USENET post.
- xkey.c
-
Attach to any X server you have perms to and watch the user's keyboard.
- xspy-1.0c
-
xspy is mostly useful for spying on people; it was written on a challenge, to trick X into giving up passwords from the xdm login window or xterm secure-mode. More info from the auther is here in his USENET post.
- xwatchwin
-
If you have access permission to a host's X server, XWatchWin will connect via a network socket and display the window on your X server.
- YPX
-
YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS domain names, which is all that's needed to extract passwd maps from the NIS server. If you already know the domain name, ypx will extract the maps directly, without configuring a host to live in the target NIS domain. (GZip'd Bourne Shell Archive)
- ypsnarf.c
-
Exercise security holes in YP / NIS.
Sorted alphabetically by name
- COPS v1.04
-
COPS (Computer Oracle and Password System) checks for many common Unix system misconfigurations. I find this tool very valuable, as it is non-trivial to break a system which has passed a COPS check. I run it on all the systems I admin. It's getting a bit old, but it's still an excellent way to systematically check for file permission mistakes.
- Crack v4.1
-
Crack is a tool for insuring that your Unix system's users have not selected easily guessed passwords which appear in standard dictionaries. (Only a very small dictionary is included so grab the one below if you wish.)
- Crack Dictionary
-
A general 50,000 word dictionary for use with Crack.
- fping
-
Like Unix ping(1), but allows efficient pinging of a large list of hosts. V2.2.
- ICMPinfo v1.1
-
ICMPinfo is a tool for looking at the ICMP messages received on the running host.
- ISS v1.3
-
The Internet Security Scanner is used to automatically scan subnets and gather information about the hosts it finds, including the guessing of YP/NIS domainnames and the extraction of passwd maps via ypx. It also does things like check for verisons of sendmail which have known security holes.
- lsof v4.82
- List All Open Files. Displays a listing of all files open on a Unix system. Useful for nosing around as well as trying to locate stray open files when trying to unmount an NFS-served partition.
- netcat v1.1
-
Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed.
- RScan
-
An older tool for Heterogeneous Network Interrogation. Includes links to a Usenix paper as well.
- SATAN
-
Security Administrator Tool for Analyzing Networks. Dan Farmer's tool that caused a huge stir in the media back in '95 when he wrote it and released it. I believe he ended up leaving SGI over this thing. So silly. Where is SGI now? That's what I thought...
- Strobe v1.03
-
Strobe uses a bandwidth-efficient algorithm to scan TCP ports on the target machine and reveal which network server daemons are currently running. Version 1.03 is an update to 1.02.
- Tiger
-
Tiger is a security tool that can be use both as a security audit and intrusion detection system. It is similar to COPS or SATAN, but has system specific extensions for SunOS, IRIX, AIX, HPUX, Linux and a few others. The original TAMU project has been resurrected and is now being maintained as part of Savannah.
- Traceroute
-
Traceroute is an indispensable tool for troubleshooting and mapping your network.
Sorted alphabetically by name
- How to Encrypt Your Hard Drive
-
Good article covering the various options for whole disk encryption on Windows, Linux, and Mac.
- Kismet
-
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11a, 802.11b, and 802.11g traffic.
- PuTTY
-
PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.
- TrueCrypt
-
TrueCrypt creates virtual encrypted file-systems which can be stored as a file or as a whole disk partition. Works on USB sticks too. Don't lose your data if your PC is stolen -- encrypt it!
- WireShark
-
The best network sniffer & protocol analyzer out there.
Sorted alphabetically by name
- NetStumbler 0.40
-
NetStumbler is a wireless LAN tool which scans for access points and reports back with a list which includes signal strengths and protocols in use. More details are available here in the NetStumbler Readme.
- Fiddler
-
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. The application is Windows-only but it hooks very low level API's which allows it to work with any browser (IE, Firefox, Opera, etc.) and also decrypt SSL traffic without setting up the required private cert keys (as in WireShark).
- netcat NT v1.1
-
Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed.
- Password Safe
-
Password Safe allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe all you have to do is create and remember a single "Master Password" of your choice in order to unlock and access your entire user name/password list. Much safer than re-using passwords between sites!
- Sam Spade 1.14
-
Sam Spade is an integrated network query tool for Windows. Most of what it does can be had elsewhere, but it has the ability to parse email headers and determine where forgeries have been made in the headers and forwarding chain. Very useful for well forged spam, reduces analysis time a lot to have Sam take a crack at it first.
- Secunia PSI
-
This is a great tool which scans your system for old and unpatched application software which has security vulnerabilities. Does for applications what Windows Update does for the Windows OS.
- Security Essentials
-
Security Essentials is Microsoft's new real-time anti-virus and malware protection solution. It's reported to be better than most anti-virus compeitors and it's free.
- WinDirStat
-
Scans NTFS filesystems and represents them as a colored, graphical heat map based on size. Great for seeing what is taking up the most space on your system. Think of it as graphical du for Windows.
- WinSCP
-
Free SFTP, FTP and SCP client for Windows. This is a great Windows file transfer client which also supports SCP, which most ISP's are moving to now for secure file transfer.
Sorted alphabetically by name
- BackTrack
-
BackTrack is the #1 Linux LiveCD focused on penetration testing.
- BartPE
-
BartPE is a preinstalled environment builder for Windows. It uses your original Windows media to create a Live CD bootable CDROM OS image.
- GNUStep/OpenStep
-
Remember the NeXT cube running NeXTStep? Well I do, and this LiveCD brings it all back. No other reason to include it other than it's Unix, and I miss my cube.
- Helix
-
Helix is focused on incident response, forensics, and e-discovery. Free CD with option to buy support and access to the member community.
- Knoppix
-
This is not a security distro, but it's the best general Linux Live CD going, so it gets included for general usefulness.
- Knoppix-STD
- Security Tools Distribution of the Knoppix LiveCD. Zillions of things here, for all aspects of security work.
- Trinity Rescue Kit
-
Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.
-
-
These links aren't Unix related, but they are security related, and you may find them interesting. Ultimately, the integrity of your computer's electronic security rests on the integrity of its physical security. So you need to know how locks work because your whole security world is premised on them. Perhaps a section on alarm systems will be next... 
Links last verified July 13 th, 2015. All of these external links leave this site.
People
Places & Organizations
Tools & Download Sites
Zines & Publications
