Good Bad Attitude
jvoss@altsci.com
jvoss@myuw.net
May 26 - June 2, 2006
This program grabs a list of good processes from /proc, then it monitors /proc and kills any new process. It is meant to be used in extremely hostile environments. It is a general use tool, but it can and should be modified as necessary. Obviously it should be modified to allow the user to re-login in case s/he loses shell.
Its original use is for Defcon 14 ACTF. If a vulnerable server gives non-root access (quite likely), attackers that re-attack the server will be able to kill the original attacker. This means that the original attacker should put up defenses quickly to ensure that attackers are ejected. One way is to fix the vulnerability in the server. If this is not possible, this script is a simple solution.
by Javantea aka. Joel R. Voss
Sept 8, 2006
Botnets
Spam Server Analysis
Spam Server Passive/Active Analysis 0.4
[sig]
50 MB of Test Spam
[sig]

At the above Neg9 Seattle meeting (Sept 8, 2006), a group of four Neg9 security researchers gathered to discuss botnets and various other ideas. I, Javantea, led the discussion of botnets, but as expected, the three other participants were far more knowledgeable than I on the topic of botnets. Quite a lot of research, development, and interest is going into botnets currently. This is a very positive note because everyone benefits from better knowledge and control of botnets.
It begs to be said that nothing illegal was done at the Neg9 meeting. Nothing unethical was done at the Neg9 meeting. Polite portscans are legitimate techniques of security researchers and criminals alike. I limited the output of my box to a maximum of 6 packets per second at maximum and 2 packets per second at nominal. Connecting to any machine on the internet is legitimate because open ports are public information. Anyone who disagrees is a complete idiot and should go straight to /dev/null.
Ident Protocol Scan
jvoss@altsci.com
jvoss@myuw.net
Oct 28, 2005
This program connects to an identd server and asks for the information. This is an unintended consequence of the design of the server.
Identd is an interesting program. It searches /proc/net/tcp for a matching entry. The input is easy enough for a human to input into telnet if they have the localport and the remoteport. We get the localport from getsockname() and the remote port is the port that we are connected to. This will give us the user that is running the command.
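The lookup described above, seen from the server side, as an added example that is not the Ident Protocol Scan source: it parses /proc/net/tcp rows, matches the port pair from a query, and builds the RFC 1413 reply. The sample table, the uid-to-name mapping and the function names are constructed for illustration, and unlike a real identd it does not check the querying client's address.

```python
# Added example: how an ident (RFC 1413) server can answer from /proc/net/tcp.
# SAMPLE_PROC_NET_TCP is constructed data, not output from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 0100007F:9C40 01 00000000:00000000 00:00000000 00000000    33        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:9C40 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""

TCP_ESTABLISHED = 0x01  # value of the "st" column for an established connection


def parse_proc_net_tcp(text):
    """Yield (local_port, remote_port, state, uid) for each socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        # Addresses are "HEXIP:HEXPORT"; only the port is needed here.
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        remote_port = int(fields[2].rsplit(":", 1)[1], 16)
        yield local_port, remote_port, int(fields[3], 16), int(fields[7])


def ident_reply(query, proc_text, uid_names):
    """Answer one 'server-port, client-port' query as an ident server would."""
    try:
        server_port, client_port = (int(p) for p in query.split(","))
    except ValueError:                          # not two integers
        return "0, 0 : ERROR : INVALID-PORT"
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{server_port}, {client_port} : ERROR : INVALID-PORT"
    for lport, rport, state, uid in parse_proc_net_tcp(proc_text):
        if state == TCP_ESTABLISHED and (lport, rport) == (server_port, client_port):
            name = uid_names.get(uid, str(uid))  # fall back to the numeric uid
            return f"{server_port}, {client_port} : USERID : UNIX : {name}"
    return f"{server_port}, {client_port} : ERROR : NO-USER"


if __name__ == "__main__":
    # Constructed mapping; a real server would resolve the uid via the passwd database.
    print(ident_reply("80, 40000", SAMPLE_PROC_NET_TCP, {33: "www-data"}))
```

The reply names the account that owns the socket on the queried host, which for an inbound connection is the account the listening daemon runs as. Filtering port 113 or not running identd removes that disclosure.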
MD5 Collision Parser
jvoss@altsci.com
jvoss@myuw.net
Nov 17, 2005
MD5 Collision Parser 0.1 Source
[sig]
MD5 Collision Data Example
[sig]
MD5 Collision Generation Homepage
This program parses the output of an MD5 Collision Generation program. It creates two binaries with the same md5sum. Hopefully this will allow people to put MD5 into a deep grave with a dozen nails in the coffin.
I went for quick and dirty. This Python program is not secure. In fact, a person should not use this until after looking at both the source and the data. The program uses an eval() call on the data.