<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security &#187; Tools</title>
	<atom:link href="http://www.netsecure724.com/category/tools/feed" rel="self" type="application/rss+xml" />
	<link>http://www.netsecure724.com</link>
	<description>Design Implementation and Monitoring</description>
	<lastBuildDate>Tue, 08 Dec 2009 13:15:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How Rootkits Work</title>
		<link>http://www.netsecure724.com/how-rootkits-work</link>
		<comments>http://www.netsecure724.com/how-rootkits-work#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/how-rootkits-work</guid>
		<description><![CDATA[A rootkit allows an intruder to gain access to someone’s PC whenever he wants, without being detected. It is made up of a series of files and tools, and it can be installed on a system in a number of ways.
A rootkit can replace important components of an operating system with new software [...]]]></description>
			<content:encoded><![CDATA[<p>A rootkit allows an intruder to gain access to someone’s PC whenever he wants, without being detected. It is made up of a series of files and tools, and it can be installed on a system in a number of ways.</p>
<p>A rootkit can replace important components of an operating system with new software. The new software disguises itself as the original files, matching the file size, creation date, and so on, which makes it extremely difficult to detect.<br />
A rootkit installs a backdoor daemon, or automatic program. This backdoor opens a hole in the system, allowing the rootkit creator to crawl in and take control of the PC whenever he wants.</p>
<p>Many rootkits also install keyloggers or sniffers that record all the keystrokes you make and send them to a hacker.</p>
<p>A rootkit can modify a computer’s system log, which tracks all the activity on a PC. The system log normally includes all activity, including malicious activity, so the rootkit modifies the log to hide all traces of itself.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/how-rootkits-work/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacker/Security Tools</title>
		<link>http://www.netsecure724.com/hackersecurity-tools</link>
		<comments>http://www.netsecure724.com/hackersecurity-tools#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/hackersecurity-tools</guid>
		<description><![CDATA[Here are some great tools for the security professional who wants to learn how hackers do it:
Achilles. Used to edit HTTP sessions.
Adore. Kernel-level rootkit.
Back Orifice 2000. Back-door program for Windows.
Cheops. Network mapping tool.
Covert TCP. Hides data in the TCP protocol.
CPU Hog. DoS attack.
Crack. Password cracker for UNIX [...]]]></description>
			<content:encoded><![CDATA[<p>Here are some great tools for the security professional who wants to learn how hackers do it:</p>
<p><strong>Achilles.</strong> Used to edit HTTP sessions.</p>
<p><strong>Adore.</strong> Kernel-level rootkit.</p>
<p><strong>Back Orifice 2000.</strong> Back-door program for Windows.</p>
<p><strong>Cheops.</strong> Network mapping tool.</p>
<p><strong>Covert TCP.</strong> Hides data in the TCP protocol.</p>
<p><strong>CPU Hog.</strong> DoS attack.</p>
<p><strong>Crack.</strong> Password cracker for UNIX.</p>
<p><strong>Dsniff.</strong> Advanced sniffer program.</p>
<p><strong>Dumpsec.</strong> Extracts information from NT null sessions.</p>
<p><strong>Enum.</strong> Extracts information from NT null sessions.</p>
<p><strong>Firewalk.</strong> Determines a firewall ruleset.</p>
<p><strong>Fragrouter.</strong> Used to fragment packets.</p>
<p><strong>Getadmin.</strong> Privilege escalation for NT.</p>
<p><strong>Hunt.</strong> Session hijacking tool.</p>
<p><strong>IIS Unicode Exploit.</strong> Exploits an IIS server.</p>
<p><strong>Imap Buffer Overflow.</strong> Buffer overflow for UNIX.</p>
<p><strong>IP Watcher.</strong> Commercial session hijacking tool.</p>
<p><strong>ITS4.</strong> Security reviewer.</p>
<p><strong>Jizz.</strong> DNS cache poisoning tool.</p>
<p><strong>John the Ripper.</strong> Password cracker.</p>
<p><strong>Jolt2.</strong> Denial of Service tool.</p>
<p><strong>Juggernaut.</strong> Session hijacking tool: <a href="http://www.rootshell.com" title="http://www.rootshell.com">http://www.rootshell.com</a></p>
<p><strong>Knark.</strong> Kernel-level rootkit.</p>
<p><strong>Land.</strong> Denial of Service attack.</p>
<p><strong>Loki.</strong> Covert channel for creating a back door.</p>
<p><strong>L0phtcrack.</strong> Password cracker.</p>
<p><strong>Lrk5.</strong> Rootkit.</p>
<p><strong>Nessus.</strong> Free vulnerability scanner.</p>
<p><strong>NetBus.</strong> Back-door program for Windows.</p>
<p><strong>Netcat.</strong> Swiss army knife of security tools.</p>
<p><strong>NetMeeting Buffer Overflow.</strong> Buffer overflow.</p>
<p><strong>Nmap.</strong> Port scanner.</p>
<p><strong>NT Rootkit.</strong> Rootkit for NT.</p>
<p><strong>Ping of Death.</strong> Denial of Service attack.</p>
<p><strong>Queso.</strong> Operating system fingerprinting tool.</p>
<p><strong>RDS Exploit.</strong> IIS exploit.</p>
<p><strong>RedButton.</strong> NT exploit.</p>
<p><strong>Redir.</strong> Packet redirector.</p>
<p><strong>Reverse WWW shell.</strong> Back-door program.</p>
<p><strong>Rstatd exploit.</strong> Buffer overflow.</p>
<p><strong>Rootkits.</strong> Rootkits for UNIX.</p>
<p><strong>Sam Spade.</strong> General tool for Windows.</p>
<p><strong>Sechole.</strong> Privilege escalation exploit.</p>
<p><strong>Smurf.</strong> Denial of Service exploit.</p>
<p><strong>Sniffit.</strong> Sniffer.</p>
<p><strong>Snort.</strong> Sniffer IDS.</p>
<p><strong>Solaris LKM Rootkit.</strong> Back-door program.</p>
<p><strong>SSPing.</strong> Denial of Service exploit.</p>
<p><strong>SYN Flood.</strong> Denial of Service exploit.</p>
<p><strong>Targa.</strong> Tool for running multiple Denial of Service exploits.</p>
<p><strong>TBA.</strong> War dialer for Palm Pilots.</p>
<p><strong>THC Scan.</strong> War dialer.</p>
<p><strong>Tini.</strong> Backdoor for NT.</p>
<p><strong>ToolTalk Buffer Overflow.</strong> Buffer overflow.</p>
<p><strong>TFN2K.</strong> Distributed Denial of Service attack tool.</p>
<p><strong>Trinoo.</strong> Distributed Denial of Service attack tool.</p>
<p><strong>TTY Watcher.</strong> Session hijacking tool.</p>
<p><strong>Whisker.</strong> CGI vulnerability scanner.</p>
<p><strong>WinDump.</strong> Sniffer for Windows.</p>
<p><strong>WinNuke.</strong> Denial of Service exploit.</p>
<p><strong>WinZapper.</strong> Log cleaner for NT.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/hackersecurity-tools/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall Tools Available on the Internet</title>
		<link>http://www.netsecure724.com/firewall-tools-available-on-the-internet</link>
		<comments>http://www.netsecure724.com/firewall-tools-available-on-the-internet#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/firewall-tools-available-on-the-internet</guid>
		<description><![CDATA[
Previously we discussed how firewalls work. Now let's discuss the firewall tools that are available on the Internet. There are many tools available, each having its own set of features. You can choose whatever is appropriate for your network.

•  Using Freeware and Shareware Products
•  TCP Wrappers
•  The TIS Firewall Toolkit
•  SOCKS
• [...]]]></description>
			<content:encoded><![CDATA[<p><!--paging_filter-->
<p>Previously we discussed <a href="http://www.hackingpro.net/blog/how-firewall-works">how firewalls work</a>. Now let's discuss the firewall tools that are available on the Internet. There are many tools available, each having its own set of features. You can choose whatever is appropriate for your network.<br />
<!--break--><br />
•  Using Freeware and Shareware Products<br />
•  TCP Wrappers<br />
•  The TIS Firewall Toolkit<br />
•  SOCKS<br />
•  SQUID<br />
•  Drawbridge<br />
•  SATAN<br />
•  Other Handy Security Software<br />
<!--pagebreak--><br />
<strong>Using Freeware and Shareware Products</strong></p>
<p>There are new firewall vendors springing up almost daily. When you begin to think about how you want to implement a firewall, one of the things you have to do is to evaluate the available products and determine how they can fit into the architecture you design for the firewall. Some vendors offer a one-stop service and can provide you with everything, including packet filtering, application proxies, other security software, and even training and full-time support around the clock. If you do not have the skilled in-house resources to maintain a firewall, you might want to choose this route.</p>
<p>Before you decide on any specific solutions, though, you should read through this post to learn about some of the firewall-related products available for download from the Internet. Most of these are either free or available for a small charge. Some, such as the TIS Firewall Toolkit, can be downloaded for free, yet have a &#8220;cousin&#8221;—a commercial version containing more features than the free version—that you can purchase.</p>
<p>Even though you might not decide to use any of these products in your firewall, simply understanding how they work can make you a better purchaser when it comes to evaluating the products you do have to pay for. In this post, you will examine a few of the more popular products. In the posts that follow, you will look at some of them in more detail.<br />
<!--pagebreak--><br />
<strong>TCP Wrappers</strong></p>
<p>This set of programs was created by Wietse Venema to help protect the network at the Eindhoven University of Technology, where he was employed at the time. The purpose of the wrapper program is to insert a layer of access control and logging into the client/server-based TCP/IP network services model.<br />
TCP Wrappers uses a daemon process named tcpd that is started in place of the actual network services defined in the inetd.conf file. In the usual configuration, the Internet Daemon (inetd) listens for incoming network service requests. It determines which service is needed by matching the request&#8217;s port number with the service as defined in the file /etc/services. Using the service name, inetd then uses the configuration information found in inetd.conf to determine which protocol to use and how to start the needed daemon process.<br />
The TCP Wrapper daemon uses the syslogd daemon for logging purposes and sends its log data to the same place as the sendmail daemon. You can configure how syslogd operates by editing the syslog.conf file.<br />
<!--pagebreak--><br />
<strong>The TIS Firewall Toolkit</strong></p>
<p>The Trusted Information Systems Internet Firewall Toolkit—usually just called FWTK or The Toolkit—has been around for quite some time. When Trusted Information Systems (TIS) merged with Network Associates, this new company was also the vendor responsible for the Gauntlet firewall. Although Gauntlet was originally developed as a commercial version of The Toolkit, it has since been developed and enhanced and for the most part does not share the same code as The Toolkit.</p>
<p>Since FWTK was developed for the Defense Advanced Research Projects Agency (DARPA), the code was placed into the public domain. You can download it from the Internet, but you must first agree to the license. This is done by sending an email request to TIS. In response, you receive an automated email message, usually a few minutes later, that tells you the name of a temporary directory (available for only 12 hours) from which you can FTP the software.<br />
Major components of The Toolkit are proxies that are used for the most popular TCP/IP utilities. The software tools that are included are the following:</p>
<p>•	<em>netacl</em> To provide for Telnet, Finger, and network access control lists.<br />
•	<em>smap and smapd</em> To provide for a secure SMTP service.<br />
•	<em>ftp-gw </em>To provide a proxy server for FTP.<br />
•	<em>tn-gw</em> To provide a proxy server for Telnet.<br />
•	<em>rlogin-gw </em>To provide a proxy server for Rlogin.<br />
•	<em>plug-gw</em> To provide a general-purpose proxy service.<br />
•	<em>authd</em> To provide an authentication service to enhance &#8220;strong authentication&#8221; practices.<br />
•	<em>telnetd</em> A Telnet server that can be used to manage the firewall.<br />
•	<em>login-sh</em> An enhanced login program that provides support for secure logins using token authenticators, such as a smart card.<br />
•	<em>syslogd</em> A replacement of the traditional UNIX logging daemon.</p>
<p>The <em>netacl</em> component is usually configured to provide service access to the firewall itself, whereas the other proxies—such as tn-gw and ftp-gw—are used to provide pass-through proxies. They enable external users to access services that reside on hosts in the internal LAN, and vice versa.<br />
<!--pagebreak--><br />
<strong>SOCKS</strong></p>
<p>SOCKS is a protocol designed to work in a client/server environment. A SOCKS server runs on the firewall host and provides a proxy service. When a client outside the protected LAN wants to connect to a particular service, it does so directly if a direct connection is available. If not, it then tries to contact the SOCKS proxy server and, by exchanging messages defined by the SOCKS protocol, negotiates a proxy connection. When a connection is established, the client communicates with the SOCKS server using the SOCKS protocol. The application server communicates with the SOCKS server as if it were the actual client.</p>
<p>There are two versions of the SOCKS protocol at this time. Version 4 is in wide distribution and supports TCP-based applications. Version 5, which is described in several Request For Comments documents, adds support for UDP applications and authentication.<br />
Unlike the proxy services provided by the TIS Firewall Toolkit, clients that use the SOCKS proxy protocol must first be &#8220;SOCKSified.&#8221; This means that they usually need to be recompiled to add the SOCKS client functions to the code. There are some exceptions to this. Vendors have developed libraries for Windows clients that can SOCKS-enable existing client software. The SOCKS protocol has also been adopted by a large number of software manufacturers who have enabled their clients with SOCKS functions. In addition, the SOCKS Version 4 implementation, available from NEC, includes clients for Telnet, FTP, Finger, and WHOIS. Their SOCKS Version 5 package adds clients for Archie, PING, and traceroute.<br />
<!--pagebreak--><br />
<strong>SQUID</strong></p>
<p>SQUID, as the FAQ for this application states, is usually available at sushi bars. It is also the name of a proxy caching server available on the Internet. Like the TIS Firewall toolkit and several other products I have discussed in this chapter, SQUID comes in source-code format and compiles on many of the popular UNIX variants.<br />
A proxy server, as I have discussed, works by intercepting the flow of IP traffic between a client and server. The proxy server communicates with each of these systems and acts as a man-in-the-middle so that no actual IP packets are ever exchanged between the client and server. Proxy servers can hide the identity of clients sitting behind the firewall. A caching server, however, performs a different function. Caching is the process of holding copies of &#8220;hot objects&#8221;—those that are frequently requested—so that when another object request is received, it can be retrieved quickly from the cache. By servicing requests from the cache, the response to the client is usually faster than actually querying the source of the object directly.<br />
Objects that the caching server buffers in memory (or in disk files) include data that comes in response to requests by FTP, HTTP, and other network clients. In addition to caching these objects, SQUID also supports caching DNS lookups. SQUID is composed of several programs, including the proxy caching server (called squid), a DNS lookup program called dnsserver, and other optional applications.<br />
<!--pagebreak--><br />
<strong>Drawbridge</strong></p>
<p>So far in this post, I have covered products that work basically as proxy servers. Remember, however, that for a proxy server to work optimally, you should place it behind a packet filter instead of connecting the proxy server host directly to the Internet. You can use a screening router as a packet filter, or you can use a software solution that also runs on a host computer.</p>
<p>Drawbridge is a free, high-speed packet filter that, although it originally ran on a DOS platform, now runs on the FreeBSD UNIX platform. Like Drawbridge, FreeBSD is also available at no charge—hence its name! This packet-filtering application was developed at Texas A&amp;M and was designed specifically with the academic environment in mind.<br />
<!--pagebreak--><br />
<strong>SATAN</strong></p>
<p>With such an infamous name, you might think that the SATAN utility is a hacker&#8217;s tool designed to destroy your network. Actually, the term is an acronym, standing for System Administrator&#8217;s Tool for Analyzing Networks. If the name offends you, there is an option in the utility you can use to change its display name to SANTA. Regardless, this tool uses passive probing techniques to search out possible security problems in your network. SATAN is not really a proxy server or a packet filter or a firewall component at all. It is mentioned in this chapter because it is one of the more important tools that, if used correctly, can be valuable in helping you determine whether your firewall will do what you expect.<br />
<!--pagebreak--><br />
<strong>Other Handy Security Software</strong></p>
<p>This post briefly covered some of the tools you can download from the Internet and use to construct a firewall. You also took a quick look at the SATAN security reporting tool. Although the main topic of this post is firewalls, it is important for you to also be able to monitor your network so that you can be sure that the firewall is really protecting you against known methods of attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/firewall-tools-available-on-the-internet/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Automated Tools for Web Hacking</title>
		<link>http://www.netsecure724.com/automated-tools-for-web-hacking</link>
		<comments>http://www.netsecure724.com/automated-tools-for-web-hacking#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/automated-tools-for-web-hacking</guid>
		<description><![CDATA[There are many tools available on the internet for web hacking. We have listed some of the popular tools.

Netcat, written by Hobbit—the Swiss Army knife of hacking.
Whisker, written by Rain Forest Puppy (http://www.wiretrip.net/rfp)—one of the first complete Web checking tools.
Brutus, written by the folks at HooBie Inc. (http://www.hoobie.net/brutus/)—one of the most robust Web authentication brute [...]]]></description>
			<content:encoded><![CDATA[<p>There are many tools available on the internet for web hacking. We have listed some of the popular tools.<br />
<!--break--><br />
<b>Netcat</b>, written by Hobbit—the Swiss Army knife of hacking.</p>
<p><b>Whisker</b>, written by Rain Forest Puppy (<a href="http://www.wiretrip.net/rfp" title="http://www.wiretrip.net/rfp">http://www.wiretrip.net/rfp</a>)—one of the first complete Web checking tools.</p>
<p><b>Brutus</b>, written by the folks at HooBie Inc. (<a href="http://www.hoobie.net/brutus/" title="http://www.hoobie.net/brutus/">http://www.hoobie.net/brutus/</a>)—one of the most robust Web authentication brute forcers.</p>
<p><b>Achilles</b>, written by Roberto Cardona (<a href="http://www.digizen-security.com" title="http://www.digizen-security.com">http://www.digizen-security.com</a>)—one of the first usable HTTP proxy servers to insert commands in the HTTP stream dynamically.</p>
<p><b>Cookie Pal</b>, written by Kookaburra Software (<a href="http://www.kburra.com/" title="http://www.kburra.com/">http://www.kburra.com/</a>)—one of the best programs for monitoring the cookies being created/deleted on a system.</p>
<p><b>Teleport Pro</b>, written by Tennyson Maxwell Information Systems, Inc. (<a href="http://www.tenmax.com" title="http://www.tenmax.com">http://www.tenmax.com</a>)—performs automated and scheduled crawling and inventorying of Web servers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/automated-tools-for-web-hacking/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Netstat</title>
		<link>http://www.netsecure724.com/netstat</link>
		<comments>http://www.netsecure724.com/netstat#comments</comments>
		<pubDate>Thu, 03 Dec 2009 03:56:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.netsecure724.com/netstat</guid>
		<description><![CDATA[
Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.
Netstat provides statistics for the following:
Proto &#8211; The name of the protocol (TCP or UDP).
Local Address &#8211; The IP address of [...]]]></description>
			<content:encoded><![CDATA[<p><!--paging_filter-->
<p>Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.</p>
<p>Netstat provides statistics for the following:</p>
<p><strong>Proto</strong> &#8211; The name of the protocol (TCP or UDP).</p>
<p><strong>Local Address</strong> &#8211; The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).</p>
<p><strong>Foreign Address</strong> &#8211; The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).</p>
<p><strong>State</strong> &#8211; Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netsecure724.com/netstat/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
