NTRootkit

2003-06-20 Thread zero


Hi all,
  I was wondering: if NTRootkit hooks syscalls, many of the current
programs used to detect running processes and hidden keys in the registry will
fail. So, how could you actually detect if syscalls have been hooked? I
believe you could see if new native calls have been added, but how can you
detect hooked and modified native calls?

Thxs in advance

www.citfi.org
www.podergeek.com
**
"The further backward you look, the further forward you can see" Winston 
Churchill
"Access is GOD..."

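Two of the checks the question asks about (service table entries pointing outside the kernel image, and processes or registry keys hidden from the API), as an added Python illustration that is not part of the thread. The module ranges, service addresses and PIDs are constructed sample values; a real implementation would read them from the kernel.

```python
"""Two rootkit-detection heuristics, illustrated on constructed data.

1. SSDT range check: each system service dispatch address should fall inside
   the image of a trusted kernel module (ntoskrnl.exe, win32k.sys). An entry
   that points elsewhere is a candidate hook.
2. Cross-view diff: enumerate the same objects (processes, registry keys)
   through the hookable API and through an independent low-level path; items
   present only in the low-level view are being hidden.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: (module name, image base, image size) of trusted modules.
KERNEL_MODULES: List[Tuple[str, int, int]] = [
    ("ntoskrnl.exe", 0x80400000, 0x200000),
    ("win32k.sys",   0xA0000000, 0x180000),
]

def owner_module(addr: int, modules=KERNEL_MODULES) -> Optional[str]:
    """Return the trusted module whose image range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def find_hooked_services(ssdt: Dict[str, int], modules=KERNEL_MODULES) -> List[str]:
    """Names of service table entries whose target lies outside every trusted module."""
    return sorted(name for name, addr in ssdt.items()
                  if owner_module(addr, modules) is None)

def hidden_items(api_view: Iterable, raw_view: Iterable) -> list:
    """Items the raw enumeration sees but the (possibly hooked) API view does not."""
    return sorted(set(raw_view) - set(api_view))

# Constructed sample SSDT: one entry redirected into an unknown driver.
SAMPLE_SSDT = {
    "NtQuerySystemInformation": 0xF8A01234,  # outside both trusted ranges
    "NtOpenKey": 0x80412340,
    "NtCreateFile": 0x80456780,
    "NtUserGetMessage": 0xA0012000,
}
# Constructed sample process lists: PID 1337 is visible only to the raw view.
SAMPLE_API_PIDS = [4, 120, 488]
SAMPLE_RAW_PIDS = [4, 120, 488, 1337]

if __name__ == "__main__":
    print("hooked services:", find_hooked_services(SAMPLE_SSDT))
    print("hidden pids:", hidden_items(SAMPLE_API_PIDS, SAMPLE_RAW_PIDS))
```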






Re: CSS Question [CSS Explained /some Detail]

2002-01-21 Thread zero


> > B - I've seen literature which says servers should
> > block " < > " ' ; ( ) + - " characters. If one has not
> > blocked all these types what are the implications
> > (i.e., if only <> types are blocked) ?
>
> while "<" and ">" are the first necessary step... those
> other special characters can sometimes be used to
> modify HTML in other instances. All in all they are
> just a good idea to filter so users aren't messed with.


Not only HTML tags but also unix redirections: >> , >, << , <

Alex


mailto:[EMAIL PROTECTED]
http://www.podergeek.com/
http://www.citfi.org
--
"The further backward you look, the further forward you can see" Winston 
Churchill
"Access is GOD..."




Re: Detecting snort running in a remote machine

2001-12-01 Thread Zero



Well, all you said was correct, but maybe I explained badly. I was talking
about remote detection. Normally, tools such as antisniff use specially crafted
ethernet frames to detect promiscuous NICs. The problem appears when you
are not on the same segment as your target, or aren't even on the same
network.

You could not detect snort with those tools if you aren't on the same
network segment.
I don't know if sniffer.pl is capable of detecting that library over IP.
This method is an approximation, but you still have some error margin because
you could have false alarms.
Any ideas?



>Well, rather than thinking about information or
>memory leaks, perhaps you could look at what
>really goes on when snort (or any sniffer) is running.
>
>Since you didn't mention any particular target
>platform, perhaps the way to start is to look at
>promiscuous mode detection.  SecurityFriday has a
>tool at:
>
>http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html
>
>Of course, there is also @Stake's AntiSniff.
>
>Now, if you're on an NT/2K network, there are
>other things you can do.  As an admin, you can
>connect remotely and get a process listing using
>SysInternal's pslist.exe.  Yes, the snort
>executable can be renamed.
>
>Another method of detecting sniffers on NT/2K can
>be found in a tool called 'sniffer.pl' at
>http://patriot.net/~carvdawg/perl.html.  This
>tool works by detecting the winpcap packet device
>driver running on the system.  This device driver
>is used by snort, Ethereal, and even L0phtcrack3.
>And yes, many folks have said, "but the name of
>the driver can be changed", and this is true...but
>unless the user completely recompiles not only the
>tool itself, but the DLL used by the device
>driver, as well, everything will break and no
>longer work.
>
>Hope this helps...

mailto:[EMAIL PROTECTED]
http://www.podergeek.com
http://www.citfi.org

**
"The further backward you look, the further forward you can see"   Winston 
Churchill
"Para ganar, hay gente que debe perder"




Detecting snort running in a remote machine

2001-11-27 Thread Zero

Hi all,
 I was just wondering if there is any tool that detects snort
running on a remote machine. Could it be possible? Does snort have
information leaks that could lead to its detection from an external
machine? If such a tool exists, has anyone any info?
 Thxs in advance.




mailto:[EMAIL PROTECTED]
http://www.podergeek.com
http://www.citfi.org

**
"The further backward you look, the further forward you can see"   Winston 
Churchill
"Para ganar, hay gente que debe perder"