One of the distros that I've used several times is Trinux [http://trinux.sourceforge.net]. It's an ISOLINUX-based project that can boot either off floppies or off an ISO distributed on the website. It's your basic hacker's toolbox, with tools like netcat and nmap, ipchains and netfilter, openssh, links (a lynx clone), vi and vim (because emacs just won't cut it), samba, and much, much more. There's an offshoot of the project called LaBrea (named after the tarpits I suppose) which can be deployed as a "sticky honeypot" for Code Red - it sits on your network, intercepts Code Red probes and essentially ties up the machines by
craft[ing] up a return packet with SYN/ACK set and perhaps an option to set the MSS to something small... say about 60 bytes. ...the attacking worm...after replying with an ACK, ...has completed a three-way handshake... it's connected....my program just answers SYN packets and ignores everything else. So now the worm has to sit around while the whole TCP connection times out. [http://www.threenorth.com/LaBrea/] Anyway, I used Trinux pretty extensively at work over the past few summers to diagnose network problems. We have a small class C block using only about 200 of the IPs, but nearly all of the machines are Windows 95a machines. The tools that come with Windows are woefully inadequate when it comes to mapping out a network, among other things. I could use nmap's ping scan to find active machines easily, resolve their DNS names, etc. And, of course, if I didn't have a CD drive on the box, I could use the floppy distro. Okay, obviously I like this toy a little bit. Try it out sometime. -Bill
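As an added illustration of the tarpit behaviour quoted above (answer a SYN with SYN/ACK carrying a small MSS, then ignore every later segment so the peer's connection hangs until it times out), here is a simulation on constructed TCP headers. It is not code from Trinux or LaBrea: there are no raw sockets and no IP layer, the checksum is left zero, and the `Tarpit` class, `MSS_BYTES` and the sample ports are assumptions made for the example.

```python
import struct

MSS_BYTES = 60  # the "about 60 bytes" MSS from the LaBrea description
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_tcp(segment: bytes) -> dict:
    """Decode a TCP header: fixed 20 bytes plus any options (no checksum check)."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": win,
            "options": segment[20:data_offset]}

def build_tcp(sport, dport, seq, ack, flags, options=b"", window=4096) -> bytes:
    """Pack a TCP header with options padded to a 4-byte boundary.
    Checksum stays 0: a real raw-socket sender fills it in over the IP pseudo-header."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flags, window, 0, 0)
    return hdr + options

class Tarpit:
    """Replies only to bare SYNs; everything after that is dropped on the floor."""
    def __init__(self, isn=0x1000):
        self.isn = isn          # fixed initial sequence number (simulation only)
        self.stuck = {}         # (peer port, local port) -> ignored follow-up segments

    def handle(self, segment: bytes):
        seg = parse_tcp(segment)
        key = (seg["sport"], seg["dport"])
        if seg["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN:
            # SYN without ACK: hand back SYN/ACK with a tiny MSS option (kind 2, len 4).
            self.stuck[key] = 0
            mss_opt = struct.pack("!BBH", 2, 4, MSS_BYTES)
            return build_tcp(seg["dport"], seg["sport"], self.isn, seg["seq"] + 1,
                             TCP_SYN | TCP_ACK, mss_opt)
        # The peer's ACK, data, retransmissions: ignored, so its connection just sits there.
        if key in self.stuck:
            self.stuck[key] += 1
        return None
```

Feeding the returned SYN/ACK's sequence numbers back in as the peer's ACK shows the second segment getting no reply while the stuck counter climbs.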