Re: NKADM rootkit - Something new?

[InfoSec () seba com]

Instead of Knoppix you may want to look at "Knoppix Security Tools Disto" 
at
http://www.knoppix-std.org


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This message and any files transmitted with it are 
proprietary and confidential.  They are intended solely 
for the use of the individual or entity to whom they are 
addressed. If the reader of this message is not the 
intended recipient, please notify the sender immediately 
and delete this message.  Distribution or copying of this
message is prohibited.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 




Paul Schmehl <pauls () utdallas edu>
05/26/2004 06:50 PM
 
        To:     <incidents () securityfocus com>
        cc: 
        Subject:        Re: NKADM rootkit - Something new?


Since I posted my response in this thread, I've gotten several requests 
for 
my "tool list".  There's really nothing magical about it.

Foundstone has a number of useful tools - Forensic Toolkit (good for 
examing files), Vision (shows open TCP and UDP ports and what process owns 

them), BinText (strings for Windows).

Go to http://www.foundstone.com/ and click on Resources/Free Tools.

Systinternals has a number of tools that you'll probably find in the 
hackers' toolkits as well, particularly pslist and pskill.  But look at 
their whole set.  ListDLLs is very useful, as is Handle, PMon, Process 
Explorer (find function is *very* helpful), PSTools (pskill, pslist, 
psservice and several others.)

Go to http://www.sysinternals.com/ and click on Utilities.
All these tools are very useful.  Particularly when you're dealing with a 
process or service that's been renamed and/or is elusive, something that 
can tie processes to PIDs and files with complete paths is a necessity.

Another good tool is Active Ports, which will show you the process, PID, 
IP 
address (local and remote), ports (local and remote), state (listen, 
established) and path to the executable is extremely useful.

Go to http://www.snapfiles.com/get/activeports.html

More good tools may be found at http://www.ntutility.com/ (including 
Active 
Ports.)

Of course Microsoft also has a useful set of utilities that few seem to 
know about.  Among them is sc,tskill, tasklist, eventquery.vbs, pstat.exe 
(part of the SDK).  These are handy in a pinch, but not as informative as 
the tools mentioned above.

Another tool that I've found invaluable is F.I.R.E.  It's a bootable, 
networkable CD ROM running Linux.  I've been able to mount ntfs hard 
drives 
and scp the entire contents to a server, saving all the data from a 
crashed 
machine before formatting it and reinstalling the OS.  (Saved the 
President's laptop once, becoming a hero in the process.)  I've done 
forensics on a Win2K box, mounting the ntfs drives and making copies of 
all 
the logs and binaries I found without disturbing the contents of the drive 

or changing any of the file access information.

Go to http://biatchux.dmzs.com/ to get a copy.

The most recent update is dated 5/14/2003, so I don't know if it's being 
maintained or updated.

You might want to consider Knoppix instead.  It comes with a boatload of 
extra stuff you won't use for forensics, but it's a good way to get 
familiar with unix, if you're not already.  It even has a working version 
of snort with ACID!

Go to http:www.knoppix.net/ for more information.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/