[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#414534: ITP: sucrack -- multithreaded su bruteforcer

> Nope since he that did not go to d-d. Maybe you can outline professional
> uses in the description like done in the previous answers?

As to previous answers, verbatim:

I'm packaging a bunch of security tools that I use in my job pen testing.  
There are already a number of people both internally and at other security 
companies using my packages, so I figured they'd be useful to the community.  
I actually have a mentor for these packages already, so it seems there are 
Debian developers that agree.


It's built statically.  Normally what happens, is that during an assessment, 
if a local account is compromised, then sucrack is copied across and an 
attack against root occurs.  Additionally, because this tool doesn't rely on 
having access to the hashes, but actually drives su (or other tools), it can 
be used against for example "custom" encryption schemes that may be used by 
3rd parties.  I've also had it drive ssh-agent to audit key phrases too.

Why package it?  Other than the practical uses outlined above, because having 
binaries on a system outside of the package management system is a PITA to 
keep track of / update and it makes building a new system very quick.

I can see this tool isn't for everyone, but then that probably goes for a 
large number of tools packaged by Debian (depending on what you use your 
systems for).

> IANAL but there may be countries where distributing such a tool, with it's
> main/only purpose to break access restrictions, may not be legal (there was
> some discussion about this in Germany but I did not follow it closely).

The upstream developer is German, I will discuss with him any due diligence he 
may have performed and report back (he's AFK for next week or so).  
Personally, I am English.  Through my day job, I have clarification regarding 
changes to UK law that might affect this tool and we have had assurances that 
legitimate security researchers and the tools they develop will not be 
targetted here in the UK.

Tim Brown

Reply to: