I'm trying to test our HIDS implementation and want to see intrusion detection system (IDS) responses to a server compromise and a rootkit install. Is there somewhere I can download one of the latest rootkits such as t0rn, tuxkit, etc. so I can install it on a lab server for testing purposes? I also want to test chkrootkit scripts to verify effectiveness.
Testing any IDS is always difficult. I would use products such as ISS Scanner or Nessus. Nessus is freeware and does a fine job or better than ISS. There are also many other tools located at Altavista and malicious sites that can do the same, but most don't have all the tools that Nessus provides.
Depending on the HIDS product and your settings, you can do both manual attempts on the device as well as Nessus. You can also do simple things using tools like SamSpade, Ping, netuse, netcat, netbus and many others. IF you are good at perl scripting, you could create many scripts that attempt logins or guess passwords.
To prove your point, you may need NIDS to record your attempts or a sniffer if the packets slip by the NIDS, which in the case most will.
This was first published in September 2002