The PsTools suite
Instead of describing the tools in alphabetical order, we'll start with the least
But first, here are some prerequisites for using these tools:
You must have proper user credentials. The greater functionality of these tools requires greater access. This isn't a problem for system administrators.
The "Server" service must be started on the target system. The "NetLogon" service helps pass credentials across the domain.
The "RemoteRegistry" service is used for certain functions such as PsInfo's
The IPC$ share must be available.
In an environment where administration relies heavily on the GUI, the left mouse button, and Terminal Services, this suite
| Caution |
During remote administration, your username and password are flying across the network! If you're highly
|
PsTools consists of several command-line utilities that truly simplify administration of large networks. Remote access using Terminal Services does help, but these tools can be an integral part of automated scripts that collect logfiles, list active users, or run arbitrary commands across dozens of systems.
PsFile allows you to list files on one host that are in use by another host. It mirrors the functionality of the built-in net file command. This is useful for debugging file shares and tracking unauthorized file system access. The following output is
C:\>psfile.exe
Files opened remotely on GOBLYNSWOOD:
[23] D:\downloads\secretplans.txt
User: ORC
Locks: 0
Access: Read

C:\>net file
ID Path User name # Locks
--------------------------------------------------------------------
23 D:\downloads\secretplans.txt ORC 0
The command completed successfully.
We can tell that user ORC is viewing a text file called secretplans.txt. This tool doesn't reveal from where ORC is accessing the file, so it isn't very helpful as a forensic tool; that's a job for netstat. At first, the information appears redundant between the two commands. The -c option works the same way as the /close option to net file. It
C:\>psfile.exe 23 -c
Closed file D:\downloads\secretplans.txt on GOBLYN.
Again, there doesn't seem to be a real advantage over the net utility. However, every PSTool works over a remote connection. The usage is the same, with the addition of the user credentials on the command line.
C:\>psfile.exe \\192.168.0.176 -u Administrator -p IM!secure
Files opened remotely on 192.168.0.176:
[32] \PIPE\srvsvc
User: ADMINISTRATOR
Locks: 0
Access: Read Write
If you run psfile against your localhost and specify its IP address, you'll see that it opens a connection to the server service.
| Note |
Just about every PsTool accepts the \\RemoteHost -u UserName -p password options, even if the tool's command-line help ( /h ) doesn't explicitly state it. |
Don't accuse the PsTools of obscure naming conventions. PsLoggedOn displays the users who are logged onto a system, whether through the console, a file share, or another remote method:
C:\>psloggedon.exe
Users logged on locally:
<Unknown> NT AUTHORITY\LOCAL SERVICE
<Unknown> NT AUTHORITY\NETWORK SERVICE
3/10/2002 11:23:49 AM GOBLYNSWOOD\pyretta
<Unknown> NT AUTHORITY\SYSTEM
Users logged on via resource shares:
3/12/2002 12:04:12 AM (null)\ORC
From a defense perspective, the list of users logged on via resource shares can be
From an attacker's perspective, it may not be prudent to launch buffer overflow attacks or other exploits against systems that have users currently logged onto them.
Renaming the Administrator account to "TeflonBilly" might be fun, but do not consider it a true security measure. With PsGetSid,
C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure Orc
SID for 192.168.0.176\Orc: S-1-5-21-1454471165-484763869-1708537768-501
| Tip |
When targeting the "Administrator," always verify that the account has a SID that ends in 500. Otherwise, you know that the account has been
|
A SID request does not have to target a user. PsGetSid can enumerate other objects such as the computer and user groups:
C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure goblynswood
SID for 192.168.0.176\goblynswood: S-1-5-21-1454471165-484763869-1708537768

C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure "Power Users"
SID for 192.168.0.176\goblynswood: S-1-5-32-547
Alone, this type of information is not particularly useful, but when cross-referenced with user RIDs from SAM files or other sources, it fills a large part of the domain's authentication structure.
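The cross-referencing described above is mechanical once the SID is split into its domain part and its relative ID (RID). The following script is an added example, not code from the original page or from the PsTools suite: it parses the "SID for HOST\name: S-..." lines that psgetsid prints, separates the domain or machine SID from the RID, names the well-known RIDs, and applies the tip that the real Administrator always has RID 500 whatever it is called. The lines in SAMPLE_OUTPUT are constructed from the output shown on this page plus one made-up line for a renamed "TeflonBilly" account; the RID tables cover only the most common well-known values.

```python
"""Split SIDs returned by PsGetSid and check account names against their RIDs.

Added example (not part of the original page or of Sysinternals PsTools).
"""
import re

# Well-known relative IDs. Domain/machine accounts live under S-1-5-21-<three
# sub-authorities>; BUILTIN aliases live under S-1-5-32. Partial tables.
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
               512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 547: "Power Users",
                551: "Backup Operators", 555: "Remote Desktop Users"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
PSGETSID_RE = re.compile(r"^SID for [^\\]+\\(.+?): (S-1-[\d-]+)$")

# Constructed sample: the first three lines mirror this page's psgetsid output,
# the fourth is made up to show a renamed built-in Administrator.
SAMPLE_OUTPUT = [
    r"SID for 192.168.0.176\Orc: S-1-5-21-1454471165-484763869-1708537768-501",
    r"SID for 192.168.0.176\goblynswood: S-1-5-21-1454471165-484763869-1708537768",
    r"SID for 192.168.0.176\Power Users: S-1-5-32-547",
    r"SID for 192.168.0.176\TeflonBilly: S-1-5-21-1454471165-484763869-1708537768-500",
]


def split_sid(sid):
    """Return (domain_sid, rid). A bare machine/domain SID (S-1-5-21 plus three
    sub-authorities, seven dash-separated parts) has no RID, so rid is None."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 7:
        return sid, None
    return "-".join(parts[:-1]), int(parts[-1])


def parse_psgetsid(line):
    """Turn one 'SID for HOST\\name: S-...' line into (name, sid)."""
    m = PSGETSID_RE.match(line.strip())
    if not m:
        raise ValueError("unexpected psgetsid output: %r" % line)
    return m.group(1), m.group(2)


def classify(sid):
    """Name what a SID is, independent of the display name psgetsid was given."""
    domain, rid = split_sid(sid)
    if rid is None:
        return "domain or machine SID (no RID)"
    if domain == "S-1-5-32":
        return BUILTIN_RIDS.get(rid, "unknown BUILTIN alias (RID %d)" % rid)
    if domain.startswith("S-1-5-21-"):
        return DOMAIN_RIDS.get(rid, "ordinary account or group (RID %d)" % rid)
    return "well-known SID outside the BUILTIN and domain authorities"


def check_admin(name, sid):
    """Return a finding when the name 'Administrator' and RID 500 disagree, else None."""
    domain, rid = split_sid(sid)
    is_real_admin = rid == 500 and domain.startswith("S-1-5-21-")
    if name.lower() == "administrator" and not is_real_admin:
        return "'%s' is not the built-in Administrator (%s)" % (name, classify(sid))
    if is_real_admin and name.lower() != "administrator":
        return "'%s' is the built-in Administrator renamed (RID 500)" % name
    return None


def audit(lines):
    """Parse every psgetsid line and return (name, sid, classification, finding)."""
    out = []
    for line in lines:
        name, sid = parse_psgetsid(line)
        out.append((name, sid, classify(sid), check_admin(name, sid)))
    return out


if __name__ == "__main__":
    for name, sid, what, finding in audit(SAMPLE_OUTPUT):
        print("%-12s %-45s %s%s" % (name, sid, what, "  <-- " + finding if finding else ""))
```

The split matters because the domain part is what ties user RIDs from a SAM dump back to a particular machine or domain: every account on 192.168.0.176 shares the S-1-5-21-1454471165-484763869-1708537768 prefix, and only the trailing RID changes.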
Operating system, uptime (based on
PsInfo 1.6 - local and remote system information viewer
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\ARRAKIS:
Uptime: 0 days, 0 hours, 58 minutes, 9 seconds
Kernel version: Microsoft Windows XP, Uniprocessor Free
Product type: Professional
Product version: 5.1
Service pack: 1
Kernel build number: 2600
Registered organization:
Registered owner: Michael Shema
Install date: 08/11/2002, 22:26:38
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 1
Processor speed: 665 Mhz
Processor type: x86 Family 6 Model 8 Stepping 4, ConnectixCPU
Physical memory: 196 MB
As you can see, PsInfo provides a quick method for checking your servers for the latest hotfixes. If you're running IIS, you should be
A batch file makes this system enumeration easy:
C:\>for /L %i in (1,1,254) do psinfo \\192.168.0.%i > systeminfo_192.168.0.%i.txt
Notice that we've left out the authentication credentials. If you're going to create a batch file that needs to access remote systems, don't place the username and password in the batch file. Instead, run the batch file in the context of a domain user with permissions to enumerate this information. The only problem you'll encounter is difficulty accessing systems that are not part of the domain.
This robust tool enables you to view and manipulate services remotely. The Windows net start and net stop commands tremble in the presence of PsService. With no command-line options, PsService returns a list of every service installed on the system. The following output has been shortened for brevity, but it includes complete descriptions for two services:
C:\>psservice.exe
SERVICE_NAME: inetd
DISPLAY_NAME: CYGWIN inetd
(null)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: SharedAccess
DISPLAY_NAME: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Provides network address translation, addressing, name resolution
and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Service information, regardless of whether or not the service is currently running, indicates the role of a system, the security software installed, and possibly its relative importance on a network. A server that backs up the PDC will have a backup service running, and an e-mail server might have an anti-virus service running. Beyond enumeration, PsService also provides control over the services. Specify one of the following commands to manipulate a service:
| PsService "Cmd" Option | Description |
|---|---|
| query | Queries the status of a service |
| config | Queries the configuration |
| setconfig | Sets the configuration |
| start | Starts a service |
| stop | Stops a service |
| restart | Stops and then restarts a service |
| pause | Pauses a service |
| cont | Continues a paused service |
| depend | Enumerates the services that depend on the one specified |
| find | Searches for an instance of a service on the network |
After the command, specify the service to be affected. For example, here's how to start IIS on a remote computer type (
C:\>psservice.exe \\192.168.0.39 start w3svc
You could also stop, restart, pause, or continue the service. The config command
C:\>psservice.exe config inetd
SERVICE_NAME: inetd
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : d:\cygwin\usr\sbin\inetd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CYGWIN inetd
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
Finally, the find command can be used to hunt down services running on a network. In a way, it can be a roundabout port scanner. For example, to find
C:\>psservice.exe find TermService
Found termservice on:
\\ZIGGURAT
\\GOBLYNSWOOD
Use this in conjunction with a port scanner to identify rogue IIS installations on your network.
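Read by eye, the psservice listing tells you a system's role; read by script, it becomes an inventory you can diff from one audit to the next. The following parser is an added example, not code from the original page or from Sysinternals: it turns the block format psservice prints (SERVICE_NAME, DISPLAY_NAME, a free-text description, then KEY : value lines) into one record per service, lists what is running, and applies one review rule to the config output: a service that runs as LocalSystem from a binary outside the system root deserves a second look. SAMPLE_QUERY and SAMPLE_CONFIG are constructed from the psservice and psservice config output shown above; the system-root rule and the C:\WINDOWS default (taken from the psinfo "System root" line earlier) are assumptions of this example, not PsService features.

```python
"""Build a service inventory from psservice output.

Added example (not part of the original page or of Sysinternals PsTools).
"""

# Constructed from the two service blocks shown on this page.
SAMPLE_QUERY = r"""SERVICE_NAME: inetd
DISPLAY_NAME: CYGWIN inetd
(null)
        TYPE              : 10 WIN32_OWN_PROCESS
        STATE             : 1  STOPPED
                               (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 1077 (0x435)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0x0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Provides network address translation, addressing, name resolution
and/or intrusion prevention services for a home or small office network.
        TYPE              : 20 WIN32_SHARE_PROCESS
        STATE             : 4  RUNNING
                               (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 0 (0x0)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0x0
"""

# Constructed from the "psservice config inetd" output shown on this page.
SAMPLE_CONFIG = r"""SERVICE_NAME: inetd
(null)
        TYPE              : 10 WIN32_OWN_PROCESS
        START_TYPE        : 3  DEMAND_START
        ERROR_CONTROL     : 1  NORMAL
        BINARY_PATH_NAME  : d:\cygwin\usr\sbin\inetd.exe
        LOAD_ORDER_GROUP  :
        TAG               : 0
        DISPLAY_NAME      : CYGWIN inetd
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem
"""

# Assumed system root for the host being audited (psinfo reports the real one).
SYSTEM_ROOT = r"c:\windows"


def parse_psservice(text):
    """Return one dict per SERVICE_NAME block.

    KEY : value lines become entries (split on the first colon, so a drive
    letter in BINARY_PATH_NAME survives), the parenthesised flag line becomes
    'flags', and lines without a colon are the free-text description. A
    description that itself contains a colon would be misread as a key."""
    services, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(null)":
            continue
        if line.startswith("(") and line.endswith(")"):
            if cur is not None:
                cur["flags"] = tuple(line[1:-1].split(","))
            continue
        if ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "SERVICE_NAME":
                cur = {"SERVICE_NAME": value, "flags": (), "description": ""}
                services.append(cur)
            elif cur is not None:
                cur[key] = value
        elif cur is not None:
            cur["description"] = (cur["description"] + " " + line).strip()
    return services


def state(svc):
    """'RUNNING', 'STOPPED', ... from a 'STATE : 4  RUNNING' value."""
    value = svc.get("STATE", "")
    return value.split()[-1] if value else "UNKNOWN"


def running(services):
    """Names of the services that are currently running."""
    return [s["SERVICE_NAME"] for s in services if state(s) == "RUNNING"]


def review_config(svc, system_root=SYSTEM_ROOT):
    """Heuristic: flag a LocalSystem service whose binary lives outside the
    system root (a third-party daemon with full privileges). Returns a finding
    string or None."""
    path = svc.get("BINARY_PATH_NAME", "").strip('"').lower()
    account = svc.get("SERVICE_START_NAME", "")
    if account == "LocalSystem" and path and not path.startswith(system_root.lower()):
        return "%s: %s runs as LocalSystem" % (svc["SERVICE_NAME"], path)
    return None


if __name__ == "__main__":
    inventory = parse_psservice(SAMPLE_QUERY)
    for svc in inventory:
        print("%-14s %-8s %s" % (svc["SERVICE_NAME"], state(svc), svc.get("DISPLAY_NAME", "")))
    print("running:", running(inventory))
    print("review:", review_config(parse_psservice(SAMPLE_CONFIG)[0]))
```

Feed it the psservice output captured from each host in the same loop you use for psinfo and keep the parsed records; a service that appears on a host where it was not present last month is exactly the rogue installation the find command hunts for.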
When your Unix
C:\>pslist.exe
Process information for GOBLYNSWOOD:
Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time
Idle 0 0 1 0 16 0:00:00.000 3:57:29.219 0:00:00.000
System 8 8 39 319 216 0:00:00.000 0:00:11.536 0:00:00.000
SMSS 152 11 6 33 560 0:00:00.210 0:00:00.741 4:27:11.031
CSRSS 180 13 10 494 3560 0:00:00.650 0:01:30.890 4:26:59.084
WINLOGON 200 13 17 364 3256 0:00:00.230 0:00:01.081 4:26:55.879
SERVICES 228 9 30 561 5640 0:00:01.542 0:00:03.535 4:26:48.058
LSASS 240 9 14 307 520 0:00:00.260 0:00:00.230 4:26:48.028
svchost 420 8 9 333 3748 0:00:00.150 0:00:00.150 4:26:41.839
spoolsv 452 8 12 166 3920 0:00:00.070 0:00:00.160 4:26:41.088
You can also gather information about a specific process name or process ID by calling it on the command line. For example, to see how much of your system resources Internet Explorer has chewed away, try this:
C:\>pslist.exe iexplore
Process information for GOBLYNSWOOD:
Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time
IEXPLORE 636 8 17 805 26884 0:00:14.711 0:00:17.154 4:38:27.694
IEXPLORE 1100 8 28 1054 27980 0:00:24.375 0:00:40.888 4:36:25.388
| Tip |
A handful of password-
|
The -s and -r options really come in handy for monitoring important servers or even debugging code. The -s option puts PsList into Task Manager mode. In other words, it
C:\>pslist.exe -s -r 10 inetinfo.exe
The -t option displays each process and its threads in a tree format, making it easier to visualize the process relationships on the system. Here's an abbreviated output that shows the system threads:
C:\>pslist.exe -t
Process information for GOBLYNSWOOD:
Name Pid Pri Thd Hnd VM WS Priv
Idle 0 0 1 0 0 16 0
System 8 8 39 323 1668 216 24
SMSS 152 11 6 33 5248 560 1072
CSRSS 180 13 10 502 22700 3576 1512
WINLOGON 200 13 17 364 35812 3252 5596
SERVICES 228 9 31 563 33748 5652 2772
svchost 420 8 9 333 22624 3748 1528
MDM 1420 8 3 96 25996 2640 924
Avsynmgr 556 8 4 139 28024 2708 1460
VSStat 896 8 2 112 26376 2664 1376
vshwin32 956 8 7 219 54220 6468 3908
WebScanX 1036 8 3 194 40020 6052 4628
Avconsol 976 8 2 112 28500 2640 1484
svchost 592 8 33 449 43592 8084 3364
LSASS 240 9 14 307 28080 864 2344
explorer 1200 8 17 468 99580 4460 11912
As you can list a process, so you can kill it (or suspend it if you're feeling gracious). The PsKill tool takes either a process name or ID as an argument. If you rely on the PID, you'll need to use PsKill in conjunction with PsList. On the other hand, specifying the process by name might kill more processes than you intended. Both
C:\>pslist.exe | findstr /i notepad
notepad 1764 8 1 30 1728 0:00:00.020 0:00:00.020 0:00:07.400
notepad 1044 8 1 30 1724 0:00:00.020 0:00:00.020 0:00:05.077
notepad 1796 8 1 30 1724 0:00:00.010 0:00:00.020 0:00:03.835

C:\>pskill.exe 1764
process #1764 killed

C:\>pskill.exe notepad
2 processes named notepad killed.
| Caution |
Be careful when killing processes by name. PsKill matches every process with that name, not just the first one it encounters. It does not
|
PsSuspend works in the same manner. Specify a process name or ID after the command to suspend that process:
C:\>pssuspend.exe 1116
Process 1116 suspended.
Use the -r option to resume a process:
C:\>pssuspend.exe -r 1116
Process 1116 resumed.
| Note |
Remember that these tools work remotely, but they require user authentication. An open NetBIOS port doesn't expose the entire system to compromise. However, there is a problem with an open NetBIOS port and a blank administrator password (we've seen plenty of these). Use the PsTools to tighten and audit your network. |
The event log contains a wealth of information about system health, service status, and security. Unfortunately, the awkwardness of the Event Log Viewer typically precluded administrators from running quick log
PsLogList v2.61 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

PsLogList dumps event logs on a local or remote NT system.

Usage: psloglist [\\computer[,computer2[,...]|@file] [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w] [-c] [-x] [-r] [-a mm/dd/yy] [-b mm/dd/yy] [-f filter] [-i ID[,ID[,...]] | -e ID[,ID[,...]]] [-o event source[,event source[,...]]] [-q event source[,event source[,...]]] [[-g|-l] event log file] <event log>
The following table details the available options:
| PsLogList Option | Description |
|---|---|
| @file | File contains a list of hostnames against which PsLogList will dump event log information. This enables you to easily automate log management for many systems. |
| -a <mm/dd/yy> | Dumps records timestamped after the specified date. |
| -b <mm/dd/yy> | Dumps records timestamped before the specified date. |
| -c | Clears the event log after displaying it. |
| -d <n> | Displays only records from the previous n days. |
| -e <ID[,ID,...]> | Excludes events with the specified ID or IDs (up to 10). |
| -f <e\|i\|w> | Filters event types, using the starting letter (for example, -f we to filter warnings and errors). |
| -g | Exports an event log as an .evt file. This can only be used with the -c switch (clear log). |
| -h <n> | Displays only records from the previous n hours. |
| -i <Event ID> | Shows only events with the specified ID. |
| -l | Dumps the contents of the specified saved event logfile. |
| -m <n> | Displays only records from the previous n minutes. |
| -n <n> | Displays only the n most recent records. |
| -o <source> | Shows only records from the specified event source (for example, -o |
| -p | Specifies the password for the username. |
| -q | Omits records from the specified event source or sources (for example, -q cdrom). |
| -r | Dumps the log from least recent to most recent. |
| -s | Lists records on one line each with delimited fields, which is |
| -t <character> | The default delimiter for the -s option is a comma; it can be overridden with the specified character. |
| -u | Specifies an optional username for login to the remote computer. |
| -w | Waits for new events, dumping them as they are generated (local system only). |
| -x | Dumps extended data. |
| <eventlog> | Specifies the event log to dump. The default is system. If the -l switch is present, the event log name specifies how to interpret the event logfile. |
PsLogList displays the logfile contents in a long format or a consolidated, comma-delimited manner. By default, PsLogList returns the long format of the system log:
C:\>psloglist
PsLogList v2.61 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\ARRAKIS:
[549] Service Control Manager
Type: INFORMATION
Computer: ARRAKIS
Time: 25/07/2003 22:27:10 ID: 7036
The WMI Performance Adapter service entered the stopped state.
Output in a comma-delimited format is obtained with the -s option. Once more, the example has been shortened for clarity:
C:\>psloglist -s
PsLogList v2.61 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
System log on \\ARRAKIS:
551,System,Tcpip,INFORMATION,ARRAKIS,Fri Jul 25 23:26:46 2003,4201,
None, The system detected that network adapter \DEVICE\TCPIP_{056213EA-
3E98-4CBB-8997-5145022A8FDC} was connected to the network, and has
initiated normal operation over the network adapter.
Any of the three event logs (application, security, or system) can be
C:\>psloglist -s security
PsLogList v2.61 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

Security log on \\ARRAKIS:
2017,Security,Security,AUDIT SUCCESS,ARRAKIS,Mon Jul 28 10:36:12 2003,520,SYSTEM\NT AUTHORITY,The system time was changed.
Process ID: 1176
Process Name: C:\WINDOWS\CNTX\VPCSRVC.EXE
Primary User Name: ARRAKIS$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: ARRAKIS$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Previous Time: 10:36:12 28/07/2003
New Time: 10:36:12 28/07/2003
The -f option enables you to filter events based on one of five types: Warning (w), Information (i), Errors (e), Audit Success, and Audit Failure. (The
C:\>psloglist.exe -s -f "Audit Success" Security Security_successes.log
Use PsLogList to help maintain and follow your network's audit policy. Although this tool does not toggle event log settings, use it to coordinate logs and generate daily, weekly, or monthly
| Caution |
The -c option will actually clear the logfile after it has been dumped. Use this option with care, as you may inadvertently erase logfiles that have not yet been
|
C:\>psloglist.exe -c Application
...output truncated...
Application event log on GOBLYNSWOOD cleared.

C:\>psloglist.exe Application
Application log on \\GOBLYNSWOOD:
No records in Application event log on GOBLYNSWOOD.
| Note |
An attacker could use the -c option to clear event logs to hide her tracks. |
The -a and -b options retrieve events after and before the supplied date in the "mm/dd/yy" format. For example, here's how to view the previous day's security events (using 02/09/02 as the current day):
C:\>psloglist.exe -a 02/08/02 -b 02/09/02 Security
Finally, PsLogList reads the binary event logfiles from any system. Supply the filename to the -l option. In this instance, PsLogList deduces the log type (application, security, system):
C:\>psloglist.exe -l Security.evt
The latest version of PsLogList introduces two new options. The first option filters events with a specific event ID (-i). The second option filters events with a specific event source (-o). Thus, you can look for specific events with strong security implications such as failed logon/
C:\>psloglist -s security -i 529
Security log on \\ARRAKIS:
1962,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:35 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
Reason: Unknown user name or bad password
User Name: Muaddib
Domain: ARRAKIS
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: ARRAKIS
1919,Security,Security,AUDIT FAILURE,ARRAKIS,Tue Jul 22 16:13:58 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
Reason: Unknown user name or bad password
Or you can check for errors from specific sources in the application or system logs:
C:\>psloglist -s system -o dhcp
PsLogList v2.61 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\ARRAKIS:
469,System,Dhcp,WARNING,ARRAKIS,Mon Jul 21 13:47:24 2003,1007,None,Your computer has automatically configured the IP address for the Network Card with network address 0003FFABA4F6. The IP address being used is 169.254.235.60.
468,System,Dhcp,WARNING,ARRAKIS,Mon Jul 21 13:47:19 2003,1003,None,Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0003FFABA4F6. The following error occurred: The semaphore timeout period has expired. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Sources are easily identified from the "Source" column when you launch the GUI-based Event Viewer (eventvwr.exe).
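The -s format is what makes PsLogList useful in a daily script, but its records do not fit one line each: the message field can contain commas and, as the 529 output above shows, continues on the lines that follow. The parser below is an added example, not code from the original page or from Sysinternals. It groups header and continuation lines into records, splits each into the nine fields (record number, log, source, type, computer, time, event ID, user, message), and then applies the one check the -i 529 example was reaching for: failed logons counted per account name, with a threshold that separates a typo from a password-guessing run. SAMPLE is constructed from the records shown on this page plus two more 529 records for Muaddib and one for a made-up second account; the threshold of three failures is an assumption.

```python
"""Parse psloglist -s output and count failed logons (event 529) per account.

Added example (not part of the original page or of Sysinternals PsTools).
"""
import re
from collections import Counter

# A record starts with: number, log, source, event type. Continuation lines
# of a multi-line message (Reason:, User Name:, ...) never match this.
HEADER_RE = re.compile(
    r"^\d+,[^,]*,[^,]*,(AUDIT SUCCESS|AUDIT FAILURE|INFORMATION|WARNING|ERROR),")
FIELDS = ("record", "log", "source", "type", "computer", "time",
          "event_id", "user", "message")
USER_RE = re.compile(r"User Name:\s*(\S+)")

# Constructed sample in the -s layout shown on this page: the 520 and the
# first 529 record are from the page; records 1961, 1960 and the 'stilgar'
# failure are made up to give the threshold something to trip on.
SAMPLE = r"""PsLogList v2.61 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

Security log on \\ARRAKIS:
2017,Security,Security,AUDIT SUCCESS,ARRAKIS,Mon Jul 28 10:36:12 2003,520,SYSTEM\NT AUTHORITY,The system time was changed.
1962,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:35 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
Reason: Unknown user name or bad password
User Name: Muaddib
Domain: ARRAKIS
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: ARRAKIS
1961,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:20 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
Reason: Unknown user name or bad password
User Name: Muaddib
Domain: ARRAKIS
Logon Type: 2
1960,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:02 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
Reason: Unknown user name or bad password
User Name: Muaddib
Domain: ARRAKIS
Logon Type: 2
1919,Security,Security,AUDIT FAILURE,ARRAKIS,Tue Jul 22 16:13:58 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
Reason: Unknown user name or bad password
User Name: stilgar
Domain: ARRAKIS
Logon Type: 3
Workstation Name: CALADAN
"""


def split_record(text):
    """Split one joined record into its nine fields. Only the first eight
    commas are separators, so commas inside the message are preserved."""
    parts = [p.strip() for p in text.split(",", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        raise ValueError("short record: %r" % text)
    rec = dict(zip(FIELDS, parts))
    rec["record"] = int(rec["record"])
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_psloglist_s(text):
    """Group each header line with its continuation lines; the banner and
    'Security log on ...' lines before the first record are ignored."""
    records, buf = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if buf:
                records.append(split_record(" ".join(buf)))
            buf = [line.strip()]
        elif buf and line.strip():
            buf.append(line.strip())
    if buf:
        records.append(split_record(" ".join(buf)))
    return records


def failed_logons(records):
    """Count event 529 in the Security log by the 'User Name:' in the message."""
    counts = Counter()
    for rec in records:
        if rec["log"] == "Security" and rec["event_id"] == 529:
            m = USER_RE.search(rec["message"])
            counts[m.group(1) if m else "<no user name>"] += 1
    return counts


def suspicious_users(records, threshold=3):
    """Accounts with at least `threshold` failed logons (threshold is an assumption)."""
    return sorted(u for u, n in failed_logons(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_psloglist_s(SAMPLE)
    print("%d records, failures per user: %s" % (len(recs), dict(failed_logons(recs))))
    print("over threshold:", suspicious_users(recs))
```

Run it over the concatenated output of psloglist -s security @hosts.txt and the per-user counts become the daily report the text describes; because the record number is kept, the same script can also confirm that nobody has quietly run -c against a host (record numbers that restart from 1 between two runs are the tell).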
PsExec ranks as the most useful of the PsTools suite. It executes commands on the remote system, even going as far as uploading a program if it does not exist on the target system. Unlike other remote tools such as the Windows clone of Unix's rexec command, with PsExec you do not need to install support DLLs or special server applications. However, you must have access to the ADMIN$ share and proper credentials for this tool to work.
PsExec assumes you want to execute the command on a remote server, so the ComputerName argument is mandatory (you can always specify the -u and -p options for the username and password):
C:\>psexec.exe \\192.168.0.43 cmd /c dir
Be sure to keep track of your command paths. By default, PsExec works from the %SYSTEMROOT%\System32 directory. Here are some other examples:
C:\>psexec.exe \\192.168.0.43 ipconfig /all
C:\>psexec.exe \\192.168.0.43 net use * \\10.2.13.61\backups Rch!ve /u:backup
C:\>psexec.exe \\192.168.0.43 c:\cygwin\usr\sbin\sshd
If the program name or path contains spaces, wrap it with double quotes.
If the program doesn't exist on the target system, use the -c option (or -f). This copies it from the system running PsExec to the \\ComputerName's \System32 directory. The -f option overwrites the file if it already exists. This example places fscan, a command-line port scanner, on the target, and then launches a port scan from that system against the class C network:
C:\>psexec.exe \\192.168.0.43 -c fscan.exe -q --bp1-10001 -o targets.txt 192.168.0.1-192.168.0.255
Conceivably, you could use -c to upload an entire tool kit to the target. If you suspect a file already exists and you want to overwrite it only with a
The final options control how the remote process runs. To detach the process and let it run in the background, use -d (think daemon mode in Unix). Use -s to have the command run in the System account. The -i option enables interactive access, such as FTP or other commands that prompt for a password.
You can also control how the remote application executes by setting its priority (-low, -belownormal, -abovenormal, -high, -realtime) and the processors on a multi-CPU machine with the -a option. Specify the processors by number after the -a option, such as -a 1,2 to run on processors 1 and 2 of a four-CPU system.
PsShutdown is the exception to the rule for PsTools expansion. It performs the same functions as the Resource Kit shutdown tool. Both work remotely. You can shut down a server or stop a pending shutdown. The PsShutdown usage is shown here and in the table that
C:\>psshutdown
PsShutdown v2.50 - Shutdown, logoff and power manage local and remote systems
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: psshutdown -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t [nn|h:m]] [-v nn] [-e [u|p]:xx:yy] [-m "message"] [-u Username [-p password]] [-n s] [\\computer[,computer[,...]|@file]
| PsShutdown Option | Description |
|---|---|
| -a | Aborts a shutdown (only possible while a countdown is in progress). |
| -c | Allows the shutdown to be aborted by the interactive user. |
| -d | Suspends the computer. |
| -e | Shutdown reason code (available on Windows XP and higher). Specify u for |
| -f | Forces running applications to close. |
| -h | Hibernates the computer. |
| -k | Powers off the computer (reboots if poweroff is not supported). |
| -l | Locks the computer. |
| -m | Displays a message to logged-on users. |
| -n | Specifies the timeout in seconds for connecting to remote computers. |
| -o | Logs off the console user. |
| -p | Specifies an optional password for the username. If you omit this, you will be prompted to enter a hidden password. |
| -r | Reboots after shutdown. |
| -s | Shuts down without poweroff. |
| -t | Specifies the countdown in seconds until shutdown (default is 20) or the time of shutdown (in 24- |
| -u | Specifies an optional username for login to the remote computer. |
| -v | Displays the message for the specified number of seconds before the shutdown. If you omit this parameter the shutdown notification dialog displays, and specifying a value of 0 omits the dialog. |
| \\computer | Shuts down the specified remote computer. |
| @file | Shuts down the computers listed in the specified file. |
There are no catches to using this tool. To shut down a system somewhat ungracefully, use the -f option; it works just like shutdown /c /y from the Resource Kit. Its benefit over the shutdown utility is that PsShutdown includes the -o option to log off the console user