Security Tools Digest
2000/08/21 to 2000/08/27

DRAFT 

By Seán Boran (sean at boran.com) for SecurityPortal

Here we present an overview of changes to free security tools over the past week. There is not enough time or resources to test all of these tools; those which earn the most confidence are listed in the "Favourite tools" section.


Favourite tools

OpenCA v0.6 pre-release available.

tocsin is a "featherweight" intrusion detection system. Development has been restarted to create Solaris packages, better documentation, new options and Solaris Intel support. This new tocsin will also be bundled with Yassp at a later stage. We'll keep you up to date.

Snort is a lightweight Network Intrusion Detection System.
Snort binaries in Solaris package format are now available.

The Coroner's Toolkit (TCT)
An Introduction to TCT is a brief document introducing TCT.

Yassp (the Solaris hardening tool): License approval issues are holding up the next beta. Despite this, the drafts of the post-install document and FAQ have been updated. Work on reviewing, improving and documenting "tocsin" for inclusion in Yassp has started.


Tools announced on SecurityFocus

RSE by Ralf Senderek, < http://senderek.de/RSE >
Platforms: Linux
RSE will provide a reliably secure working environment running entirely in the main memory of your local computer system. This environment comprises everything needed to use pgp-2.6.3i transparently integrated into mail software, so you can safely enter your passphrase without the risk of compromising it. RSE also provides some tools to back up and store your data locally, which make use of strong cryptography as well.

pflap (Packet Filter Logs Ain't Pretty) 0.001 by Bill Triplett, < http://www.ifelse.org/pflap-doc.html >
Platforms: FreeBSD, Linux, NetBSD and OpenBSD
pflap reads a logfile, selects the lines containing raw ipchains packet-log data, and formats the output according to an outputformat specification. If no logfile is given, pflap reads standard input. A new page header is generated whenever the page length reaches pagelength. pflap is particularly useful for extracting only the information you want from the packet log.
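What a tool like pflap does internally, as an added example that is not pflap's own code: pick the ipchains "Packet log:" lines out of a kernel log, split them into fields, render them with a caller-supplied format string (standing in for pflap's outputformat), emit a header every pagelength lines, and count what was denied per destination port. The sample log lines are constructed for this example in the Linux 2.2 ipchains log format and use documentation address ranges; the output format string is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the Linux 2.2 ipchains kernel-log format
# (not captured from a real host; addresses are documentation ranges).
SAMPLE_LOG = """\
Aug 25 12:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 198.51.100.5:23 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#3)
Aug 25 12:00:02 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:53 198.51.100.5:53 L=78 S=0x00 I=12346 F=0x0000 T=64 (#3)
Aug 25 12:00:03 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:51000 198.51.100.5:22 L=60 S=0x00 I=12347 F=0x4000 T=64 SYN (#1)
Aug 25 12:00:04 fw kernel: this line is not a packet-log entry and must be skipped
"""

# Fields that every ipchains "Packet log:" line carries, in order.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None for any other line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["syn"] = " SYN" in line  # ipchains appends SYN for TCP connection attempts
    return rec


def parse_log(text):
    """Parse a whole log, silently dropping lines that are not packet-log entries."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def format_records(records, fmt="{action:7}{proto_name:5}{src}:{sport} -> {dst}:{dport}"):
    """Render records with a caller-chosen format string (the role of pflap's outputformat)."""
    return [fmt.format(**r) for r in records]


def paginate(lines, pagelength, header="ACTION PROTO SOURCE -> DESTINATION"):
    """Emit a page header every pagelength lines, as pflap does when the page length is reached."""
    out = []
    for i, line in enumerate(lines):
        if i % pagelength == 0:
            out.append(header)
        out.append(line)
    return out


def denied_ports(records):
    """Count DENY entries per (protocol, destination port): the quickest view of what is being probed."""
    return Counter((r["proto_name"], r["dport"]) for r in records if r["action"] == "DENY")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("\n".join(paginate(format_records(recs), pagelength=2)))
    print(denied_ports(recs))
```

Non-matching lines are dropped rather than reported, which is the right default for a formatter fed from a shared kernel log; the regex anchors on the literal "Packet log:" prefix so unrelated kernel messages cannot be misread as packets.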

Windump 2.03 by NT Objectives Inc < http://www.ntobjectives.com/   >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Windump 2.03 is a dynamically loadable version of the excellent Windump 2.02 port. This modified application consists of only two parts, the .exe and the .sys.

Scan4Virus 0.92 by Jason Haar, < http://www.geocities.com/jhaar/scan4virus/ >
Platforms: UNIX
Qmail-Scanner (also known as Scan4Virus) is an add-on that enables a Qmail e-mail server to scan all gatewayed e-mail for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial virus scanners. It also enables a site to react to e-mail that contains specific strings in particular headers, or particular attachment filenames or types. Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance. It is capable of scanning not only locally sent/received e-mail, but also e-mail that crosses the server in a relay capacity.

OpenCA-SV 0.6.81 by The OpenCA Project, < http://www.openca.org/ >
Platforms: FreeBSD, Linux, NetBSD, OpenBSD and Solaris

The OpenCA Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority that implements the most widely used protocols, with full-strength cryptography world-wide. OpenCA is based on many Open Source projects; among the supported software are OpenLDAP, OpenSSL, the Apache Project and Apache mod_ssl. This release contains a memory allocation bugfix.

Knetfilter 1.1.2, < http://expansa.sns.it/knetfilter >
Knetfilter is a KDE frontend to iptables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program. Knetfilter fully saves your firewall work: iptables rules, NAT rules and chain default policies (but not masquerading, which should be enabled by the sysadmin rather than automatically). A rule can be inserted at a given position, or removed, simply by giving its position number.

eXpert-BSM by SRI's EMERALD team < http://www.sdl.sri.com/emerald/releases/eXpert-BSM >
Platforms: Solaris
EMERALD's eXpert-BSM Monitor is a host-based intrusion detection system that provides an unprecedented degree of realtime security monitoring for critical application servers and workstations. eXpert-BSM provides the most comprehensive knowledge-base for detecting insider misuse, policy violations, privilege misuse or subversion, illegal resource manipulation, and other site policy violations for Sun Solaris operating systems. This component is packaged and distributed as a full intrusion detection solution, providing data collection, intrusion detection analysis, an alert management interface, and detailed response directives.

tini by Arne Vidstrom < http://ntsecurity.nu/toolbox/tini/ >
Platforms: Windows 2000, Windows 95/98 and Windows NT

"tini" is a simple and very small (only 3kb) backdoor for Windows, coded in assembler. It listens at TCP port 7777 and gives anybody who connects a remote Command Prompt.

THC-Parasite 0.5 by van Hauser, < http://www.infowar.co.uk >
Platforms: Linux

THC-Parasite allows you to sniff traffic on a switched network by using either ARP Spoofing or MAC Flooding. THC-Parasite's algorithms are designed to bypass basic switch security.

dupl.pl 0.45 by zas, < http://www.norz.org/software/dupl.html >
Platforms: Linux and Perl (any system supporting perl)

dupl.pl is a snort rules beautifier. It aims to remove duplicate rules from *-lib, vision.conf and xxxx-rules files. It ignores non-determining elements such as msg, and makes some choices about msg fields, such as preferring the msg that carries an IDS number, or the one with the longer text. Source and destination net variables (like $EXTERNAL from vision.conf) are changed to $HOME_NET when necessary.
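The duplicate-removal logic described above, as an added example that is not dupl.pl's own code: parse each rule into its header and options, build a key that ignores msg and option order, merge rules with equal keys, and keep the msg that carries an IDS number, or else the longer one. The sample rules are constructed for this example; the NET_VARS alias table is an assumption standing in for dupl.pl's actual variable rewriting.

```python
import re

# Constructed sample rule set (not from any real rules file): the first two rules are
# the same signature under different msg texts, the third is distinct.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI test-cgi access"; flags:A+; content:"/test-cgi"; nocase; sid:1001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS218 - WEB-CGI test-cgi"; content:"/test-cgi"; nocase; flags:A+; sid:1001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login"; content:"USER anonymous"; nocase; sid:1002;)',
    '# comments and blank lines are passed over',
]

# Assumed alias table: older rule files use names like $EXTERNAL/$INTERNAL for the
# snort.conf EXTERNAL_NET/HOME_NET pair. This mapping is an assumption for the example.
NET_VARS = {"$INTERNAL": "$HOME_NET", "$EXTERNAL": "$EXTERNAL_NET"}

RULE_RE = re.compile(r"^(?P<header>[^(#]+?)\s*\((?P<opts>.*)\)\s*$")
IDS_RE = re.compile(r"\bIDS\d+")


def split_options(opts):
    """Split the option body on ';' while respecting quoted strings (content may contain ';')."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"' and not (cur and cur[-1] == "\\"):
            quoted = not quoted
        if ch == ";" and not quoted:
            if "".join(cur).strip():
                out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def parse_rule(line):
    """Return the rule header, its msg and its other options, or None for comments and blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    header = tuple(NET_VARS.get(tok, tok) for tok in m.group("header").split())
    opts = split_options(m.group("opts"))
    msg = next((o[4:].strip().strip('"') for o in opts if o.startswith("msg:")), "")
    others = [o for o in opts if not o.startswith("msg:")]
    # The dedup key ignores msg and option order: two rules that match the same packets are one rule.
    return {"header": header, "msg": msg, "opts": others, "key": (header, tuple(sorted(others)))}


def better_msg(a, b):
    """dupl.pl's choice: prefer a msg that carries an IDS number, otherwise the longer text."""
    a_ids, b_ids = bool(IDS_RE.search(a)), bool(IDS_RE.search(b))
    if a_ids != b_ids:
        return a if a_ids else b
    return a if len(a) >= len(b) else b


def render(rule):
    """Write the rule back out with msg first, then the remaining options in first-seen order."""
    return " ".join(rule["header"]) + ' (msg:"' + rule["msg"] + '"; ' + "; ".join(rule["opts"]) + ";)"


def dedupe(lines):
    """Collapse duplicate rules, keeping first-seen order and the best msg of each duplicate group."""
    kept, order = {}, []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["key"] in kept:
            kept[rule["key"]]["msg"] = better_msg(kept[rule["key"]]["msg"], rule["msg"])
        else:
            kept[rule["key"]] = rule
            order.append(rule["key"])
    return [render(kept[k]) for k in order]


if __name__ == "__main__":
    for r in dedupe(SAMPLE_RULES):
        print(r)
```

Keying on the sorted option list rather than the raw text is what makes the two test-cgi rules collapse despite their different option order; sid is left in the key on purpose, so two rules that differ only by sid are still treated as distinct and flagged for a human rather than silently merged.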

Fwipe 0.10 by Len Budney, < http://www.pobox.com/~lbudney/linux/software/fwipe.html >
Platforms: Linux

fwipe overwrites your file a specified number of times (default: 5) and then deletes it. It is extremely secure: it will not be confused by filenames containing special characters, and it is suitable for use in cleanup scripts by system administrators.

Winfingerprint 2.2.7 by Kirby Kuehl, < http://www.technotronic.com/winfingerprint/ >
Platforms: Netware, Windows 95/98 and Windows NT
Advanced remote Windows OS detection. Current features: determines the OS using SMB queries (PDC (Primary Domain Controller), BDC (Backup Domain Controller), NT member server, NT workstation, SQL Server, Novell NetWare server, Windows for Workgroups, Windows 9x); enumerates servers, shares (including administrative $ shares), global groups and users; displays active services; can scan the Network Neighborhood; can establish a NULL IPC$ session with a host; can query the registry (currently determines the Service Pack level and applied hotfixes). Changes: enumerates transports, retrieves date and time.

Remote Nmap 0.2 by Tuomo Makinen, < http://sourceforge.net/projects/rnmap/ >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Remote Nmap is a Python client/server package which allows many clients to connect to a centralized nmap server to do their port scanning. This could be useful for security companies who want to have all their scans come from a dedicated machine.

FPIPE 2.01, by Foundstone, Inc., < http://www.foundstone.com/ >
Platforms: Windows 2000 and Windows NT

FPipe is a TCP source port forwarder/redirector. It can create a TCP stream with a source port of your choice. This is useful for getting past firewalls that allow traffic with source ports of say 23, to connect with internal servers.

XploiterStat Pro 2.6.1.63, by Simon Steed, < http://www.xploiter.com/xploiterstat/ >
Platforms: Windows 2000, Windows 95/98 and Windows NT

XploiterStat Pro is a shareware network management tool in a similar vein to the DOS program 'Netstat.exe', i.e. it shows all the connections to your machine, listening ports (identifying trojans) etc., letting you see which TCP/UDP and ICMP connections are present on your machine. This is the latest release of the program formerly known as Totostat Enhanced.
It can be used by networking professionals to determine what connections are on the machine at any time, along with all the ports that may be listening (i.e. services, trojan horses etc.).

Passwords by Mask 1.3 by Segobit, < http://segobit.virtualave.net >
Platforms: Windows 95/98 and Windows NT

Passwords by Mask is an application designed to generate passwords of any character content. It allows users to choose the type of each password symbol: you can fix random or specified alphabetic, numeric, alphanumeric, special, or all-keyboard characters for every position in the password. This feature allows users to generate a User ID and Password at random at the same time. Passwords by Mask uses the Windows clipboard for transferring passwords between the program and other applications.

anomy sanitizer 1.25, by Bjarni R. Einarsson, < http://mailtools.anomy.net/ >
Platforms: Linux and Solaris

The Anomy mail sanitizer is a filter designed to block email-based attacks such as trojans and viruses. It reads an RFC822 or MIME message and removes or renames attachments, truncates unusually long MIME header fields, and sanitizes HTML by disabling JavaScript and Java. It uses a single-pass pure Perl MIME parser, which can make it both more efficient and more precise than other similar programs, and has built-in support for third-party virus scanners. This release fixes bugs, adds more informative exit codes, and adds experimental support for scanning forwarded messages as if they were proper message/rfc822 parts.

SL4NT, by Franz Krainer, < http://www.netal.com/sl4nt.htm >
Platforms: Windows 2000 and Windows NT

SL4NT is an application which implements a syslog daemon. The purpose of a syslog daemon is to listen for incoming syslog messages on UDP port 514 and then decode and process the messages for logging and notification purposes.
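The decode step of a syslog daemon, as an added example that is not SL4NT's code: a BSD-style datagram is `<PRI>TIMESTAMP HOST MESSAGE`, where facility is PRI >> 3 and severity is PRI & 7; a message with no valid PRI is treated as user.notice (PRI 13) by convention. The example also shows the receive loop on a UDP socket and a simple notification threshold. The datagram is constructed for this example; the notify_at threshold and the loopback demo port are assumptions (a real daemon binds UDP 514, which needs root on Unix).

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagram in BSD syslog form (not from a real host): <34> is auth.crit.
SAMPLE_DATAGRAM = b"<34>Aug 25 14:02:12 fw01 su[901]: FAILED SU (to root) alice on /dev/pts/2"

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
STAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def decode_datagram(data, notify_at="err"):
    """Decode one syslog datagram into facility, severity, timestamp, host and message.

    Datagrams without a valid <PRI> (0..191) are treated as user.notice, the BSD syslog
    convention. notify_at is the least severe level that should raise a notification.
    """
    text = data.decode("ascii", errors="replace").rstrip("\r\n\x00")
    m = HEADER_RE.match(text)
    if m and int(m.group("pri")) <= 191:
        pri, rest = int(m.group("pri")), m.group("rest")
    else:
        pri, rest = 13, text
    facility, severity = pri >> 3, pri & 7
    s = STAMP_RE.match(rest)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": s.group("ts") if s else None,
        "host": s.group("host") if s else None,
        "message": s.group("msg") if s else rest,
        "notify": severity <= SEVERITIES.index(notify_at),
    }


def serve(sock, max_messages=None):
    """Receive datagrams on an already-bound UDP socket and yield decoded records with the sender."""
    count = 0
    while max_messages is None or count < max_messages:
        data, (peer, _port) = sock.recvfrom(8192)
        rec = decode_datagram(data)
        rec["peer"] = peer  # the UDP source address is the only sender evidence syslog gives you
        yield rec
        count += 1


if __name__ == "__main__":
    # A real daemon binds ("0.0.0.0", 514); the demo uses an ephemeral loopback port
    # and sends itself the sample datagram so it runs without privileges.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(SAMPLE_DATAGRAM, listener.getsockname())
    for rec in serve(listener, max_messages=1):
        print(rec)
    listener.close()
    sender.close()
```

The decoder never trusts the HOST field for anything security-relevant; it is client-supplied text, so the record also carries the UDP peer address, and a daemon that alerts on messages should key its rules on that rather than on the hostname in the payload.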

Medusa DS9 Security System 0.7.12, by Marek Zelem, < http://medusa.fornax.sk >
Platforms: Linux

(Update) Medusa is a package which improves the overall security of Linux by extending the standard Linux (Unix) security architecture while preserving backward compatibility. Briefly, it consists of kernel-level support for a user-space authorization server, fully transparent to user-space applications, plus the authorization server itself. Before executing certain operations the kernel asks the authorization server for confirmation; the server then permits, forbids or changes the operation. This method allows almost any security architecture to be implemented. When the authorization server is properly configured it can determine access rights within the system at a very fine granularity (which also solves the old problem of uid 0 having unlimited privileges), and it can also do very good auditing.


ShadowSecurityScanner 1.00.019, by RedShadow, < http://www.rsh.kiev.ua >
Platforms: Windows 2000, Windows 95/98 and Windows NT

New version of ShadowSecurityScanner; changes:
1. The scanner core was completely rewritten
2. The format of the databases was changed
3. Support for adding new databases has been improved
4. The interface has changed
5. The options have been considerably extended
6. The NetBIOS check now works even under Win9x
7. It is now possible to check a list of hosts
8. All defects in previous versions were fixed

Pdump 0.778. by Samy Kamkar, < http://pdump.lucidx.com/ >
Platforms: Linux and SunOS

pdump is a highly configurable packet sniffer written in Perl that dumps, greps, monitors, creates and modifies traffic on a network. It combines many of the features found in tcpdump, ngrep, tcptrace, dsniff (and its webspy and urlsnarf), pfilt, macof and xpy. It also lets users add their own modifications via a plug-in system.


References and Resources

Hardening:
Solaris Hardening: Yassp, titan
Linux Hardening: Bastille

Auditing:
Network Scanners:  Nmap, Nessus, saint, sara.

Intrusion Detection:
Network IDS: snort, tcpdump, tocsin.
Host based IDS: tripwire, Aide, tcpd, rdist, tara (i.e. tiger), lsof
Log Analysis: Logcheck (see also Sean's improved logcheck.sh)
Forensics: TCT

General:
UNIX login and simple VPNs: SSH1 and OpenSSH
Crypto library: OpenSSL
Firewall proxies:  fwtk/smap, squid
Firewall packet filter engines: IP Filter
PKI & Directories: OpenLDAP, OpenCA
SSL/TLS for Apache: Mod_ssl


© Copyright 2000, Seán Boran, All Rights Reserved, Last update: 07 March 2003