Security Tools Digest
2000/08/27 to 2000/09/04

DRAFT

Security Tools Digest Archive
http://www.securityportal.com/research/XXXXXXXXXXXXXX

By Seán Boran (sean at boran.com) for SecurityPortal

Here, we present an overview of changes to free security tools over the past week. Only Linux/Unix tools are presented this week.
CONCLUSIONS: we can easily make an interesting list; the only question is how to organise it.


Tools for Windows

mersypop3.zip 29662 Aug 30 17:29:09 2000
MersyPop3.exe is a tool that can be used by network administrators to test the strength of pop3 passwords. A "Guessing" utility. By snake and rootshell

Tools for UNIX/Linux/BSD & Cross platform

Well known tools (directly from the tool's sites)

Snort
08292k.rules released. This file has been broken out into sections for each rule type, rather than the way it used to ship.
Snort Survey Database Online. If you use snort, take a moment to fill this out.
snortrpt.pl generates an IDS report for those using the Win32 port of snort. It extracts alerts from the EventLog, and then performs a quick stealth scan and OS ID scan of the 'offending' IP addresses, using eEye Security's nmapNT.

Nmap
Intrusion Detection Level Analysis of Nmap and Queso, by Toby Miller

SSH
Secure FTP 0.9.6 by Brian Wellington, implements a file transfer protocol using ssh/rsh as the transport mechanism.
Commercial SSH2 has been upgraded to 2.30

Talisker's Intrusion Detection Systems is an interesting site with a well laid out list of IDS tools and links to reviews, coupled with advice and amusing cartoons.

Packet storm

saint-2.2.beta1p1.tar.gz 698428 Aug 31 18:44:08 2000
SAINT (Security Administrator's Integrated Network Tool) is a security assessment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT & CIAC bulletins, 4 levels of severity (red, yellow, brown, & green) and a feature rich HTML interface. Changes: This version features a new check for smurf and fraggle amplifiers based on NMAP, a check for the Specialized Header (Translate: f) vulnerability in Microsoft web servers, a check for vulnerable ntop daemons, and a fix for the compilation problem in Red Hat 6.2 (thanks to Allan Clark). Developed by WWDSI

sscan2k-pre5.HWA.tar.gz 346207 Aug 30 17:57:48 2000
sscan2k-pre5 is a remote auditing tool that scans for more than 200 known vulnerabilities that can be found remotely. It uses the operating system that the target host is running to decide which vulnerabilities to check for, so that unnecessary bandwidth is not used. It now comes with an easy-to-use configuration program, much like xf86config, and offers the option to use NMAP to guess the operating system or to use sscan2k's scripted modules, which are easily updated by the user. Multiple-host scanning was improved. Homepage: http://www.hwa-security.net. By eth0

npulse-0.2.tar.gz 90205 Aug 30 17:32:11 2000
nPULSE is a web-based network monitoring package for Unix-like operating systems. It can quickly monitor tens, hundreds, even thousands of sites/devices at a time on multiple ports. nPULSE is written in Perl and comes with its own mini web server for extra security. Homepage: http://www.horsburgh.com/h_npulse.html. By Dr. Steven Horsburgh

sscan2k-pre4.HWA.tar.gz 336183 Aug 30 17:01:45 2000
sscan was given to buffer0verfl0w security by jsbach for the project to be continued for jsbach. From now on sscan will go as sscan2k. sscan2k now has updated vulnerability checks and the code has also been cleaned up. This scanner is now a release of HWA. Homepage: http://hwa-security.net. By eth0

Advanced Socket Bouncer (ASB) is another kind of network tool. It supports IPv6 (detects automatically IPv6 hostnames/addresses), SQUID (connect method and SQUID with SSL support but no SSL proxy), SOCKS4, SOCKS5, and WINGATE. Homepage: http://wildandi.void.at. By wild andi

malice4.pl 18063 Aug 30 00:41:00 2000
Malice v2 scans for over 150 cgi vulnerabilities and uses anti-IDS tactics as discussed in RFP's famous whitepaper. Written in perl. Changes: Lots and lots of new cgi to scan for, directory scanning thanks to Toby Deshane, fixed apache bug, fixed logging feature. Homepage: http://kickme.to/security666. By Natas

sf-0.1b.tgz 3645 Aug 28 19:19:23 2000
Secure Files 0.1b is a security tool that checks system integrity by comparing the MD5 checksums of flagged files against their earlier recorded checksums. Homepage: http://www.rdcrew.com.ar. By vENOMOUS

floppyfw-1.1.1.img 1474560 Aug 28 14:39:50 2000
floppyfw is a router and simple firewall on one single floppy. It uses Linux's basic firewall capabilities and has a very simple packaging system. It is perfect for masquerading and securing networks on ADSL and cable lines using both static IP and DHCP. Installation is simple: mostly you only need to edit one file on the floppy. Changes: Optimized libraries, LRP replaced with busybox, glibc 2.0.7 has been replaced with 2.1.3, All binaries updated to glibc 2.1.3 compiled versions. Homepage here. By Thomas Lundquist

rnmap_0.3-beta.tar.gz 14723 Aug 28 13:53:32 2000
Remote Nmap is a python client/server package which allows many clients to connect to a centralized nmap server to do their port scanning. This could be useful for security companies who want to have all their scans come from a dedicated machine. Changes: rnmap_server.py: Added signal handling; when the server catches SIGHUP it reloads its configuration files. Other minor optimizations. Homepage: http://sourceforge.net/projects/rnmap/. By Tuomo Makinen

FreeVeracity is a general-purpose data integrity tool that uses cryptographic hashes to detect changes in files. This is the GNU/linux version, FreeBSD, NetBSD, and OpenBSD versions available here. Homepage: http://www.freeveracity.org.

VIGILANTE-2000007 1871 Aug 28 02:16:01 2000

bubonic.c 6625 Aug 28 02:06:39 2000
Bubonic.c is a denial of service tool that sends random TCP packets with random settings. Tested against Windows 2000 and RedHat Zoot. Homepage: http://www.antioffline.com. By Sil

daemonic.c 8144 Aug 28 01:55:49 2000
Daemonic.c is a theoretical router-based denial of service attack that exploits a weakness within the Border Gateway Protocol (BGP). If a malicious user sends spoofed malformed packets to a neighboring router, the peer will ignore it and possibly kill the session entirely. Written on an Ultra 5 running Linux Zoot, this has been compiled on Linux, OpenBSD and Solaris without problems. Homepage: http://www.antioffline.com. By Sil

Freshmeat

nothing


Tools announced on SecurityFocus (this example is for Sun/UNIX related stuff)

FreeVeracity: New Free Intrusion Detection Tool for Free Platforms - FreeVeracity is a general-purpose data integrity tool for free platforms (e.g. GNU/Linux, FreeBSD, NetBSD, OpenBSD) that uses cryptographic hashes to detect changes in files. FreeVeracity can be deployed in a wide variety of applications including network intrusion detection and firewall monitoring. By installing FreeVeracity integrity servers on your computers, you can actively monitor the integrity of your entire network.
The bad news is, it's not free for Solaris. It was not clear how much it costs for Solaris either.

nPULSE 0.2 by Dr. Steven Horsburgh
nPULSE is a web-based network monitoring package for Unix-like operating systems. It can quickly monitor tens, hundreds, even thousands of sites/devices at a time on multiple ports. nPULSE is written in Perl and comes with its own mini web server for extra security.

Automated Password Generator (APG) 1.0.4 by Adel I. Mirzazhanov
APG (Automated Password Generator) is a tool set for random password generation.

Samhain 0.9.2, by Rainer Wichmann
Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, Unixware 7.1.0, and Solaris 2.6.

XOR Cipher Analyzer 0.2 by Marvin
XOR-analyze is a program for cryptanalyzing (breaking) one of the most easily broken ciphers. It works with variable key lengths and includes an encryption/decryption program.

MIME Defanger 0.4 by David F. Skoll
MIME Defanger is an e-mail filter program which works with Sendmail 8.10. MIME Defanger filters all e-mail messages sent via SMTP. MIME Defanger splits multi-part MIME messages into their components and potentially deletes or modifies the various parts. It then reassembles the parts back into an e-mail message and sends it on its way. Changes: the mail filter can more reliably determine attachment names, and there is extra logging via syslog.

NetSaint 0.0.6b5 beta by Ethan Galstad
NetSaint is a program that will monitor hosts and services on your network. It has the ability to email or page you when a problem arises and when a problem is resolved. Several CGI programs are included in order to allow you to view the current service status, problem history, notification history, and log file via the web.

Cryptix 3 is a cleanroom implementation of Sun's Java Cryptography Extensions (JCE) version 1.1. In addition to that it contains the Cryptix Provider which delivers a wide range of algorithms and support for PGP 2.x. Cryptix 3 runs on both JDK 1.1 and JDK 1.2 (Java 2).
This really is a useful toolkit; I've used it and can recommend it.


References and Resources

Hardening:
Solaris Hardening: Yassp, titan
Linux Hardening: Bastille

Auditing:
Network Scanners: Nmap, Nessus, saint, sara.

Intrusion Detection:
Network IDS: snort, tcpdump, tocsin.
Host based IDS: tripwire, Aide, tcpd, rdist, tara (i.e. tiger), lsof
Log Analysis: Logcheck (see also Sean's improved logcheck.sh)
Forensics: TCT

General:
UNIX login and simple VPNs: SSH1 and OpenSSH
Crypto library: OpenSSL
Firewall proxies: fwtk/smap, squid
Firewall packet filter engines: IP Filter
PKI & Directories: OpenLDAP, OpenCA
SSL/TLS for Apache: Mod_ssl


© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 01 September, 2000