Weekly Security Tools Digest
2000/09/08 to 2000/09/14

By Seán Boran (sean at boran.com) for SecurityPortal


The Rundown

Updates to favourite free tools this week include snort, lsof, logcheck, OpenSSL, Mindterm SSH, smoothwall, beecrypt.

Tools for Windows include crucialADS.

Linux/Unix/Cross Platform tools include pdump, several Linux kernel modules, capsel, banner, nabou, aph, lids, guardog.


Favourite Tools

Snort

Spade is a Snort preprocessor plugin that looks at TCP SYN packets to specified networks, and sends alerts about those that are unusual (e.g., they have a destination port/host combination rarely seen on your network). This might indicate some probing or scanning that is occurring (or it might be something benign that just seems unusual). You can find out more information and download a copy from: www.silicondefense.com/spice
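To make the idea behind Spade concrete, the following is an added example (not Spade's own code and not part of the original digest): it scores inbound SYNs by how rarely their destination host/port pair has been seen on the monitored network, and alerts on the rare ones. The sample SYN records, the home network 10.0.0.0/24 and the alert threshold are constructed for the example; unlike Spade, which learns online, this version trains on the whole sample and then scores it.

```python
"""Spade-style anomaly scoring of TCP SYN packets (added example, not Spade's code)."""
import ipaddress
import math
from collections import Counter

# Constructed sample of observed SYN packets as (src_ip, dst_ip, dst_port).
SAMPLE_SYNS = (
    [("198.51.100.7", "10.0.0.5", 80)] * 20      # normal web traffic
    + [("198.51.100.8", "10.0.0.5", 443)] * 10   # normal HTTPS traffic
    + [("203.0.113.4", "10.0.0.6", 22)] * 5      # normal SSH traffic
    + [("203.0.113.9", "10.0.0.9", 31337)]       # port/host pair never seen before
    + [("203.0.113.9", "192.168.1.1", 80)]       # outside the monitored network, ignored
)

# Assumed monitored network (Spade's -homenet equivalent in this example).
HOME_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def in_home_net(ip, nets=HOME_NETS):
    """True if ip falls inside one of the monitored networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


class SpadeModel:
    """Frequency table of (dst_ip, dst_port) pairs seen in SYN packets."""

    def __init__(self):
        self.pair_counts = Counter()
        self.total = 0

    def observe(self, dst_ip, dst_port):
        self.pair_counts[(dst_ip, dst_port)] += 1
        self.total += 1

    def score(self, dst_ip, dst_port):
        """Anomaly score = -log2(P(dst_ip, dst_port)); higher means rarer.
        A pair never seen before is given the smallest nonzero probability."""
        count = self.pair_counts[(dst_ip, dst_port)]
        if count:
            prob = count / self.total
        else:
            prob = 1 / (self.total + 1)
        return -math.log2(prob)


def train(records, home_nets=HOME_NETS):
    """Build the frequency table from SYNs destined to the monitored networks."""
    model = SpadeModel()
    for _, dst_ip, dst_port in records:
        if in_home_net(dst_ip, home_nets):
            model.observe(dst_ip, dst_port)
    return model


def find_anomalies(records, threshold, home_nets=HOME_NETS):
    """Return alert dicts for SYNs whose anomaly score reaches the threshold."""
    model = train(records, home_nets)
    alerts = []
    for src_ip, dst_ip, dst_port in records:
        if not in_home_net(dst_ip, home_nets):
            continue
        score = model.score(dst_ip, dst_port)
        if score >= threshold:
            alerts.append({"src": src_ip, "dst": dst_ip, "port": dst_port,
                           "score": round(score, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_SYNS, threshold=4.0):
        print(f"ALERT: SYN {alert['src']} -> {alert['dst']}:{alert['port']} "
              f"score={alert['score']}")
```

With the sample above only the SYN to 10.0.0.9:31337 scores above 4.0 (about 5.17 bits), while the routine web and SSH connections score below 1 bit. The threshold is the tuning knob: set it too low and every new but legitimate service triggers alerts, which is exactly the "benign but unusual" case the text warns about.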

ACID, Analysis Console for Incident Databases, is a PHP analysis engine to search and process a database of alerts generated by IDSes, among them Snort (and the database plug-in). This application was developed at the CERT Coordination Center as a part of the AIRCERT project. See www.cert.org/kb/acid for the most up to date information and documentation about this application.

Updated the Snort Database Search pages: The output page is now completely stand alone, to get rid of all the HTML info it was passing before. To hit it directly, the string to send is

http://www.snort.org/Database/rules_results.asp?type=ruletype&type=ruletype&port=&keyword=&thedate=

Keywords that can be passed as 'ruletype' are: BACKDOOR-ACTIVITY, BACKDOOR-ATTEMPT, BACKDOOR-SIG, DDOS, FINGER, FTP, MISC, NETBIOS, OVERFLOW, PING, RPC, RSERVICE, SCAN, SMTP, SYSADMIN, TELNET, MAILVIRUS, WEB-CGI, WEB-COLDFUSION, WEB-FRONTPAGE, WEB-IIS, WEB-MISC, FALSES, or BETA.

New snortsnarf released, changes:
+ added special handling of alerts from the Spade anomalous event sensor including a special section of the pages
+ CIDR specification of networks now supported for -homenet
+ for pages listing alerts, a summary of the alert types is now presented at top of page
+ Geektools now added as an IP lookup option (contrib. by Dr. Paul Mitchell)
+ arachNIDS links are now generated even if IDS### is not at the start of the alert message
+ added new SISR module set_flags.pl to summarize protocol flags and added corresponding details to the example config file

Logcheck

Logcheck 1.1.1 has been released. The only change is that the entire package is now covered by the GNU license. http://www.psionic.com/abacus/logcheck/

OpenSSL

Beta 1 of OpenSSL 0.9.6 is now available, as is a release plan for OpenSSL 0.9.6. See http://www.openssl.org

Lsof (list open files)

Lsof has been upgraded to v4.51. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
Changes: adds support for Solaris 9 (SunOS 5.9); changes scripts/ to make Perl 5 the standard; recognizes FreeBSD 4.1; has been tested on OpenServer 5.0.6; recognizes AIX C compiler version 5; adds support for Tru64 UNIX 5.1; adds Tru64 UNIX 5.[01] support for library files on AdvFS; adds AIX 4.3.3 ability to select the proper rnode and user structures; corrects a bug in the reporting of a PTX fattach()'d target address; encourages NetBSD and OpenBSD lsof to use /usr/include/uvm when it's available; adds snprintf() support, including a private version for dialects without one; fixes a BSDI, DEC/OSF1, Digital UNIX, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX repeat-mode memory leak; works on Linux 2.4; modifies the Pyramid MkKernOpts script.

An experimental release lsof_4.52D.uw.tar.gz is also available. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/NEW/

Mindterm SSH

We have now opened two mailing lists which you can join. One for announcements only and one for user discussion and feedback. Note that the most recent release is v1.2.1 - Aug 1, 2000. www.mindbright.se/mindterm/

Smoothwall

v0.9.2 is a GPL distribution of Linux based around VA Linux 6.2.1 that we have customised and cut down to a minimal but secure specification. SmoothWall turns a redundant 486/P100 upwards PC unit into a fully fledged dial up router and firewall for your SoHO/Home/Teleworkers network. www.smoothwall.org and sourceforge.net/projects/smoothwall

beecrypt 1.1.0 

Along with other changes, this new version includes code for interfacing with BeeCrypt for Java, an alternative entropy provider for Windows users (see below), and initial FreeBSD support. BeeCrypt for Java is a pure Java implementation of the BeeCrypt cryptography library. It is a JCE 1.2 compatible cryptographic service provider and can be used with BeeJCE, our version of Sun's Java Cryptography Extensions. Because VU is a Dutch company, you can use BeeCrypt for Java and BeeJCE to build Java products that are freely exportable worldwide. By Virtual Unlimited BV. beecrypt.virtualunlimited.com


Tools for Windows


Packet Storm

auto.txt

Sep 12 14:27:29 2000 www.tlsecurity.net
Auto.txt lists nine known and unknown methods of starting programs upon bootup in Windows. Trojans, backdoors, and keyloggers often use these to restart themselves.

winfingerprint-228.zip

Sep 12 14:07:11 2000 www.technotronic.com/winfingerprint
Winfingerprint 228: Advanced remote Windows OS detection. Current features: determine OS using SMB queries, PDC (Primary Domain Controller), BDC (Backup Domain Controller), NT member server, NT Workstation, SQLServer, Novell NetWare Server, Windows for Workgroups, Windows 9X; enumerate servers; enumerate shares including administrative ($) shares; enumerate global groups; enumerate users; display active services; scan Network Neighborhood; establish a NULL IPC$ session with a host; query the registry (currently determines Service Pack level and applied hotfixes). Changes: Added basic Event Log support, changed usage, code cleanups, bug fixes. By Vacuum

crucialADS.zip
Sep 8 09:16:53 2000 www.crucialsecurity.com/crucial_downloads.htm
CrucialADS v1.0 is a GUI-based Alternate Data Stream scanning tool. CrucialADS is designed to quickly and easily detect the presence of Alternate Data Streams in NTFS files and directories. NTFS files contain one primary stream and, optionally, one or more alternate data streams. The problem is that NT comes with no utilities that list any stream other than the primary stream in a file. When viewing a directory with Explorer, or using the dir command in cmd.exe, the information reported pertains to the primary stream only. By Crucial Security, Inc.

SecurityFocus

Scrcrack 1.0 www.geocities.com/scrcrack
Scrcrack is a fast tool to reveal the Windows 95/98 Screensaver-password. by Spider


Tools for UNIX/Linux/BSD & Cross-platform


Packet Storm

pdump-0.780.tar.gz
Sep 13 16:01:05 2000 pdump.lucidx.com
Pdump is a sniffer written in perl which dumps, greps, monitors, creates, and modifies traffic on a network. It combines features from tcpdump, ngrep, tcptrace, dsniff (and its webspy and urlsnarf), pfilt, macof, and xpy. It understands tcpdump-like syntax and allows easy modifications via a plug-in system.
Changes: New features added include displaying TCP sequence numbers and configurable packet display to match specific packets with Perl regular expressions. Many bugs have been fixed. By Sam Kamkar

envcheck.tgz
Sep 13 13:40:21 2000 c.home.cern.ch/c/cons/www/security/
Envcheck is a Linux kernel module which detects and prevents exploitation of the recent glibc vulnerabilities by intercepting the execve system call and sanitising the environment passed. At the cost of a very small performance penalty, it has advantages over a glibc upgrade, including logging of exploit attempts, it works with statically linked binaries, it is transparent to applications that may be sensitive to a change of glibc, and it partially protects libc5. By Lionel Cons

guarddog-0.9.2.tar.gz
Sep 12 22:01:40 2000 www.simonzone.com/software/guarddog
GuardDog is a firewall configuration utility for KDE on Linux. GuardDog is aimed at two groups of users: novice to intermediate users who are not experts in TCP/IP networking and security, and those users who don't want the hassle of dealing with cryptic shell scripts and ipchains parameters. Features an easy-to-use, goal-oriented GUI and the ability to generate ipchains scripts as output. Changes: RealPlayer support was added. Small changes were made to the GUI to fix a few layout problems. The manual is much more complete, and it now includes a tutorial and FAQ section. By Simon Edwards

lids-0.9.8-2.2.17.tar.gz
Sep 12 21:48:00 2000 www.lids.org
The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off online and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection. Changes: LIDS is now based on Linux kernel version 2.2.17. By Xie Hua Gang

sendip-1.0.tar.gz
Sep 12 17:13:48 2000 www.earth.li/projectpurple/progs/sendip.html
SendIP is a commandline tool to send arbitrary IP packets. It has a large number of command line options to specify the content of every header of a TCP, UDP, ICMP, or raw IP packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too. Changes: This release compiles under *BSD as well as Linux, doesn't need GNU make, and includes RPMs and random header field generation. By Mike Ricketts

rc.firewall
Sep 12 17:39:05 2000
rc.firewall v4.1 is an ipchains-based firewall script with extensive support for network services (including NFS, IPsec VPNs, Proxies, etc.), masquerading, port forwarding, and IP accounting. Protections include spoofing, stuffed routing/masquerading, DoS, smurf attacks, outgoing port scans, and much more. Multiple private and public interfaces are also supported.
Changes: New rules to block the Trinity v3 DoS tool, support for CVS pserver port, command line interface definitions, and an external script for custom changes. By Jean-Sebastien Morisset

ipchains-firewall-1.7.1.tar.gz
Sep 12 15:02:30 2000 ipchains.nerdherd.org
ipchains-firewall is an easily-configurable shell script to establish masquerading and firewalling rules using ipchains. The package contains a script to establish firewalling for a single machine connected to the network without masquerading, a script to establish firewalling for a system acting as a router routing to non-private IP space, a script to establish firewalling and masquerading for a system acting as a router routing to private IP address space, and one to establish firewalling and masquerading for a system acting as a router, routing to multiple RFC1918 subnets over multiple interfaces. The distribution also includes a copy of midentd v1.6, to enable identd over the masqueraded network.
Changes: Fixes for path problems related to use of script with Red Hat Linux and from ip-up scripts, a test for ipchains kernel support, and a few minor bugfixes. By Ian Hall-Beyer

nabou-1.5.tar.gz
Sep 12 14:58:40 2000 www.0x49.org/nabou/
nabou is a Perl script which can be used to monitor changes to your system. It provides file integrity checking, and can also watch crontabs, suid files and user accounts for changes. It stores all data in standard dbm databases. Changes: This release includes many bugfixes, database encryption support, process monitoring capabilities, and some more output options. By Thomas Linden

linux-2.2.17-ow1.tar.gz
Sep 12 14:11:29 2000 www.openwall.com/linux
The Secure-Linux patch adds a few security features to the kernel which, while not a complete method of protection, will stop most of the 'cookbook' buffer overflow exploits cold. It also adds the option of restricting the use of symlinks and named pipes in +t (temp) directories which fixes most tmp-race exploits as well. It can also add a little bit more privacy to the system by restricting access to parts of /proc to root so that users may not see who else is logged on or what they're doing. Also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction, and privileged IP aliases for kernel 2.0. Changes: Now works on kernel 2.2.17! By Solar Designer

capsel.tgz
Sep 12 12:08:06 2000 http://www.elzabsoft.pl/~wp
Capsel v1.56 is a Linux kernel module for v2.2.x with many features that increase your system security. It features the ability to stop chroot jail break, stop ptracing, control the execve call, and removes read permission from core dumps. It also changes the behavior of set*uid system calls which may be used by programs to drop almost all capabilities and UID without dropping capabilities that are needed to work correctly (i.e. bind sockets). Changes: Capsel now clears all environment variables for privileged executables. It no longer needs a patched glibc to prevent users from using dynamic linker (LD_PRELOAD-like) stuff. By Wojciech Purczynski
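Both envcheck (above) and capsel take the same defensive stance: the environment a caller hands to a privileged program is untrusted and must be cleaned before execve. The following is an added example in user space, not the code of either module, that shows what such sanitising amounts to: dynamic-linker variables are dropped, names must be well formed, values must be printable and bounded in length, and only an allowlist of variables survives, with every rejection logged the way envcheck logs exploit attempts. The sample environment, the allowlist and the length limit are constructed for the example.

```python
"""Environment sanitising before exec, in the spirit of envcheck/capsel (added example)."""
import os
import re
import sys

# Constructed environment as an untrusted caller might pass it to a privileged program.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LD_PRELOAD": "/tmp/evil.so",            # dynamic-linker injection attempt
    "LD_LIBRARY_PATH": "/tmp",               # likewise
    "LANG": "en_US\x00../../etc",            # non-printable byte in a value
    "BAD NAME": "x",                         # malformed variable name
    "PROMPT_COMMAND": "echo owned",          # not on the allowlist
}

# Assumed policy for this example; a real deployment would tune these.
DANGEROUS_PREFIXES = ("LD_",)
ALLOWED_NAMES = {"PATH", "HOME", "TERM", "LANG", "USER", "LOGNAME", "SHELL", "TZ"}
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MAX_VALUE_LEN = 1024


def sanitize_env(env, allowed=ALLOWED_NAMES):
    """Return (clean_env, dropped) where dropped is a list of (name, reason)."""
    clean, dropped = {}, []
    for name, value in env.items():
        if not NAME_RE.match(name):
            reason = "malformed name"
        elif name.startswith(DANGEROUS_PREFIXES):
            reason = "dynamic linker variable"
        elif name not in allowed:
            reason = "not in allowlist"
        elif len(value) > MAX_VALUE_LEN or not value.isprintable():
            reason = "unsafe value"
        else:
            clean[name] = value
            continue
        dropped.append((name, reason))
    return clean, dropped


def exec_with_clean_env(path, argv, env=None):
    """Log every rejected variable, then replace the process image with a clean environment."""
    source = dict(os.environ) if env is None else dict(env)
    clean, dropped = sanitize_env(source)
    for name, reason in dropped:
        print(f"envcheck-like: dropped {name!r}: {reason}", file=sys.stderr)
    os.execve(path, argv, clean)


if __name__ == "__main__":
    # Dry run on the constructed sample: show the decisions without exec'ing anything.
    kept, rejected = sanitize_env(SAMPLE_ENV)
    print("kept:", sorted(kept))
    for name, reason in rejected:
        print(f"dropped {name!r}: {reason}")
```

Doing this in user space protects only programs that are started through the wrapper, whereas the kernel modules on this page intercept execve for every process, which is why they also cover statically linked binaries.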

banner.c_v1.0
Sep 11 13:42:29 2000
Banner.c is an advanced banner grabber that allows you to scan a range of hosts, search for keywords in the banners, and has the ability to recognize certain port daemons by name. Compiles on several platforms. By Cyber_Bob

FPipe_2.04.zip
Sep 11 11:02:00 2000 www.foundstone.com
FPipe version 2.4 is a TCP source port forwarder/redirector that can be used to force a TCP stream to always connect using a specific source port. This tool can be used to get around firewalls that only accept traffic originating from common source ports.

SecurityFocus

Note from SecurityFocus: tools announced on SF are not necessarily updates or new; it's just that someone posted an announcement. We try to notify you only of new or updated tools, but it's not easy. Also, not all tools are free.

webNIS 1.0
Tue Sep 12 2000 www.itlab.musc.edu/~nafees/webNIS.html
webNIS is a simple authentication mechanism. It provides a server, or inetd service which simply takes in a login and a password, and responds with the user's real name (as listed in the gecos records) or nothing in case of failure. by Nafees Bin Zafar

Automated Password Generator (APG) 1.1.4
www.adel.nursat.kz/apg
APG (Automated Password Generator) is a tool set for random password generation. by Adel I. Mirzazhanov

Librnet 0.1.5
Mon Sep 11 2000 www.sikurezza.org/sullivan
Librnet, Library for Raw Networking, aims to provide powerful and easy-to-use raw networking to programmers who wish to develop their own 'low-level' network related software, without thinking too much about the underlying layers. by Lorenzo Cavallaro

TopSecret Net c0.9 beta
Mon Sep 11 2000 users.fdn.com/~nomad01/topsnet.html
Topsecret_net is a network encryption program. It allows you to transfer files across a LAN or the internet with protection against electronic eavesdropping. by Siva R. Krishna

Webmin 0.81
Mon Sep 11 2000 www.webmin.com/webmin
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on. Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no external modules. This means that you only need a Perl binary to run Webmin. By jcameron@webmin.com

Sysmon 0.83.2
Fri Sep 08 2000 puck.nether.net/sysmon
Sysmon is a network monitoring tool designed to provide high performance and accurate network monitoring. Currently supported protocols include SMTP, IMAP, HTTP, TCP, UDP, NNTP, and PING tests. by Jared Mauch

Altivore 0.9.3
Fri Sep 08 2000 www.networkice.com/altivore
Altivore is an alternative implementation of Carnivore. Source code is being disclosed in an effort to provide a solid foundation for debate of the technical features of Carnivore. This software contains the basic Carnivore features outlined in the FBI's solicitation for independent review of Carnivore. By Network ICE. The basic capabilities are:
- monitors suspect's e-mail (either headers or full content)
- lists servers suspect accesses (FTP, HTTP, etc.)
- full "sniffing" of suspect's IP address
- discovery of suspect's current IP address through RADIUS logon


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 15 September, 2000