Weekly Security Tools Digest
2000/09/15 to 2000/09/21

By Seán Boran (sean at boran.com) for SecurityPortal


The Rundown

Updates to favourite free tools this week include snort, titan, pgp, nessus, nmap, saint, sara, OpenLDAP, Smoothwall, ngrep, BUGS.

Tools for Windows include ICQr, HardenNT, WDEvt22, Screen Logger.

Linux/Unix/Cross Platform: 26 tool updates!


Favourite Tools

Snort
• snort.panel - A Windows-based utility for managing, controlling, and monitoring the Snort IDS. www.xato.net/files.htm

Titan: A presentation on Titan by Brad Powell www.fish.com/titan/vanguard.pdf

Nessus v1.05 has been released. www.nessus.org

PGP freeware: v6.5.8 is available for Windows (GUI and command line) and UNIX (CLI only). PGP7 is not yet available as freeware. www.pgpi.org

Nmap:
• New development release, 2.54BETA5 is available. www.insecure.org/nmap/#download
• NDiff 0.02 is available, which compares two nmap scans and outputs the differences. It allows monitoring of your network(s) for interesting changes in port states and visible hosts. www.vinecorp.com/ndiff  [Editor's note: I have just finished a script like this myself, watch this spot for more news on tests of ndiff and other tools such as nlog and nmap2html]

OpenLDAP 2.0.3 is available www.OpenLDAP.org

Smoothwall v0.9.4 is available as an ISO image; a developer kit has also been released. www.smoothwall.org

Saint v3.0 beta 1 www.wwdsi.com/saint
Changes: This version features an RPM for Linux users, GUI support for SAINTwriter, a new man page, and a new configuration script based on GNU Autoconf. It also includes a check for the Qaz trojan/worm, checks for backdoors on 9704/TCP and 1524/TCP, checks for new CGI vulnerabilities including YaBB, scohelphttp, MultiHTTP, and Mobius DocumentDirect for Internet, and adjusted timing for better scanning.

Sara 3.2.1 www.www-arc.com/wn.html
Changes:
• Corrected problem in SARA Report filters
• Corrected various Makefile problems
• Added trinity DDOS (XF Advisory 59)
• Added test for Web bulletin board (YaBB)
• Added PhotoAlbum Web vulnerability
• Added t0rn server Trojan test
• Improved mail relay reporting
• Submitting SARA to industry evaluation
• Enhanced Report Writer for SARA/SAINT/SATAN
• Updated to maintain SANS/CVE Certification/Compliance

BUGS/becrypt www.bcrypt.com (in French: www.bcrypt.com/index_fr.html), by Sylvain Martinez
• New Windows version v2.2 from the BUGS cryptography project.
• New UNIX v3.4.1
• [Editor's note: this is a different project from BeeCrypt www.virtualunlimited.com/products/beecrypt/]

ngrep (Unix) 1.38 sourceforge.net/projects/ngrep/
Ngrep is now on SourceForge and available for UNIX and Windows. By Jordan Ritter.

OpenSSL Beta 3 of 0.9.6 is available on www.OpenSSL.org


Tools for Windows


SecuriTeam

HardenNT-Source-20000917.zip
Sep 18 14:16:23 2000, hammer.prohosting.com/~fsneppe/HardenNT.htm
HardenNT (Beta 0917) is a tool created to automate the task of securing one or more Microsoft Windows based computers. It is specifically aimed at securing Windows NT 4.0 machines, although some of the functionality could also be used on Windows 9x or even Windows 2000 networks. HardenNT is not a tool that is to be installed or even run on a computer that one wants to secure. It merely creates a number of batch files that run standard NT (and NT Resource Kit) tools. This means that the batch files created by HardenNT are to be copied to and run on the host you want to secure. Updated frequently; the newest version is available at the URL above. By Bart Timmermans, Filip Sneppe

ICQr Information
14 Sep 2000, www.headstrong.de/cgi-bin/download.cgi?icqrinfo
ICQr Information reads out information stored in ICQ .DAT files. It currently works for ICQ 99a/b and 2000a (older versions are not supported).

Packet Storm

WDEvt22.zip
Sep 16 23:44:03 2000 www.eventlog.com
WDumpEvt is a tool that makes it easy to manage all the information from Windows NT / 2000 logs. The eventlog tree can be browsed, sorted, erased, filtered, or categorized. The data can also be dumped into an ASCII-delimited format for importation or HTML for display. Changes: This version allows dump of the user sessions, failure sessions, RAS sessions and printing jobs. Customized format. Now allows choice of the starting login for the service and drag and drop of the .evt and .act files. The command line tools have also been updated. By Isabelle Volant

SecurityFocus

Screen Logger 1.0
Sep 20 2000, www.mikkotech.com/sl.html
Screen Logger is like a handycam for your screen. It can record everything your computer monitor displays on the screen. The main feature of Screen Logger is to capture your screen and log it into log files for you to view at any time. This is a very important feature if you need to keep backups of your work, do some troubleshooting on your computer, or even if you just want to know what happens on your computer while you're away. Capturing screens and logging them to files gives you a picture of what happens on your computer. By Mikko Technology


Tools for UNIX/Linux/BSD & Cross-platform

Packet Storm

chkrootkit-0.17.tar.gz
Sep 20 15:14:26 2000, ftp://ftp.pangeia.com.br/pub/seg/pac/
Changes: Add tests for new and popular variations of rootkits, including Tornkit. Now attempts to identify LKM rootkits. By Nelson Murilo

winfingerprint-229.zip
Sep 20 11:51:14 2000, www.technotronic.com/winfingerprint
Changes: Fixed several bugs that crept into 2.28, re-added time and date enumeration for Windows 9x machines, lots of HTML fixes. By Vacuum

pdump-0.781.tar.gz
Sep 18 14:43:20 2000, pdump.lucidx.com 
Changes: Passive operating system detection/fingerprinting similar to siphon has been added, added recognition of DF (don't fragment) and TOS flags, added an implementation of tcpkill from dsniff which is able to kill any open TCP connection, non-promiscuous mode sniffing, and now uses the pdump::Sniff module for packet creation and sniffing. By Samy Kamkar

irpas.tar.gz
Sep 18 15:55:20 2000, www.phenoelit.de
IRPAS is a suite of routing protocol attack tools which sends custom routing protocol packets from the unix command line. It is very useful for searching for new routing protocol vulnerabilities. Included is a tool for sending Cisco Discovery Protocol (CDP) messages, one for injecting IGRP routes, and a scanner for IGRP autonomous systems. By FX

stealth-2.2.17.diff
Sep 18 13:14:40 2000 www.energymech.net/madcamel/fm
Stealth IP Stack is a kernel patch for Linux 2.2.17 which makes your machine almost invisible on the network without impeding normal network operation. Many denial of service attacks, such as stream, are much less effective with this patch installed, and port scanners slow to a crawl. It works by restricting TCP RST packets (no "Connection Refused"), restricting ICMP_UNREACH on UDP (prevents UDP port scans), and restricting all ICMP and IGMP requests. A sysctl interface is used so these features can be turned on and off on the fly. By Robert Salizar

anomy-sanitizer-1.26.tar.gz
Sep 15 15:31:08 2000 mailtools.anomy.net
The Anomy mail sanitizer is a filter designed to block email-based attacks such as Trojans and viruses. It reads an RFC822 or MIME message and removes or renames attachments, truncates unusually long MIME header fields and sanitizes HTML by disabling JavaScript and Java. It uses a single-pass pure Perl MIME parser, which can make it both more efficient and more precise than other similar programs, and has built-in support for third-party virus scanners. Changes: Fixed a bug which caused HTML to be sanitized in message headers, fixed a problem with inline uuencoded attachments, added protection against empty boundary string attacks against Exchange Server 5.5. By Bjarni R. Einarsson

ethereal-0.8.12.tar.gz
Sep 14 11:18:48 2000 ethereal.zing.org
Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers. Changes: Buffer-overflow protection with snprintf, shows invalid checksums, and about a hundred bugfixes. New dissectors include Kerberos 5, RSH, Zebra, and initial support for BXXP, and the Help menu finally gives some help. By Gerald Combs

FreshMeat

Rubber Hose 0.8.2
freshmeat.net/projects/rubberhose/
Rubberhose is a plausibly deniable cryptographic system. It provides an encrypted filesystem that stores more than one piece of information in the same partition in such a way that it is computationally infeasible to prove whether data exists and what it is. License: free to use but restricted

Email Security through Procmail 1.118
freshmeat.net/projects/emailsecuritythroughprocmail/
.DLL and Microsoft Access extensions were added to the considered-executable list. The macro and long-header tests were modified to reduce false positives. By John Hardin.

Seattle Firewall 3.2.2
freshmeat.net/projects/seattlefirewall/
This update allows restricting access to servers based on client IP address, permits changing the default ruleset strength, includes the ability to alter the kernel's dynamic port range, provides for non-masqueraded local interfaces, correctly handles P-T-P devices in the "local" and "dmz" specifications, and supports running the Linux PPTP client on the firewall system. By Tom Eastep.

ipmkchains v0.17
freshmeat.net/projects/ipmkchains/
Added the ability to automatically generate rules to check the source addresses of traffic based on the routing table with the 'add_route_rules' command. Fixed a bug with inserting rules at the start of a list. By Bruce Guenter.

tproxy v1
freshmeat.net/projects/tproxy/
A user-space TCP proxy daemon with out-of-band support. By Tony Kimball.

ppp-in-telnet v1
freshmeat.net/projects/ptyz/
Tunnel outgoing pppd through a telnet proxy. By Tony Kimball.

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily new, updated or free; it's just that someone posted an announcement. We try our best to only notify you of new or updated, free tools.

rpcs
www.securityfocus.com/tools/418
rpcs is an RPC service scanner. It uses rpcinfo -p to collect rpcinfo for a range of hosts, and outputs the results to the console. By Jake V. Bouvrie

acct 0.91
www.cs.uni-potsdam.de/homepages/students/linuxer/ok.html
Acct may be used to control the process-accounting mechanism on Linux, which is derived from the BSD operating system. Once process accounting is enabled, a record of information (such as uid/gid etc.) is stored in an accounting file for every process that exit()s.
This information can later be read out and analyzed. Since the information provided by the accounting mechanism is not very trustworthy, a second mechanism is provided: logging of EoE information. EoE is a device driver which logs execution of programs with full path and arguments (unlike acct(2)). You need to have EoE installed separately. By Sebastian Krahmer

AAFID - Autonomous Agents for Intrusion Detection
www.cs.purdue.edu/coast/projects/autonomous-agents.html
AAFID is a distributed monitoring and intrusion detection system that employs small stand-alone programs (Agents) to perform monitoring functions in the hosts of a network. AAFID uses a hierarchical structure to collect the information produced by each agent, by each host, and by each set of hosts, so as to be able to detect suspicious activity. It is important to note that AAFID is not by itself a network-based intrusion detection system. It provides the infrastructure for distributing monitoring tasks over many hosts. Some agents may implement network monitoring functions, while others may implement host monitoring functions. This is the second public release of the AAFID prototype. It is completely implemented in Perl 5, which makes it easier to run on different platforms. By Gene Spafford, Mikhail Atallah, David Cole, Frederic Dumont, Joshua Gray, Benjamin Kuper

Wrapper v2
cegt201.bradley.edu/~im14u2c/wrapper/
This wrapper is intended to protect SUID/SGID programs that may either be susceptible to buffer overflows on commandline arguments, or inappropriately trust certain environment variables. This wrapper does not fix file race-conditions, nor does it help with other bugs/problems. By Joe Zbiciak

Snuff 0.8.1
Sep 19 2000, ns2.crw.se/~tm/
Snuff is a packet sniffer for Linux which can monitor multiple sessions at once. It also has the capability of mailing or deleting the log once it reaches a certain size. By Noupe.

SING 1.0
www.sourceforge.net/projects/sing
SING (Send ICMP Nasty Garbage) is a tool that sends fully customized ICMP packets from the command line. Its main purpose is to replace/complement the ping command by adding certain enhancements such as ICMP fragmentation, sending/reading spoofed packets (with libpcap included in the source distribution file), sending/reading many ICMP information and error types, etc. It also supports Loose Source Routing, Strict Source Routing and Record Routing. By Alfredo Andres

bsyrin 0.1
www.securityfocus.com/tools/1368
Buffer Syringe is a tool for checking servers/daemons (e.g. ftp) for buffer overflow(s) on given parameter(s) (a stress tool, if you will). It has a flexible configuration file where you input the parameters needed to run the program, and it logs sessions to a text file for easy viewing and printing. By Digital Monkey

UCD-SNMP 4.1.1
ucd-snmp.ucdavis.edu
Various tools relating to the Simple Network Management Protocol, including:
• An extensible agent
• An SNMP library
• Tools to request or set information from SNMP agents
• Tools to generate and handle SNMP traps
• A version of the unix 'netstat' command using SNMP
• A Tk/perl MIB browser
By UC-Davis.

Rpc_Gotcha 1.1
renfro.homepage.com/archive.htm
Rpc_Gotcha is a network-based intrusion detection tool for detecting RPC-based scans and attacks (buffer overflows). The program will passively sit on the network perimeter and process packets while analyzing the RPC message data payload looking for signs of a possible attack. Rpc_Gotcha will log all RPC calls made to the network and display payload data for possible attacks. Changes: This version fixes some major bugs, memory leaks and signature issues. It will also read tcpdump capture files in a batch mode. By Chad Renfro.

Calamaris 2.37
http://calamaris.cord.de/Welcome.html.en
Calamaris parses Squid and NetCache native logfiles and generates reports about peak usage, request methods, status report of incoming and outgoing requests, second- and top-level destinations, content types and performance. By Cord Beermann

squidauth 1.0
www.securegateway.org
squidauth.pl is a Perl script that allows the Squid proxy server to authenticate to the TIS Toolkit firewall (or Gauntlet Firewall) authsrv using the authenticate_program parameter in the squid.conf. By Peter Robinson and Anthony Cox

Harden SuSE 2.5
www.suse.de/~marc/rpm
A hardening script for SuSE Linux which asks several questions before reconfiguring the system and generating an undo file. By Marc Heuse.
[Editor's note: The date of the download file is May 2000, so it may not have changed, but since it comes directly from a SuSE developer, it's interesting to check out].


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 28 September, 2000