Weekly Security Tools Digest
2000/10/21 to 2000/10/27

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to favourite free tools this week include: snort, SSH, SSL, PGP, Sara, ECC library, BUGS/bcrypt, saint, AMaViS. Documents: Solaris hardening, crypto law survey.

Tools for Windows include iScan, srvc.pl, startup.pl, ldapdump.pl, mIRC.Crypt.

Linux/Unix/Cross Platform: 35 tools in the basket this week!


Favourite Tools

Snort
http://www.snort.org

This bash script is a wrapper for the snort utility from www.snort.org. It aims to install, start and stop snort in a chroot jail under an unprivileged user and group.
• Changes: this version fixes a problem in the running() function on certain platforms.

This script generates an IDS report for those using the Win32 port of snort. It extracts alerts from the EventLog, and then performs a quick stealth scan and OS ID scan of the 'offending' IP addresses, using eEye Security's nmapNT.

 

SSH

OpenSSH.reverse is an OpenSSH server/client to tunnel through firewalls. It was developed to allow users outside firewalls (which deny any incoming connections) or users behind masquerading routers to use SSH. When having "reverse fun", the server (sshd) actually acts as the client and initiates a connection to the now-server 'SSH' outside the firewall. SSH protocol negotiation then proceeds as normal, and the user of the SSH client sees no difference from a normal connection. Since the SSH client acts as a server until the connection arrives, it blocks the user's terminal until a person (or crond) behind the firewall initiates the connection. OpenSSH.reverse can be downloaded from:
http://teso.scene.at/releases/openssh.reverse.tgz

 

SSL

sslwrap is a simple UNIX daemon that sits in front of any simple TCP service such as POP3, IMAP or SMTP and encrypts all of the data on the connection using TLS/SSL. It uses ssleay to support SSL versions 2 and 3. It can run from inetd and encrypt data for services located on another computer. It works with existing servers and requires no modifications to them.
• Changes: compatibility fixes for OpenSSL 0.9.4

The SSL-Proxy for Windows NT acts as a proxy between your browser and the web server. The proxy supports http and https. It supports client authentication and helps you break open SSL traffic for analysis, so that for SSL-only websites you can inspect headers, requests, cookies, etc. Compass needs the proxy for application security checks.

A presentation about SSL by the author of mod_ssl

 

PGP

BkGnuPG is an email plugin for the email software Becky! 2 beta.
• Changes: the English version is now available.

Unixmail for Windows is a package of Unix mail tools ported to MS Windows, and bundled together with an easy-to-use installer. The bundle currently includes fetchmail, mutt (with ncurses), and GnuPG. The existence of this project in effect turns these tools into a cross-platform email system.

 

SARA 3.2.3, Advanced Research Corporation
http://www.www-arc.com/sara

SARA is a security scanning tool based on SATAN, with interfaces to other free tools, e.g. Nmap and Samba.
• Changes: fixed a problem in smb.sara when handling very large shares, and a minor formatting problem in Reporter reports generated with "-r".
• New features: this version includes HTTP tests for Web Shopper, Shopping Cart, PHP, and PUT. The SARA Reporter manual correction facility (see README) has been added. The TCP wrapper detection and the login.sara have been improved.

 

Elliptic Curves Cryptography Library 0.0.7 (devel), David Stes
http://objc.sourceforge.net

ECC is a class library for working with elliptic curves in cryptography. It consists of a set of TCP/IP client server examples for digital signature, encryption, and key exchange (such as Diffie-Hellman key exchange, Massey Omura encryption, or DSA style signatures in the elliptic curve case).

 

BUGS/bcrypt 3.5.3, Sylvain Martinez
http://www.bcrypt.com (in French: http://www.bcrypt.com/index_fr.html)

• New BUGS library: v3.5.3, with a new feature that produces cipher files in ASCII format (for copying and pasting into emails)
• New UNIX version: bugs v3.5.3
• New Windows version: BCRYPT 3.1
• New documentation: V3.0
• Changes: the new documentation (version 3.0) corrects a lot of errors and gives more information about the BUGS algorithm. Library version 3.5.3 corrects a few minor bugs, has a new algorithm to generate cipher text in ASCII mode and also corrects a bug with power level 3. The new UNIX version (v. 3.5.3) contains the new library and documentation. The new Windows version contains the new library and corrects many bugs.

 

SAINT v. 3.0.1 beta 1, World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN.
• New: version 3.0.1 beta 1 has been released.
• Changes: this release adds several vulnerability checks: the setproctitle vulnerability in ftpd (checks added for HP-UX, OpenBSD, and ProFTP), the Linux statd format string vulnerability, Big Brother (two vulnerabilities), Apache::ASP (source.asp), Poll It, guestbook.cgi, Excite for Web Servers, OmniHTTPD (imagemap.exe), Mini SQL (w3-msql), and the AltaVista search engine. It also includes checks for the folder traversal vulnerability in IIS 4.0 and 5.0 web servers, as well as a check for the vulnerability in BOA and other web servers which allows traversal using hex-encoded dot-dot-slash.

 

Hardening Solaris V0.82, Ivan Buetler, Compass Security AG
http://www.csnc.ch/download/sources/Hardening-Solaris_V0.82.pdf

This PDF document provides a step-by-step tutorial on creating a Solaris system resistant to various methods of attack, based on the Titan scripts.

 

AMaViS-perl-8, Christian Bricart
http://www.amavis.org

AMaViS is a mail virus scanner tool. Amavis-perl is the development branch of the AMaViS mail virus scanner tool.
• Changes: the major features of this release are drastically reduced resource consumption, preliminary support for exim, better configurability, and several bug fixes.

 

Crypto Law Survey 18.2, Bert-Jaap Koops
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

This document focuses on legal issues regarding cryptography around the world.
• Changes: the following countries have been updated: EUROPE: European Union (new export regulation), Netherlands (Legal Access project), Russia (intends change), UK ("prohibition" of key escrow); AMERICAS: US (AES selected); ASIA / OCEANIA: Malaysia (decryption orders), Singapore (decryption order).


Tools for Windows

iScan Vulnerability Scanner, Forix Business Solutions
http://www.forixnt.com/tools.html

iScan is a vulnerability scanner for NT platforms. It runs under Windows 2000 and Windows NT.

 

srvc.pl, Forix Business Solutions
http://www.forixnt.com/tools.html

This script uses Win32::Lanman to dump information about all services on the NT system to STDOUT.

 

startup.pl, Forix Business Solutions
http://www.forixnt.com/tools.html

This script combs through certain Registry keys, as well as the StartUp folders in all profiles, on local and remote NT systems, to show the administrator what applications are being called on system startup and user login.

 

ldapdump.pl, Forix Business Solutions
http://www.forixnt.com/tools.html

This tool allows dumping of information (with Net::LDAP) via an anonymous connection to an LDAP server.

 

mIRC.Crypt 1.0 Beta 15, Lost and EvilK
http://noomorph.virtualave.net/mirc_dev/

mIRC.Crypt is a cryptographically secured IRC channel system for mIRC and PGP. It employs the Blowfish block cipher, ANSI X9.17 key generation, and 128-bit IDEA/CBC/SHA RSA SSL.


Tools for UNIX/Linux/BSD & Cross-platform

SecuriTeam

ITS4 1.1.1, Viega
http://www.cigital.com/its4

ITS4 is a command-line tool for statically scanning C and C++ source code for security vulnerabilities. ITS4 scans through source code for potentially dangerous function calls that are stored in a database. Anything that is in the database gets flagged. ITS4 tries to automate a lot of the grepping usually done by hand when performing security audits.
• Changes: release of version 1.1.1

 

IP SCFW, SYN Cookies Firewall 0.9.1, Bronzesoft
http://www.bronzesoft.org

SYN cookies are a technique to prevent SYN flooding attacks. The technique originated with D. J. Bernstein and Eric Schenk, and is now a standard part of the Linux kernel. However, the Linux implementation is aimed only at protecting the box itself. IP SCFW tries to add a firewall feature to Linux that provides SYN cookie protection for an entire internal network. SYN Cookies Firewall can be used to intercept half-open TCP connections, so that the protected server never enters the half-open state (TCP_SYN_RECV). Once the connection is fully established, the firewall relays it between the client and the server.

 

Packet Storm

whisker-1.4+SSL
By Rain Forrest Puppy and ssl patch by H.D. Moore
http://www.wiretrip.net

whisker v1.40 with native SSL support. Adds a -x option which uses the Net::SSLeay perl module and OpenSSL. Whisker is what I've dubbed a 'next generation' CGI scanner. I've implemented anti-IDS checks into the scan. Includes over 200 checks. Lots of options. Reads in nmap output, files full of domains, or single host. Virtual host support. Proxy support. Can be used as a CGI. SSL patch homepage is
http://www.digitaloffense.net:8000 

check-ps-1.3.1, Duncan Simpson
http://checkps.alcom.co.uk

Check-ps is a program designed to detect rootkit versions of ps that fail to tell you about selected processes. It is a simple program that runs ps and compares the output with its own list of processes. The program will run in the background or in one-shot mode. Check-ps has grown somewhat in order to better resist increasingly sophisticated attacks, generate more useful reports, and implement more detection methods.
• Changes: better reporting, bug fixes, more resistant to attack.

 

rc.firewall-5.0, Jean-Sebastien Morisset
http://www.jsmoriss.dyndns.org/linux/firewall.html

rc.firewall is an IPchains-based firewall script with extensive support for network services (IPSec, VTUN, NFS, SMB, Napster, Proxies, etc.), masquerading, port forwarding (including definitions for network games), and IP accounting. Protections include spoofing, stuffed routing / masquerading, DoS, smurf attacks, outgoing port scans, and much more.
• Changes: version 5.0 supports DMZs, and all services are modular, allowing multiple public IP addresses to be managed.

 

fwlogwatch-0.0.22, Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

fwlogwatch analyzes the IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator.

 

FreshMeat

Refugee 0.95 - devel: 0.99, Gregory Hull
http://freshmeat.net/projects/refugee

Refugee is a file encryption utility. It implements Blowfish and Rijndael and is portable. It supports key sizes from 32 to 448 bits and gives the user many ways to make keys.
• The development version 0.99 is available.
• New features: Refugee 0.99 now uses block ciphers in CBC mode. Previous versions used ECB mode. Version 0.99 can decrypt old ECB mode files but files from version 0.99 cannot be decrypted by previous versions of Refugee.
• Changes: some bugs have been fixed, including a major steganography bug fix. Hide will now distribute data more evenly throughout a PNG file. Hide from version 0.99 is not compatible with version 0.98, but it is possible to #define COMPAT_098 to build a Hide that makes files compatible with Seek 0.98. Seek 0.99 can extract data from both 0.98 and 0.99 files. Version 0.99 supports Unix socket credentials, but this only works on Linux at the moment.

 

Scrubber 0.2, Gregory Hull
http://www.synack.com/soft.html

Scrubber is a data destruction utility that overwrites unused filesystem blocks with pseudo-random data. It currently only works under Linux and on unmounted ext2fs partitions.

 

Topsecret 0.90, Siva R. Krishna
http://users.fdn.com/~nomad01/topsl.html

Topsecret is a program to encrypt your sensitive files by using a "Catalyst" file as the encryption key.

 

RadiusContext 1.71, Sean Reifschneider
http://www.tummy.com/radiusContext

RadiusContext is a RADIUS accounting log analysis package. Livingston, MERIT and Ascend RADIUS log formats are supported. It is written in Python and is able to parse log files up to several gigabytes in size.
• Changes: The README file now includes a section on the supported RADIUS servers. A README.FORMAT file which describes the input format used by RadiusContext has been added.

 

fwlogwatch 0.0.22, Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Fwlogwatch is a RUS-CERT project to build an IPchains packet filter log analyzer with text and html summary output, interactive incident report generator, and real-time anomaly response capability.

 

neped 1.4, Jordi Murgó
ftp://apostols.org/AposTools/snapshots/neped

Neped is a detector for promiscuous Ethernet cards, to check for sniffers on the local subnet.

 

Instant Firewall 1.3, Simon Brooke
http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html

The instant firewall is a little shell script to simplify setting up a three-way (outside-periphery-inside) firewall using IPchains. Edit the script to set the desired policy, then run it to create a SysV style init.d script.

 

ip-masq-log 1.0.0, Roberto Zunino
http://www.cli.di.unipi.it/~zunino/linux

The ip-masq-log patch can be used on a masquerading firewall (NAT) to keep a log of all the outgoing masqueraded TCP connections. It's even possible to log the name of the user who has opened the connection. This can be a useful security tool for many small networks that are hidden by a masquerading box if users cannot be totally trusted. It can be used with Linux 2.2.16, 2.2.17 and maybe other versions. Read the README for more info.

 

cruft 0.2 (devel), Mendel Cooper
http://personal.riverusers.com/~thegrendel/software.html

Cruft is a medium-security file encryption package intended as a replacement for the UNIX crypt utility.

 

ISB 0.5, UndeF
http://cyberpunk.n3.net/software.html

ISB (Impurity Spot Buster) is a small (but effective) command-line remote security scanner for Unix systems. It requires a Unix platform and Perl 5.004 or higher.
• Features: this version includes a TCP port scan (strobe technique), vulnerability checks for all the standard services (banner check and version detection), and a database of over 80 vulnerable CGI scripts (including FrontPage and CFM). It provides OS detection via Nmap and produces a human-readable logfile as output.

 

Security-script v0.09, Peter Halliday
http://halliday.wl.vg/scripts

Security-script is a port of FreeBSD's /etc/security script. It checks many aspects of your system's security and then emails you the results. Checks include finding setuid files and directories, UIDs of 0, the count of firewall rules set up to deny or reject, failed logins, and rejected connections.
• Changes: several bugs were fixed and several new features were added: support for three filesystem types, ext2, ufs, and reiserfs (due to a request). The script now checks for authentication failures, looking for password failures in ftp, SSH, and other logins. An uninstall script has been added.

 

Edge router 1.022 (alpha), Stuart Lynne and Richard Pitt
http://edge.fireplug.net

Edge router turns a very minimally configured consumer PC (an old 486) into a basic stand-alone Internet firewall, complete with address translation, proxying, and IP packet forwarding.

 

Iceberg 1.0.5, Ivo Schooneman
http://iceberg.als.cx

Iceberg is a modular firewall script. It can handle up to two WAN interfaces and three LAN interfaces. Double spoofing protection, blocking, and connection logging are included.

 

Knetfilter 1.2.2, Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X frontend to IPtables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
• Changes: version 1.2.2 released.

 

Firewall 1.1, Michael Sharp
http://www.geocities.com/covert11/firewall/firewall.html

Firewall is an IPchains Linux firewall that filters traffic on all major service ports and blocks all well-known exploitable ports and Trojan ports. There are options to log all TCP/UDP/ICMP traffic, as well as to have your system logs mailed to a remote location at specified times. All service ports are completely configurable, to allow some users into the system while keeping others out, and to block or open a port while blocking IP ranges.

 

Toby IDS 0.76b (devel), Bo Adler
http://www.buttsoft.com/~thumper/software/sysadmin/Toby

The Toby intrusion detection system is a fairly complete reimplementation of tripwire-1.3 (ASR) into Perl. It maintains a database of file properties to detect alterations to those properties. It supports MD5 and SHA-1 checksums of the file contents. It features a configuration file which is actually a Perl script, with the attendant power, flexibility, and difficulty.

 

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to only notify you of new or updated, free tools.

Vlad 0.7.4, Razor Security
http://razor.bindview.com/tools/vlad/index.shtml

VLAD the Scanner is an open-source security scanner that checks for the SANS Top Ten security vulnerabilities commonly found to be the source of a system compromise. It has been tested on Linux, OpenBSD, and FreeBSD. It requires several Perl modules to run (see the README for more details).
• Changes: VLAD has been updated and will check for the latest IIS Unicode bug recently reported in MS00-078.

 

exiscan v0.7, dcanthrax
http://duncanthrax.net/exiscan

Exiscan is an email virus scanner which works together with the Exim MTA and McAfee's uvscan or Trend Micro's vscan. It is written in Perl and is designed to be as subtle and lightweight as possible. The special thing about exiscan is that it does not resend messages after scanning them, so the process is fully transparent to the MTA and requires only minimal reconfiguration of Exim.
• Changes: exiscan can now use the reformime MIME decoder instead of metamail, includes configurable sender and receiver notification, and includes better protection against fake X-Scanner header lines. Other small cosmetic fixes.

 

Shoki 0.08.2, Shoki
http://www.meshuggeneh.net/shoki

Shoki is a collection of IDS tools, scripts, and so forth. All the bits together can collect data from sensors, schlep it to a central location for storage, run signature-based and statistical analysis on the data, and load the data into a SQL database. Shoki runs on FreeBSD, Linux, NetBSD and OpenBSD.

 

BeeCrypt 1.1.2, Bob Deblier
http://beecrypt.virtualunlimited.com

BeeCrypt is an open source cryptography library written in C and assembler. It contains implementations of well-known algorithms including Blowfish, SHA-1, Diffie-Hellman, and ElGamal. It is not designed to solve one specific problem, like file encryption, but to be a general purpose toolkit which can be used in a variety of applications. BeeCrypt runs under Linux, Solaris, UNIX, Windows 2000, Windows 95/98 and Windows NT.
• Changes: The Windows 2000 entropy bug was fixed. More sparcv9 assembler code was added. Along with other changes, this new version includes code for interfacing with BeeCrypt for Java, an alternative entropy provider for Windows users, and initial FreeBSD support.

 

Crypt::Rijndael 0.1, Rafael R. Sevilla
ftp://ftp.cpan.org

Crypt::Rijndael is an implementation of the algorithm for the Advanced Encryption Standard, Rijndael, as a Perl module that interfaces to C code. It implements ECB and CBC encryption modes.

 

CUM Security Toolkit [CST] 1.2, toxic ocean
http://www.securax.org/cum

CUM Security Toolkit is a security scanner running under Java. It scans for web server vulnerabilities using a user-editable database of scripts. The included sample database contains over 350 possibly vulnerable scripts/directories.

 

IPchains Firewalling Module for Webmin 0.82.1, Tim Niemueller
http://www.niemueller.de/webmin/modules/ipchains

This module creates a shell script containing all calls for IPchains. It allows you to easily maintain a firewall based on IPchains with the Webmin look and feel. It has three operation modes: Newbie (select one of five security levels), Template (define from a table with protocols and directions what should be allowed to pass your firewall), and Expert (have the real IPchains experience by having every parameter under control by editing a script file which has all IPchains rules). Nearly all of the IPchains options are supported.

 

floppyfw 1.0.6 (stable) - devel: 1.1.3, Thomas ez Lundquist
http://freshmeat.net/projects/floppyfw

floppyfw is a static router with the firewall capabilities of Linux. It is basically a screening router or packet-filtering firewall.
• Changes: the development version 1.1.3 has been released. In this version, all NIC drivers have been removed from the kernel. A /modules/nics.bz2 with quite a lot of modules has been added. They have also been added to /modules.lst.
• New: A lot of modules (NIC's, file systems, etc.) for the kernel 2.2.17 based versions of floppyfw are available at: http://www.zelow.no/floppyfw/download/modules/2.2.17

 

mmtcpfwd 0.2, Matthew Mondor
http://mmondor.rubiks.net/software.html

Mmtcpfwd is a port forwarder daemon for Linux firewalls, a superserver which starts a standalone, non-root daemon per service. It can limit the number of connecting IPs and the connections per IP, auto-DENY IPs that exceed a connection threshold, or fake services à la portsentry. It uses a single configuration file and runs on Linux platforms.

 

phpSecurePages 0.20b, Paul Kruyt
http://www.phpsecurepages.f2s.com

PhpSecurePages is a PHP module to secure pages with a login name and password. It can handle multiple user groups (each with their own viewing rights), store data in a MySQL database or a configuration file, and be used to identify your Web site viewers. It also has multiple language support and session support for both PHP3 and PHP4, and runs under UNIX platforms and Windows NT.

 

IDSwakeup 1.0, Stéphane Aubert
http://www.hsc.fr/ressources/outils/idswakeup/index.html.en

IDSwakeup is a collection of tools for testing network intrusion detection systems. Its main goal is to generate false attacks that mimic well-known ones, in order to see whether a NIDS detects them and generates false positives. This tool runs under UNIX platforms.

 

rkscan, Hervé Schauer Consultants
http://www.hsc.fr/ressources/outils

Rkscan is a small scanner for kernel-module-based rootkits, to help sysadmins detect infected computers.

 

filterrules, Hervé Schauer Consultants
http://www.hsc.fr/ressources/outils

Filterrules is a program which allows you to determine the rules of a firewall in a very reliable way. It is made up of two parts: a "master", in charge of forging several IP packets, and a "slave", which listens on the other side of the firewall and tells the master which packets passed through. At the end of the test, the firewall rules are displayed in ipfw format.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 26 October, 2000