Weekly Security Tools Digest
2000/11/11 to 2000/11/17

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to favourite free tools this week include: SAINT, Snort tools, PGP and LIDS.

Tools for Windows include RIC, Versioner, Outlook password stripper and CIS database scanner.

Firewalls for UNIX/Linux/BSD & Cross-platform: 3 firewalls or tools related to firewalls.

Tools for Linux/Unix/Cross Platform: 17 updates this week.


Favourite Tools

SAINT v. 3.1
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

Saint is a security scanning tool based on Satan.
• New: the version 3.1.1b1 has been released.
• Changes: this version adds checks for vulnerable versions of the Lotus Domino server, vulnerable iPlanet web servers and Cisco Catalyst switch vulnerabilities. Detection of NT guest and administrator accounts without passwords, done via Samba, has been improved. Bugs have been fixed in the IMAP and Cold Fusion checks. The FAQ and documentation have been improved and now include instructions on using rules/drop to ignore false alarms.

 

Snort
http://www.snort.org

SnortSnarf is a Perl program that takes files of alerts from the free Snort intrusion detection system and produces HTML output intended for diagnostic inspection and tracking down problems. The intended setup is a cron job that produces a daily/hourly/whatever file of Snort alerts; the script is then run on each such file to produce a convenient HTML breakout of all the alerts.
• Changes: version 111500 released. No information about this new release was available in the ChangeLog.
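The kind of breakout SnortSnarf produces, as an added example that is not SnortSnarf's own code: parse Snort "fast" alert lines, count them per signature with the sources and destinations involved, and render an HTML table. The alert lines are constructed for this example; the parser assumes the "timestamp [**] [gid:sid:rev] signature [**] ... src[:port] -> dst[:port]" layout and skips lines that do not fit it rather than aborting the report.

```python
"""Summarise a Snort 'fast' alert file by signature and source.

Added example in the spirit of SnortSnarf; it is not SnortSnarf's own code.
The sample alerts below are constructed for this example."""
import html
import re
from collections import Counter, defaultdict

# Constructed sample: Snort "fast" alert lines plus one unparseable line.
SAMPLE_ALERTS = """\
11/15-13:22:01.123456 [**] [1:1002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.168.1.10:1034 -> 10.0.0.5:80
11/15-13:22:04.654321 [**] [1:1002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.168.1.10:1035 -> 10.0.0.5:80
11/15-13:25:17.000001 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.168.1.77 -> 10.0.0.5
11/15-13:40:00.500000 [**] [1:1002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 172.16.3.3:2048 -> 10.0.0.6:80
this line is not an alert and must be skipped, not crash the parser
"""

# Timestamp, optional [gid:sid:rev], signature text, then src[:port] -> dst[:port].
# Whatever sits between the second [**] and the addresses (classification,
# priority, protocol) is skipped; requiring four dotted octets for the source
# stops a digit inside "[Priority: 1]" from being taken for an address.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[(?P<sid>[\d:]+)\]\s+)?(?P<sig>.+?)\s+\[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return (alerts, skipped): one dict per parseable line plus the count of lines that did not parse."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            skipped += 1        # keep going: a truncated or hostile line must not stop the report
            continue
        alerts.append(m.groupdict())
    return alerts, skipped


def summarise(alerts):
    """Per-signature count plus the distinct sources and destinations seen for it."""
    by_sig = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set()})
    for a in alerts:
        entry = by_sig[a["sig"]]
        entry["count"] += 1
        entry["sources"].add(a["src"])
        entry["dests"].add(a["dst"])
    return dict(by_sig)


def top_sources(alerts, n=5):
    """Most frequently alerting source addresses."""
    return Counter(a["src"] for a in alerts).most_common(n)


def render_html(summary):
    """One table row per signature, busiest first. Every field is escaped because
    the report is opened in an analyst's browser and alert text is not trusted."""
    rows = []
    for sig, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        rows.append("<tr><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>" % (
            html.escape(sig), e["count"],
            html.escape(", ".join(sorted(e["sources"]))),
            html.escape(", ".join(sorted(e["dests"])))))
    return ("<table><tr><th>Signature</th><th>Count</th><th>Sources</th>"
            "<th>Destinations</th></tr>" + "".join(rows) + "</table>")


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_ALERTS)
    print("parsed %d alerts, skipped %d lines" % (len(alerts), skipped))
    print(top_sources(alerts))
    print(render_html(summarise(alerts)))
```

Run it on a real alert file by replacing SAMPLE_ALERTS with the file contents; the skipped-line count is worth printing in any such report, since a parser that silently drops lines hides exactly the oddities you want to see.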

 

PGP

BkGnuPG is an email plugin for the email software Becky 2 beta.
• Changes: version 1.0 is now available.

 

LIDS: Linux Intrusion Detection System 0.9.10 for 2.2.17
Xie Hua Gang
http://www.lids.org

LIDS is a kernel patch and admin tool to enhance the Linux kernel security. It is an implementation of a reference monitor and Mandatory Access Control in the kernel.
• New: the development version LIDS 0.9.10 for 2.2.17 released
• Changes: fixed a umount filesystem bug, fixed NFSd and FTPd capability usage, fixed capability inheritance, and fixed a sys_sysctl() bug.

 

BIND (Berkeley Internet Name Domain) Security Fixes
Internet Software Consortium
http://www.isc.org/products/BIND/

8.2.2 patchlevel 7 has been released fixing several Denial of Service bugs, see also
http://www.isc.org/products/BIND/bind-security.html

9.0.1 is a maintenance release, containing fixes for a number of bugs in BIND 9.0.0 but no new features (with the exception of a few minor features added to dig, host, and nslookup).

 


Tools for Windows

Zombie Zapper
Bindview Razor
http://razor.bindview.com/tools/ZombieZapper_form.shtml

Zombie Zapper is a free, open-source tool that can tell a zombie system that is flooding packets to stop. It works against Trinoo, TFN, Stacheldraht, Trinoo for Windows and Shaft. It assumes that the various defaults used by these attack tools are still in place (an attacker who changed them will not be affected), but within that limit it lets you put the zombies to sleep.

 

RIC - The Registry Key Integrity Checker
Forix Business Solutions
http://www.forixnt.com/tools.html

The Registry Key Integrity Checker (RIC) is a utility that NT administrators can use to perform integrity checking of specific NT Registry keys. Integrity checking through the use of checksums has been long used to determine whether changes have been made to system files, and it can now be used to do the same for NT Registry keys!  By monitoring specific keys, NT administrators can determine whether or not changes have been made to those keys. Additionally, RIC is agentless, meaning that it can be run from a central location. Currently this release of RIC is a free limited demo. As feedback is collected from users, the utility will be expanded and a more fully-functional version will be released at a nominal fee.

 

Packetstorm

Versioner 0.9
Vacuum
http://www.technotronic.com/versioner

Versioner is a graphical utility that traverses directories gathering file properties. Versioner's output is in comma-separated-values format, and it automatically launches the program associated with the .csv extension (usually MS Excel); the data can also be imported into MS Access. It can be used to determine "What has changed?" on a given host, which is useful after a software installation or after an intrusion as a way of checking file integrity. Versioner can also be used to compare data from multiple machines to determine "What is different?". Excel tip: turning on autofilter lets you sort Versioner's data in many useful ways.

 

SecuriTeam

Outlook PST Password stripper
William Lefkovics
http://www.msexchange.org/files

This utility was originally designed to upgrade the PST format to version 19. One of its side effects, however, is that it can strip out the PST password. This can therefore be used to recover passwords you may have forgotten on your PST files.

 

Talisker

CIS - Cerberus' Internet Scanner Database Module
Cerberus Information Security, Ltd
http://www.cerberus-infosec.co.uk/cis.shtml

CIS is a free security scanner designed to help administrators locate and fix security holes in their computer systems. It runs on Windows NT or 2000.
• Features: takes a modular approach and is comprehensive (around 300 checks). Hidden command-line capability lets scans run in the background. Scan modules include WWW, SQL, FTP, various NT checks, SMTP, POP3, DNS, finger and more. Reports are HTML based with hypertext links to more information. Easy-to-use graphical user interface. Multi-threaded, so scan time is minimised. Light on memory usage. Updated very regularly. Version 5 is free.


Firewalls for UNIX/Linux/BSD & Cross-platform

FreshMeat

Fwlogwatch 0.0.26
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Fwlogwatch analyzes ipchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator.

 

Fire-Waller 1.2
Jani Mikkonen
http://www.saunalahti.fi/~mikpija/unix/fire-waller

Fire-Waller reads packet-filter entries from your syslog and creates HTML output of the matching lines. All addresses in the logfiles are resolved against a nameserver, and protocols/services are converted from numeric values to names. Bear in mind that resolving every logged address means sending reverse lookups to the nameservers responsible for those addresses, an attacker's own included, so you may prefer to run the resolution from a machine that does not identify your site.
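The summaries fwlogwatch and Fire-Waller build from ipchains logs, as an added example that is not either tool's code: parse the kernel's "Packet log:" lines out of syslog, count denied packets per service and per source, and flag sources denied on several distinct ports. The log lines are constructed; the "chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [flags] (#rule)" layout and the SCAN_PORTS threshold are assumptions of this example, and name resolution is deliberately left out so it runs offline.

```python
"""Summarise ipchains packet-filter log lines from syslog.

Added example of the analysis fwlogwatch and Fire-Waller perform; it is not
either tool's code. The ipchains line layout is assumed to be
'Packet log: chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [flags] (#rule)';
the sample lines are constructed and SCAN_PORTS is an arbitrary threshold."""
import re
from collections import Counter, defaultdict

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SCAN_PORTS = 3   # assumption: a source denied on this many distinct ports is worth a look

SAMPLE_LOG = """\
Nov 15 13:22:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1034 10.0.0.1:23 L=60 S=0x00 I=31337 F=0x4000 T=64 SYN (#5)
Nov 15 13:22:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1035 10.0.0.1:21 L=60 S=0x00 I=31338 F=0x4000 T=64 SYN (#5)
Nov 15 13:22:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1036 10.0.0.1:139 L=60 S=0x00 I=31339 F=0x4000 T=64 SYN (#5)
Nov 15 13:22:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1037 10.0.0.1:111 L=60 S=0x00 I=31340 F=0x4000 T=64 SYN (#5)
Nov 15 13:23:10 fw kernel: Packet log: input DENY eth0 PROTO=17 10.9.8.7:53 10.0.0.1:1029 L=78 S=0x00 I=4242 F=0x0000 T=52 (#7)
Nov 15 13:24:00 fw kernel: Packet log: input DENY eth0 PROTO=1 172.16.0.9:8 10.0.0.1:0 L=84 S=0x00 I=17 F=0x0000 T=240 (#9)
Nov 15 13:24:30 fw kernel: Packet log: forward ACCEPT eth1 PROTO=6 10.0.0.20:1100 198.51.100.4:80 L=60 S=0x10 I=5 F=0x4000 T=63 SYN (#12)
Nov 15 13:25:00 fw sshd[123]: Accepted password for alice from 10.0.0.20 port 1101
"""

LINE_RE = re.compile(
    r"^(?P<when>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def parse_log(text):
    """One dict per ipchains packet-log line; other syslog traffic is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ttl", "rule"):
            e[key] = int(e[key])
        e["flags"] = e["flags"].split()
        entries.append(e)
    return entries


def service(e):
    """Readable service key. ipchains puts the ICMP type and code where the ports go."""
    if e["proto"] == 1:
        return "icmp type %d code %d" % (e["sport"], e["dport"])
    return "%s/%d" % (PROTO_NAMES.get(e["proto"], "proto%d" % e["proto"]), e["dport"])


def summarise(entries):
    denied = [e for e in entries if e["target"] in ("DENY", "REJECT")]
    ports_per_source = defaultdict(set)
    for e in denied:
        if e["proto"] in (6, 17):
            ports_per_source[e["src"]].add((e["proto"], e["dport"]))
    suspects = {src: sorted(port for _, port in ports)
                for src, ports in ports_per_source.items() if len(ports) >= SCAN_PORTS}
    return {"by_target": dict(Counter(e["target"] for e in entries)),
            "denied_by_service": dict(Counter(service(e) for e in denied)),
            "denied_by_source": dict(Counter(e["src"] for e in denied)),
            "scan_suspects": suspects}


def render_text(summary):
    lines = ["packets by target: " + ", ".join(
        "%s=%d" % kv for kv in sorted(summary["by_target"].items()))]
    for title, key in (("denied by service", "denied_by_service"),
                       ("denied by source", "denied_by_source")):
        lines.append(title + ":")
        for name, n in sorted(summary[key].items(), key=lambda kv: -kv[1]):
            lines.append("  %-24s %d" % (name, n))
    for src, ports in summary["scan_suspects"].items():
        lines.append("possible scan from %s: ports %s" % (src, ports))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_text(summarise(parse_log(SAMPLE_LOG))))
```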

 

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updated, new or free; it just means that someone posted an announcement. We try our best to notify you only of new or updated free tools.

FCT - Firewall Configuration Tool 1.1.5
Jens Hellmerichs-Friedrich
http://fct.linuxfirewall.org

FCT is an HTML based tool for the configuration of a firewall. It features automatic script-generation for IP-filtering commands (ipfwadm) on a firewall for multiple interfaces and any internet services.


Tools for UNIX/Linux/BSD & Cross-platform

Exiscan v0.8
Tom Kistner
http://duncanthrax.net/exiscan

Exiscan is an email virus scanner that works together with the Exim MTA (http://www.exim.org). It is written in Perl and designed to be as unobtrusive and lightweight as possible. Exiscan relies on McAfee's uvscan or Trend Micro's vscan to do the actual scanning work.
• Changes: small fixes in debug mode, and a new feature: unpacking of MS-TNEF and S/MIME wrappers.

 

PIKT - Problem Informant/Killer Tool 1.12.0
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
• Changes: highlights of this release: added secret-key authentication and data encryption to master-slave (piktc to piktc_svc) communications. Made other security enhancements, improved diagnostic logging, and allowed empty host lists (hosts and members stanzas) in systems.cfg. Eased systems.cfg syntax rules, allowing hosts, aliases and members stanzas to be intermixed in almost any order. When 'configure' is run with the --prefix= option, 'make install' no longer has the potential to trash other, non-PIKT ownerships and permissions (before, --prefix= was effectively unusable because of this). Modified how the master piktc does "fetch_file" operations, enabling 'piktc -f' on the OSes that previously lacked it. Added several new Pikt functions. Fixed a number of bugs. Made other code improvements.

 

FreshMeat

Software Enigma 0.1
Konrad Rieck
http://www.r0q.cx/senigma

The Software Enigma is a little application that imitates the original behavior of the Enigma, a cryptographic device that was used in World War II by the Germans and cracked by several parties. It was designed in order to demonstrate the techniques used to crack this mechanism. It could be used to understand and play with the encryption mechanisms.
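A rotor-machine simulator of the kind the Software Enigma entry describes, written here as an added example rather than taken from that project: a three-rotor Enigma I with the historical rotor I, II and III wirings, reflector B, ring settings, a plugboard and the double-stepping motion. It lets you see the two properties the cryptanalysts exploited: encryption is its own inverse (running the ciphertext through an identically set machine yields the plaintext), and, because of the reflector, no letter ever encrypts to itself, which is what makes crib placement possible.

```python
"""Enigma I simulator (rotors I, II, III; reflector B) as an added example.

Not the Software Enigma's code. Rotor wirings, notches and reflector are the
historical ones; everything else (key settings, sample text) is chosen here."""

ROTORS = {          # wiring as seen from the right-hand entry side, and turnover notch
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"
A = ord("A")


class Rotor:
    def __init__(self, name, ring="A", position="A"):
        wiring, notch = ROTORS[name]
        self.fwd = [ord(c) - A for c in wiring]
        self.bwd = [0] * 26
        for i, out in enumerate(self.fwd):
            self.bwd[out] = i
        self.notch = ord(notch) - A
        self.ring = ord(ring) - A
        self.pos = ord(position) - A

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _shift(self):
        # Rotation relative to the ring setting: the wiring core turns, the contacts do not.
        return (self.pos - self.ring) % 26

    def forward(self, c):          # right to left, towards the reflector
        s = self._shift()
        return (self.fwd[(c + s) % 26] - s) % 26

    def backward(self, c):         # left to right, back from the reflector
        s = self._shift()
        return (self.bwd[(c + s) % 26] - s) % 26


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), rings="AAA", positions="AAA", plugboard=""):
        self.left, self.middle, self.right = [
            Rotor(n, r, p) for n, r, p in zip(rotors, rings, positions)]
        self.reflector = [ord(c) - A for c in REFLECTOR_B]
        self.plug = list(range(26))
        for pair in plugboard.upper().split():      # e.g. "AB CD": swap A<->B and C<->D
            a, b = ord(pair[0]) - A, ord(pair[1]) - A
            self.plug[a], self.plug[b] = b, a

    def _step(self):
        # Rotors move before the letter is enciphered. The middle rotor steps when the
        # right rotor is at its notch and also when it is at its own notch (double step).
        if self.middle.at_notch():
            self.middle.step()
            self.left.step()
        elif self.right.at_notch():
            self.middle.step()
        self.right.step()

    def encrypt_letter(self, ch):
        self._step()
        c = self.plug[ord(ch) - A]
        for r in (self.right, self.middle, self.left):
            c = r.forward(c)
        c = self.reflector[c]              # the reflector is why no letter maps to itself
        for r in (self.left, self.middle, self.right):
            c = r.backward(c)
        return chr(self.plug[c] + A)

    def process(self, text):
        """Encrypt or decrypt (same operation); non-letters are dropped as an operator would."""
        return "".join(self.encrypt_letter(ch) for ch in text.upper() if "A" <= ch <= "Z")


if __name__ == "__main__":
    ct = Enigma(positions="QEV", plugboard="AB CD").process("attack at dawn")
    print(ct, Enigma(positions="QEV", plugboard="AB CD").process(ct))
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    out = Enigma(positions="XYZ").process(alphabet)
    print("letters encrypting to themselves:", sum(p == c for p, c in zip(alphabet, out)))
```

With the default settings (rotors I II III, rings and positions AAA, no plugboard) the machine turns "AAAAA" into "BDZGO", which is the usual sanity check for a simulator's stepping and wiring.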

 

FCheck 2.07.54
Michael A. Gumienny
http://sites.netscape.net/fcheck/fcheck.html

FCheck is a Perl script written to generate a baseline of a UNIX system and monitor the system against it for any file alterations, reporting them through syslog, the console or any log-monitoring interface. Checks can be run at intervals as short as one minute if the system's disk is small enough, which makes the monitoring hard to circumvent. It is a freely available, open-source alternative to Tripwire that is time-tested and easier to configure and use.
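The baseline-and-compare technique behind FCheck (and, applied to registry keys, behind RIC above), as an added example that is neither tool's code: record a fingerprint of every file under a directory (ownership, mode, size, mtime and a SHA-256 of the content), store it, and later report what was added, removed or modified and which attributes changed. The exclude list and the baseline file name are this example's own choices. The one assumption that matters is that the stored baseline lives where an intruder cannot rewrite it (read-only media or another host); a baseline kept writable on the monitored host proves nothing.

```python
"""Baseline-and-compare integrity checking of a directory tree.

Added example of the technique FCheck applies (and RIC applies to registry
keys); it is not FCheck's code. Assumption: the baseline file is stored where
an attacker cannot rewrite it, otherwise the comparison proves nothing."""
import hashlib
import json
import os
import stat


def file_record(path):
    """Metadata plus SHA-256 of the content. Metadata alone is not enough: mtime
    and size can be restored after editing a file, the content hash cannot be."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # a redirected symlink is a change too
    return rec


def build_baseline(root, exclude=()):
    """Relative path -> record for every file under root. Directories listed in
    'exclude' (relative to root) are skipped, e.g. spool areas that change constantly."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirnames[:] = sorted(d for d in dirnames
                             if os.path.normpath(os.path.join(rel_dir, d)) not in exclude)
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Added, removed and modified paths; for modified ones, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        old, new = baseline[path], current[path]
        diffs = [k for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]
        if diffs:
            modified[path] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    store = sys.argv[2] if len(sys.argv) > 2 else "baseline.json"
    if os.path.exists(store):
        report = compare(load_baseline(store), build_baseline(root))
        for kind in ("added", "removed"):
            for p in report[kind]:
                print(kind, p)
        for p, diffs in sorted(report["modified"].items()):
            print("modified", p, ",".join(diffs))
    else:
        save_baseline(build_baseline(root), store)
        print("baseline of %s written to %s" % (root, store))
```

First run writes the baseline, later runs report differences; in practice the report goes to syslog on a schedule, as FCheck does, and the baseline is regenerated only after a change has been reviewed.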

 

LibFormat 1.0pre5
Tim J. Robbins
http://box3n.gumbynet.org/~fyre/software

LibFormat is a library for the Linux operating system that intercepts calls to the printf() family of functions (among others). Its purpose is to prevent so-called 'format string' attacks in which a possibly malicious user-supplied format string is used.

 

IP Personality 20000727
Gaël Roualland, Jean-Marc Saffroy
http://ippersonality.sourceforge.net

The IP Personality project is a patch to the newer Linux kernels that adds netfilter features: it enables the emulation of other OSes at network level, thus fooling remote OS detection tools such as Nmap that rely on network fingerprinting.

 

IP-masq-log 1.0.1
Roberto Zunino
http://www.cli.di.unipi.it/~zunino/linux

The IP-masq-log patch can be used on a masquerading firewall (NAT) to keep a log of all the outgoing masqueraded TCP connections. It's even possible to log the name of the user who has opened the connection. This can be a useful security tool for many small networks that are hidden by a masquerading box if users cannot be totally trusted. The version 1.0.1 fixes some bugs.

 

SSLDump 0.9b1
Eric Rescorla
http://www.rtfm.com/ssldump

SSLDump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to the console. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
• Changes: the version 0.9b1 has been ported to Linux, Solaris, and HP/UX. The decoding of printable characters when printing hex data has been added. The man page and assorted other printing have been reviewed.

 

IPpl 1.4.12 - devel 1.99.5
Hugo Haas, Etienne Bernard
http://pltplp.net/ippl

IPpl is a configurable IP protocols logger. It currently logs incoming ICMP messages, TCP connections and UDP datagrams. It is configured with Apache-like rules and has a built-in DNS cache. It is aimed to replace IPlogger.

 

Packet Storm

Scanlogd 2.2
Solar Designer
http://www.openwall.com

Scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with, for a Phrack Magazine article. Thus, unlike some of the other port scan detection tools out there, scanlogd is designed to be totally safe to use. This release of scanlogd can be built with support for one of several packet capture interfaces. In addition to the raw socket interface on Linux, scanlogd is now aware of libnids and Libpcap.

 

Recover 1.2
Tom Pycke
http://www.linuxave.net/~recover

Recover is a utility that automates some of the steps described in the Ext2fs-Undeletion HOWTO in order to recover a lost file. The goal is to make undeleting a file as easy as possible (i.e. a GTK and/or Qt interface); right now there is only a console version. It indexes all the deleted inodes with debugfs, then asks a series of questions about the deleted file. All deleted files that match your criteria are dumped to a directory.
• Changes: device scanning was added, and the code was converted from C++ to plain C.

 

Tinc 1.0pre3
Guus Sliepen, Ivo Timmermans
http://tinc.nl.linux.org

Tinc is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between multiple hosts on the Internet. This tunneling allows VPN sites to share information with each other over the Internet without exposing any information.
• Changes: this version fixes the security hole in all previous versions of Tinc. Support for multiple subnets was added. OpenSSL is now used, as well as public/private key cryptography. Universal TUN/TAP driver is now supported, and it now compiles under Solaris 8.

 

TcpSpy 1.1
Tim J. Robbins
http://box3n.gumbynet.org/~fyre/software

TcpSpy is a Linux administrator's tool that logs information about incoming and outgoing TCP/IP connections: local address, remote address and, probably the most useful feature, the user name. The current version allows you to include and exclude certain users from logging, which may be useful if you suspect one of the users on your system is up to no good but do not want to violate the privacy of the other users.
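The user attribution TcpSpy and IP-masq-log describe rests on the kernel knowing which uid owns each socket, which on Linux is also readable from /proc/net/tcp. The following is an added example of reading that table, not code from either tool. The constructed sample assumes the column layout "sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...", a little-endian host (the kernel prints addresses in host byte order, so 0100007F is 127.0.0.1), and a uid-to-name map passed in by the caller (on a live system you would consult pwd instead).

```python
"""Attribute TCP connections to local users from /proc/net/tcp.

Added example of the attribution TcpSpy and IP-masq-log describe; it is not
either tool's code. Assumptions: the /proc/net/tcp column layout below, a
little-endian host, and a uid->name map supplied by the caller. The sample
table is constructed."""
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:0B5A 046433C6:0016 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C350 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1001        0 5679 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:C351 046433C6:0019 06 00000000:00000000 03:00000ABC 00000000     0        0 0 3 0000000000000000
   4: truncated line
"""


def decode_endpoint(field):
    """'HEXADDR:HEXPORT' -> (dotted address, port). Address is in host byte
    order (little-endian assumed here), the port is plain big-endian hex."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text, users):
    """One dict per socket row; rows with too few columns are skipped."""
    conns = []
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, lport = decode_endpoint(fields[1])
        remote, rport = decode_endpoint(fields[2])
        uid = int(fields[7])
        conns.append({"local": local, "lport": lport, "remote": remote, "rport": rport,
                      "state": TCP_STATES.get(fields[3], fields[3]), "uid": uid,
                      "user": users.get(uid, "uid%d" % uid), "inode": int(fields[9])})
    return conns


def established_by_user(conns):
    """Established connections grouped by the owning user. The uid is the socket
    owner: for an inbound connection accepted by a daemon it is the daemon's
    account, not the remote person, so attribution is most telling for outbound
    connections made by interactive users."""
    out = {}
    for c in conns:
        if c["state"] == "ESTABLISHED":
            out.setdefault(c["user"], []).append(
                "%s:%d -> %s:%d" % (c["local"], c["lport"], c["remote"], c["rport"]))
    return out


if __name__ == "__main__":
    import pwd
    users = {p.pw_uid: p.pw_name for p in pwd.getpwall()}
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for user, conns in sorted(established_by_user(parse_proc_net_tcp(table, users)).items()):
        for c in conns:
            print(user, c)
```

A polling reader like this can miss short-lived connections between two reads, which is why TcpSpy and IP-masq-log hook connection setup in the kernel rather than sampling; the table is still the quickest way to check who owns a connection you are looking at right now.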

 

Ncpquery 1.2
Simple Nomad
http://razor.bindview.com/tools/index.shtml

NCPQuery is an open source tool that allows probing of a Novell Netware 5.0/5.1 server running IP. It uses TCP port 524 to enumerate objects with public read access, disclosing such information as account names, server services, and other various objects.

 

Tailbeep 0.44
Tommy
http://soomka.com

Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified TTY (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall).
• Changes: added make rh60 so people with RedHat 6.x can make binaries for glibc20 systems.

 

SecurityFocus

IDSA 0.8
Marc Welz
http://jade.cs.uct.ac.za/idsa

IDSA is an intrusion detection system for Linux that aims to integrate host-based intrusion detection into the host and operating-system infrastructure. The system is currently incomplete (some features have not been implemented). It can be used as a system logger and as a tcpd (TCP wrapper) replacement.

 

KSSH 0.4.1
Andrea Rizzi, Kevin Lo
http://www.geocities.com/bilibao/kssh.html

KSSH is a simple KDE front-end for Secure Shell (ssh). It calls a terminal where it will execute an ssh call based on user-specified parameters (host, username, port, etc.).


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 16 November, 2000