By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to favourite free tools this week include: SSH server for NT, Nmap, Saint, Bugs/BCRYPT, NetSaint.
Interesting Documents: NT4/IIS4 Hardening Guide v1.1.
Tools for Windows include RIC, and PowerCrypt.
Firewalls for UNIX/Linux/BSD & Cross-platform: 8 other tools.
Tools for Linux/Unix/Cross Platform: 16 items this week.
SSH daemon for NT
http://www.shebeen.com/files/sshdnt.zip
This is the first SSH server I have come across for NT and it looks interesting. It ships without source code, but appears to be UNIX SSH 1.2.26 ported using the Cygnus libraries, and it uses UNIX-style configuration files.
- The install.bat script installs scp, ssh-keygen and sshd in %systemroot%\system32, configuration files in c:\etc, a Bourne shell (sh.exe) in c:\bin, generates an SSH host key and starts SSHD as a proper service. It also stops and starts VNC (if you have it).
- If not installing as Administrator, try the modified install.bat that (ignores VNC and) works for Users other than Administrator (but with admin rights). http://www.boran.com/security/sp/ssh/sshd_nt_install.bat
Also, put your user name in \etc\passwd (every NT user who is to be allowed to log in via SSH must be listed there), then regenerate the host key and start sshd:
ssh-keygen -b 1024 -f /usr/local/etc/ssh_host_key -N ''
sshd
- Although it takes a bit of effort to get going, this is an excellent tool for securely transferring files from a UNIX box to an NT box. The fact that NT accounts and passwords are used is an added bonus. The default configuration in sshd_config is quite tight.
- More documentation of the exact sources used and modifications would be welcome.
- The scp included is not as powerful as the one in PuTTY, and no ssh client is included, so you will still need your favourite SSH client (PuTTY, MindTerm, etc.).
Nmap
Fyodor
http://www.nmap.org
- wap-nmap 1.0.0
L33tdawg
http://www.hackinthebox.org/article.php?sid=1170
Wap-nmap lets you launch an nmap scan from a WAP-enabled device and pumps the results back to the device.
SAINT v. 3.1.1b2
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint
SAINT is a security scanning tool based on SATAN.
Changes: this version now includes the BIND DoS check, a check for some instances of the filename inspection vulnerability in Microsoft IIS, a check for Microsoft Terminal Server, and checks for new vulnerabilities in YaBB and phf. The false-alarm checking has been improved. This version also includes bug fixes.
BUGS/bcrypt 4.0.0
Sylvain Martinez
http://www.bcrypt.com (in French: http://www.bcrypt.com/index_fr.html)
BUGS is a private-key (symmetric) encryption algorithm, described by its author as strong and dynamic, together with a set of applications built on it. It is easy to use and includes sample applications and documentation. The cryptography library is multi-platform and can also be used in your own programs.
New CRYPTOGRAPHY ALGORITHM: BUGS V 4.0.0
New UNIX version: bugs v4.0.0
New Windows version: BCRYPT 4.1
New DOCUMENTATION: V4.0
Changes: this version is a major change and offers many more dynamic options. The new cryptography library BUGS v4.0.0 is NOT compatible with the older version. There are many changes and improvements; the library is more powerful than the previous one and the source code is much easier to read. Simon Huot managed to crack the old password generation algorithm (he has not managed to crack the file encryption algorithm). It seems better not to use the Random Seed (called "prob seed" in the previous version) when using BUGS as a password generator; this only affects Unix users who use BUGS as a password generator, and the new version corrects the problem. The lesson is general: a password generator should draw from an unpredictable source, not from a seed the user supplies. See http://www.bcrypt.com/crypto/doc/changes.txt for more information about the changes in version 4.0.0.
NetSaint Network Monitor
Ethan Galstad
http://www.netsaint.org
Nick Reinking has updated the netsaint_statd package.
Changes: Updates include bug fixes, expanded functionality for existing plugins, a new plugin for checking processes, and support for UnixWare 2.
Documents
- IIS and NT 4.0 Hardening Guide v1.1
Gavin Reid
http://www.shebeen.com/iis4_nt4sec.htm
Detailed instructions on tightening the security of an IIS 4.0 web server. Includes install and setup details, server configuration, hardening, registry edits, securing permissions, firewall ACLs, and SSHD. This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN, as it removes several of the services that NT relies on for default functionality.
Comment: An interesting addition is an SSH daemon for NT (without source code), which we tested above.
RIC - The Registry Key Integrity Checker
Forix Business Solutions
http://www.forixnt.com/tools.html
The Registry Key Integrity Checker (RIC) is a utility that NT administrators can use to perform integrity checking of specific NT Registry keys. Integrity checking by means of checksums has long been used to determine whether system files have changed, and it can now be used to do the same for NT Registry keys. By monitoring specific keys, NT administrators can determine whether or not changes have been made to them. Additionally, RIC is agentless, meaning that it can be run from a central location. The current release of RIC is a free limited demo. As feedback is collected from users, the utility will be expanded and a more fully-functional version released at a nominal fee.
Changes: the tool has been updated.
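As an added example of the technique RIC applies, not RIC's own code (which is not on this page), here it is in Python: the values under each monitored key are serialized canonically and hashed, the hashes form the stored baseline, and a later snapshot is checked against it. The key names, value data and both snapshots are constructed for the example; reading live keys with the winreg module is assumed and not shown.

```python
import hashlib
import json

# Constructed snapshots of the values under two monitored keys. On a real NT
# host they would be read with the winreg module (assumed, not shown here);
# the key names, values and data below are made up for this example.
BASELINE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "AntiVirus": ("REG_SZ", r"C:\AV\avmon.exe"),
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters": {
        "AutoShareServer": ("REG_DWORD", 0),
        "NullSessionPipes": ("REG_MULTI_SZ", ["COMNAP", "COMNODE"]),
    },
}
CURRENT_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "AntiVirus": ("REG_SZ", r"C:\AV\avmon.exe"),
        "Updater": ("REG_SZ", r"C:\TEMP\svchost.exe"),   # a value somebody added
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters": {
        "AutoShareServer": ("REG_DWORD", 1),                # data flipped from 0 to 1
        "NullSessionPipes": ("REG_MULTI_SZ", ["COMNAP", "COMNODE"]),
    },
}


def fingerprint(values):
    """Checksum of one key's values. Registry value names are case-insensitive,
    so they are lower-cased; the type is included so REG_SZ "1" differs from
    REG_DWORD 1; sorting plus compact JSON makes the encoding canonical."""
    canon = json.dumps(
        sorted((name.lower(), vtype, data) for name, (vtype, data) in values.items()),
        separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_baseline(snapshot):
    """Map each monitored key to its checksum; this is all that needs storing."""
    return {key: fingerprint(values) for key, values in snapshot.items()}


def compare(baseline, snapshot):
    """Report every monitored key as ok, modified or missing."""
    report = {}
    for key, expected in baseline.items():
        if key not in snapshot:
            report[key] = "missing"
        elif fingerprint(snapshot[key]) != expected:
            report[key] = "modified"
        else:
            report[key] = "ok"
    return report


def explain(old_values, new_values):
    """Value-level diff; only possible when the baseline values themselves were
    kept, not just their checksums."""
    changes = []
    for name in sorted(set(old_values) | set(new_values), key=str.lower):
        if name not in old_values:
            changes.append(("added", name))
        elif name not in new_values:
            changes.append(("removed", name))
        elif old_values[name] != new_values[name]:
            changes.append(("changed", name))
    return changes


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SNAPSHOT)
    for key, status in compare(baseline, CURRENT_SNAPSHOT).items():
        print(status, key)
        if status == "modified":
            print("   ", explain(BASELINE_SNAPSHOT[key], CURRENT_SNAPSHOT[key]))
```

A checksum-only baseline is compact and, like RIC, can be kept off the monitored host; the price is that it can only say that a key changed, not what changed, which is why the example keeps a value-level diff for the case where the baseline values were retained.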
PowerCrypt 2000 3.3
Orlin Velinov
www.ovsoft.it/powercry_eng.htm
OVSoft PowerCrypt 2000 is described by its author as an innovative and powerful file encoder for Windows 2000, Windows 3.x, Windows 95/98 and Windows NT, which protects your files with a "100% secure" encryption algorithm that neither the NSA nor the CIA can break. The algorithm is not named, so that claim cannot be evaluated; treat it as marketing. You can encode multiple files at a time, manage your archives and compress data to save disk space. The stated goals are maximum security, easy usage and fast encryption.
Astaro 1.718
Astaro AG
http://www.astaro.com/products/index.html
Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its web-based management tool and the ability to pull updates over the Internet, it is fairly easy to manage. It is based on a specially hardened Linux 2.4 distribution where most daemons run in chroots and are protected by kernel capabilities.
Fire-Waller 1.2.1
Jani Mikkonen
http://www.saunalahti.fi/~mikpija/unix/fire-waller
Fire-Waller reads the packet-filter entries out of your syslog and produces HTML output of the entries found. All addresses in the log files are resolved via a name server, and protocols/services are converted from numeric values to names.
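An added Python example of the same idea, not Fire-Waller's own code: iptables LOG entries are picked out of syslog text, grouped per source address, ports translated to service names, addresses reverse-resolved, and the result rendered as an HTML table. The log lines use RFC 5737 documentation addresses and are constructed; the resolver is injectable so the report can be built without network access.

```python
import html
import re
import socket
from collections import Counter, defaultdict

# Constructed sample syslog lines in the Linux 2.4 iptables LOG format, using
# RFC 5737 documentation addresses. They are not captured traffic and are not
# from the original page; the last line is ordinary syslog noise to be skipped.
SAMPLE_LOG = """\
Dec  7 10:15:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  7 10:15:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=4322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  7 10:15:09 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=1024 DPT=137 LEN=58
Dec  7 10:15:10 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=12347 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Dec  7 10:15:11 gw sshd[812]: Accepted password for alice from 198.51.100.9
"""

# netfilter LOG lines are a run of NAME=value tokens; flags such as DF have no "=".
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log(text):
    """Return one record per packet-filter line; lines without SRC=/DST= are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "SRC" not in fields or "DST" not in fields:
            continue
        proto = fields.get("PROTO", "?")
        # ICMP has no ports, so the message type stands in for the destination port.
        if proto == "ICMP":
            target = "type %s" % fields.get("TYPE", "?")
        else:
            target = fields.get("DPT", "?")
        records.append({"src": fields["SRC"], "dst": fields["DST"],
                        "proto": proto, "target": target})
    return records


def summarize(records):
    """Count hits per source address, keyed by (protocol, destination port or ICMP type)."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["src"]][(r["proto"], r["target"])] += 1
    return summary


def service_name(proto, target):
    """Map a numeric port to its /etc/services name; keep the number if unknown."""
    if proto not in ("TCP", "UDP") or not target.isdigit():
        return target
    try:
        return "%s (%s)" % (socket.getservbyport(int(target), proto.lower()), target)
    except OSError:
        return target


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Reverse-resolve an address; keep the dotted quad if there is no PTR record.
    The resolver is injectable so the report can be produced offline."""
    try:
        return resolver(ip)[0]
    except OSError:
        return ip


def render_html(summary, resolver=socket.gethostbyaddr):
    """Render the summary as an HTML table, busiest source first. Hostnames come
    from PTR records the remote side controls, so they are escaped."""
    rows = ["<tr><th>Source</th><th>Proto</th><th>Target</th><th>Hits</th></tr>"]
    for src in sorted(summary, key=lambda s: -sum(summary[s].values())):
        name = reverse_lookup(src, resolver)
        for (proto, target), hits in sorted(summary[src].items()):
            rows.append("<tr><td>%s</td><td>%s</td><td>%s</td><td>%d</td></tr>" % (
                html.escape(name), html.escape(proto),
                html.escape(service_name(proto, target)), hits))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_html(summarize(parse_log(SAMPLE_LOG))))
```

The escaping in render_html is not cosmetic: whoever owns the scanning address also owns its PTR record, so a reverse-resolved name is attacker-supplied text and must not land unescaped in an HTML report that an administrator will open in a browser.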
MonMotha's IPtables Masquerading Firewall 2.1.15 (devel)
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall/index.php
MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configured by modifying the options near the beginning of the script and does not need to be rerun every time the IP address changes, making it well suited to users with dialup connections. Many features, such as a built-in list of the root DNS servers (for people who run their own DNS servers), are available.
Changes: the list of root DNS servers was removed, since only other root DNS servers need zone transfers from them and they should run their own firewalls. This version now allows all ICMP in from the Internet, as it should (flood limiting is of course still in place).
Fwup 20000914
Raf
http://fwup.org
Fwup is a set of scripts (firewall, fwup and fwdown) that implement an IPchains firewall and various forms of network address and port translation. All you have to do is read the policy file and edit it to reflect your topology and filtering policy. It supports many different types of network topology (single host, traditional forwarding, masquerading, port forwarding, alias port forwarding and NAT), up to 10 untrusted interfaces each with its own policy, and over 50 network applications. Fwup depends on IPchains, IPmasqadm and ip (iproute2).
AGT 0.82 (devel)
Andy Gilligan
http://agt.sourceforge.net
AGT is a powerful front-end to IPtables. It allows all options to be specified in a few simple configuration files, letting you make complex changes to a firewall in a matter of seconds.
Reverb 0.1.0
Team Teso
http://teso.scene.at/releases.php3
The reverb tool is designed to tunnel through firewalls. It can relay passive-to-passive, active-to-active and active-to-passive sockets. The time options make it possible to have it connect periodically, setting up a tunnel at known times.
Firestarter 0.5.1
Tomas Junnonen
http://firestarter.sourceforge.net
Firestarter is a firewall tool for Linux that uses GNOME. You can use the wizard to create a basic firewall, then refine it with dynamic rules. You can open and close ports with a few clicks, or stealth your services, giving access only to a select few. It features a real-time hit monitor which you can watch as attackers probe your machine for open ports.
GuardDog 0.9.3
Simon Edwards
http://www.simonzone.com/software/guarddog
GuardDog is a user-friendly firewall generation/management utility for KDE on Linux. It lets you simply specify which protocols should be allowed and requires no knowledge of port numbers. It is intended for client machines and currently does not support router/gateway configurations. It generates scripts for IPchains.
Changes: sane defaults for new firewalls, RPM packages for Red Hat and Mandrake, and display glitch fixes.
Syslog-ng 1.4.10 - devel: 1.5.0
Balazs Scheidler
http://www.balabit.hu/products/syslog-ng
Syslog-ng is a syslogd replacement with new functionality for the new generation. The original syslogd can only sort messages by priority/facility pair; Syslog-ng adds the possibility to filter on message contents using regular expressions. The new configuration scheme is intuitive and powerful.
Features: filtering using regular expressions, log forwarding, hash protected log (planned in version 1.5), multi-platform. Requires libol-0.2.17.
Changes: this version fixes several bugs (including a remote DoS).
Squid 2.3 - devel: 2.4
Glenn Chisholm, Alex Rousskov and Duane Wessels
http://www.squid-cache.org
Squid is a full-featured Web proxy cache designed to run on Unix systems. It is free, open-source software, the result of many contributions by unpaid volunteers, with funding from the National Science Foundation. It supports proxying and caching of HTTP, FTP and other URLs, proxying for SSL, cache hierarchies, ICP, HTCP, CARP, Cache Digests, transparent caching, WCCP (Squid v2.3), extensive access controls, HTTP server acceleration, SNMP and caching of DNS lookups.
The Anomy mail sanitizer 1.32
Bjarni R. Einarsson
http://mailtools.anomy.net
The Anomy mail sanitizer is a filter designed to block email-based security risks such as Trojans and viruses. It can scan an arbitrarily complex RFC 822 or MIME message and remove or rename attachments, truncate unusually long MIME header fields and sanitize HTML by disabling JavaScript, etc. It uses a single-pass pure-Perl MIME parser, which can make it both more efficient and more precise than similar programs. The sanitizer has built-in support for third-party virus scanners.
Changes: the texts 'DEFANGED', 'BLACKLISTED' and 'PANIC' are now user-configurable. The documentation has been updated. Several bug fixes and updates. This revision "may" work around out-of-memory problems in the MIME::Base64 module under Solaris.
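The following Python, added here and not taken from the Anomy sanitizer, shows the three actions the description lists applied to a constructed multipart message: attachments with executable extensions are renamed (appending .DEFANGED, the marker Anomy's texts refer to), over-long header fields are truncated, and scripting is disabled in HTML parts. Only the standard library's email package is used; the extension list, the 256-byte header limit and the sample message are this example's own choices.

```python
import email
import re
from email import policy

# Constructed test message; not real mail and not from the original page.
SAMPLE_MAIL = b"""\
From: sender@example.net
To: victim@example.org
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body onload="alert(1)"><p>See attached.</p><script>document.location='http://example.net/x'</script></body></html>
--XX
Content-Type: application/octet-stream; name="invoice.doc.exe"
Content-Disposition: attachment; filename="invoice.doc.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XX
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--XX--
"""

# Extensions Windows executes on double-click (example list); renaming breaks that.
DANGEROUS_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|hta|wsh)$", re.I)
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
EVENT_ATTR_RE = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)
MAX_HEADER_LEN = 256  # example limit for a single header value


def parse(raw):
    """Parse raw bytes with the modern (non-compat32) email policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def sanitize_html(text):
    """Disable scripting: drop <script> blocks and on* event-handler attributes."""
    text = SCRIPT_RE.sub("<!-- script DEFANGED -->", text)
    return EVENT_ATTR_RE.sub("", text)


def truncate_headers(part, limit=MAX_HEADER_LEN):
    """Cut unusually long header values down to size; returns the names touched."""
    truncated = []
    for name, value in part.items():
        if len(value) > limit:
            part.replace_header(name, str(value)[:limit])
            truncated.append(name)
    return truncated


def sanitize(raw):
    """Parse a message and return (sanitized message, list of actions taken)."""
    msg = parse(raw)
    actions = []
    for part in msg.walk():
        for name in truncate_headers(part):
            actions.append(("truncated-header", name, None))
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname and DANGEROUS_EXT.search(fname):
            new_name = fname + ".DEFANGED"
            part.set_param("filename", new_name, header="Content-Disposition")
            if part.get_param("name") is not None:
                part.set_param("name", new_name, header="Content-Type")
            actions.append(("renamed", fname, new_name))
        if part.get_content_type() == "text/html":
            part.set_content(sanitize_html(part.get_content()), subtype="html")
            actions.append(("defanged-html", fname, None))
    return msg, actions


if __name__ == "__main__":
    cleaned, log = sanitize(SAMPLE_MAIL)
    for action in log:
        print(action)
    print(cleaned.as_string())
```

Renaming only defeats the mail client's file-type association; it does not inspect the content, which is why a sanitizer of this kind also hooks in a virus scanner. The regular-expression HTML cleaning is the same approach the page describes, and like any regex-based defanging it is a blocklist: new script vectors (for example attributes or tags it does not know) pass through, so the safer configuration is to strip HTML parts altogether where the organisation can live without them.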
LIDS 0.9.1 - devel: 0.9.11-2.2.17
Xie Hua Gang and Biondi Philippe
http://www.lids.org
The Linux Intrusion Detection System is a kernel patch which enhances the kernel's security. When it is in effect, many system administration operations can be made impossible even for root. You can turn the protection on or off on the fly, hide sensitive processes, and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.
Changes: the new development version 0.9.11 for 2.2.17 has been released.
Network Security Analysis Tool 1.23
Mixter and 2XS Ltd.
http://mixter.warrior2k.com/nsat-1.23.tgz
NSAT is a fast, stable bulk security scanner designed to audit remote network services: it checks versions and security problems, gathers information about the servers and the machine, and much more. Unlike many other auditing tools, it can collect information about services independently of vulnerabilities, which makes it less dependent on frequent updates as new vulnerabilities are found.
IPlog 2.2.2
Ryan McCabe
http://ojnk.sourceforge.net
IPlog is a TCP/IP traffic logger capable of logging TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags, TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. It currently runs on Linux, FreeBSD, OpenBSD, BSD and Solaris.
Changes: IPlog now has the ability to detect TCP SYN scans, and has been fixed to allow greater portability.
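An added Python example (not IPlog's code) of the TCP detections IPlog's description lists: malformed-flag probes (null, lone FIN, Xmas, SYN+FIN) are recognised from a single packet, while a SYN scan is inferred from one source sending bare SYNs to many distinct ports within a time window. The packet records, the port threshold and the window are constructed for the example.

```python
from collections import defaultdict

# Constructed packet records: (timestamp in seconds, source, destination port,
# TCP flags in tcpdump letters: S=SYN A=ACK F=FIN R=RST P=PSH U=URG).
# They are made up for this example and are not from the original page.
SAMPLE_PACKETS = [
    (0.0, "203.0.113.9", 22, "S"),
    (0.2, "203.0.113.9", 23, "S"),
    (0.4, "203.0.113.9", 25, "S"),
    (0.6, "203.0.113.9", 80, "S"),
    (0.8, "203.0.113.9", 110, "S"),
    (1.0, "203.0.113.9", 143, "S"),
    (5.0, "198.51.100.4", 80, "S"),     # one ordinary connection attempt ...
    (5.1, "198.51.100.4", 80, "A"),     # ... and its handshake completing
    (9.0, "203.0.113.30", 22, ""),      # no flags at all: NULL probe
    (9.1, "203.0.113.30", 22, "FPU"),   # FIN+PSH+URG: Xmas probe
    (9.2, "203.0.113.30", 22, "F"),     # lone FIN probe
    (9.3, "203.0.113.30", 22, "SF"),    # SYN and FIN together never occur legitimately
]

SYN_SCAN_PORTS = 5       # distinct ports SYN'd from one source ...
SYN_SCAN_WINDOW = 10.0   # ... within this many seconds counts as a SYN scan


def classify_flags(flags):
    """Name the malformed-flag probes that need no history; None for normal packets."""
    f = set(flags)
    if not f:
        return "null scan"
    if "S" in f and "F" in f:
        return "bogus flags (SYN+FIN)"
    if "S" in f and "R" in f:
        return "bogus flags (SYN+RST)"
    if f == {"F", "P", "U"}:
        return "xmas scan"
    if f == {"F"}:
        return "fin scan"
    return None


def detect(packets, ports=SYN_SCAN_PORTS, window=SYN_SCAN_WINDOW):
    """Return (timestamp, source, port, event) tuples for probes found in the stream."""
    events = []
    syn_history = defaultdict(list)   # source -> [(timestamp, port)] of recent bare SYNs
    reported = set()                  # sources already reported as SYN scanners
    for ts, src, dport, flags in packets:
        kind = classify_flags(flags)
        if kind:
            events.append((ts, src, dport, kind))
            continue
        if set(flags) != {"S"}:
            continue                  # established traffic is of no interest here
        # keep only SYNs inside the window, then count distinct ports
        recent = [(t, p) for t, p in syn_history[src] if ts - t <= window]
        recent.append((ts, dport))
        syn_history[src] = recent
        distinct = {p for _, p in recent}
        if len(distinct) >= ports and src not in reported:
            reported.add(src)
            events.append((ts, src, dport,
                           "syn scan (%d ports in %.0fs)" % (len(distinct), window)))
    return events


if __name__ == "__main__":
    for ts, src, port, kind in detect(SAMPLE_PACKETS):
        print("%6.1f  %-14s port %-5d %s" % (ts, src, port, kind))
```

The flag-based cases are reliable because the combinations never occur in a legitimate handshake; the SYN-scan rule is a threshold and needs tuning per site, since a busy client legitimately opens several ports on one server in a short time, and a patient scanner spreads probes beyond any fixed window.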
Solpromisc 1.0
UDP - Digital Security Architect
http://www.low-level.net/udp/projects.html
Solpromisc is a kernel module which you can load to detect attempts to put devices into promiscuous mode from user space via DLPI (e.g. solsniff, tcpdump, anything pcap-based). It dumps the cred struct of the process, and the driver responsible, to the dmesg output buffer for collection by syslog.
Pakemon 0.3.0
Keiji
http://www.sfc.keio.ac.jp/~keiji/ids/pakemon
Pakemon has been developed to share IDS components under the open source model. The current version of Pakemon monitors all traffic on a network, searches for given data patterns in the traffic and outputs session logs and summary logs of the matched traffic. Pakemon has been tested on Red Hat Linux 6.2j, OpenBSD 2.7, FreeBSD 3.3 and NetBSD 1.4.
Linux BSM, The Linux Basic Security Module 0.60
University of California at Davis
http://soledad.cs.ucdavis.edu
The Linux Basic Security Module (Linux BSM) is an initiative of the University of California at Davis to provide a comprehensive auditing package for Linux that is fully compliant with the U.S. Government's C2 standard for security. C2 is defined in the standards document "Trusted Computer System Evaluation Criteria, DOD standard 5200.28-STD, December 1985", more commonly called (because of its cover) the Orange Book. Specifically, Linux BSM is an auditing tool that aims to bring the capabilities of Sun's Solaris Basic Security Module to Linux. Linux BSM monitors and records system events at the kernel level, allowing the system administrator to keep a watchful eye on the activities of the system.
TcpSpy 1.2
Tim J. Robbins
http://box3n.gumbynet.org/~fyre/software
TcpSpy is a Linux administrator's tool that logs information about incoming and outgoing TCP/IP connections: local address, remote address and, probably the most useful feature, the user name. The current version allows you to include and exclude certain users from logging; this may be useful if you suspect one of the users on your system is up to no good but do not want to violate the privacy of the others.
Drall 1.3.0.0
Henrik Edlund
http://www.edlund.org/hacks/drall/index.html
Drall is a script which allows users to access their directories and files remotely without using insecure FTP and telnet. It lets the user treat the remote file system as if it were on their local hard disk, through a normal web browser. The interface resembles the well-known Norton Commander (of DOS fame) and Midnight Commander (of UNIX fame). A dual-frame interface makes it easy to get an overview of the file system, and the modular design means you only use the features you need. Drall is written in Perl for easy customization and expansion.
Pdump 0.8
Samy Kamkar
http://pdump.lucidx.com
Pdump is a highly configurable packet sniffer written in Perl that dumps, greps, monitors, creates and modifies traffic on a network. It combines many of the features found in tcpdump, ngrep, tcptrace, dsniff (and its webspy and urlsnarf), pfilt, macof and xpy, and lets users add their own modifications via a plug-in system. It can do passive operating system detection/fingerprinting, and has enough built-in logic to watch streaming packets and then create its own packets to act on a connection, for example killing open TCP connections within any connection on the local network, going into or out of the network.
VTun 2.4b1
Maxim Krasnyansky
http://vtun.sourceforge.net
VTun is the easiest way to create virtual tunnels over TCP/IP networks with traffic shaping, compression and encryption. It is a user-space implementation and needs no kernel modifications. VTun supports IP, PPP, SLIP, Ethernet and other tunnel types. It is easily and highly configurable and can be used for various network tasks such as VPN, Mobile IP, shaped Internet access, Ethernet tunnelling, IP address saving, etc.
SILC (Secure Internet Live Conferencing): 20001120 Development Version
Pekka Riikonen
http://silc.pspt.fi
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. Strong cryptographic methods are used to secure all traffic.
Webmin 0.83
J. Cameron
http://www.webmin.com/webmin
Webmin is a web-based interface for Unix system administration. Using any browser that supports tables and forms (and Java for the File Manager module), Webmin lets you set up user accounts, Apache, DNS, file sharing, etc. Webmin consists of a simple web server and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl 5 and use no external modules. Webmin runs on any Linux platform supporting Perl, and on Solaris and other Unix systems.
PasswdGen - Random Password Generator 2.2
Denis Lemire
http://www.members.home.com/denisl/passwdgen
PasswdGen is a random password generator. It has various command-line options for controlling the types of characters to include, the password length, and even which hand the password can be typed with on a QWERTY keyboard.
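As an added example rather than PasswdGen's own code, the following Python generates passwords with the same options (character classes, length, one-hand typing) while drawing every choice from the secrets module, i.e. the operating system's CSPRNG; that is the remedy for the weakness noted in the BUGS entry above, where passwords derived from a user-supplied seed were cracked. The hand-to-key mapping for a US QWERTY layout and the symbol set are this example's assumptions.

```python
import math
import secrets
import string

# Keys reachable by each hand on a US QWERTY layout (an assumption made for
# this example); the shifted symbols follow the digit row.
LEFT_HAND = set("qwertasdfgzxcvbQWERTASDFGZXCVB12345!@#$%")
RIGHT_HAND = set("yuiophjklnmYUIOPHJKLNM67890^&*()")

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()",   # example symbol set
}


def generate(length=12, classes=("lower", "upper", "digit", "symbol"), hand=None, rng=secrets):
    """Build a password containing at least one character from every requested class,
    optionally restricted to one hand. rng must offer choice() and randbelow(); the
    default is the secrets module (the OS CSPRNG), never a user-supplied seed."""
    if hand is None:
        allowed = None
    elif hand == "left":
        allowed = LEFT_HAND
    elif hand == "right":
        allowed = RIGHT_HAND
    else:
        raise ValueError("hand must be None, 'left' or 'right'")
    pools = []
    for cls in classes:
        pool = [c for c in CLASSES[cls] if allowed is None or c in allowed]
        if not pool:
            raise ValueError("no %s characters available for the %s hand" % (cls, hand))
        pools.append(pool)
    if length < len(pools):
        raise ValueError("length %d cannot cover %d character classes" % (length, len(pools)))
    # One character from each class guarantees coverage; the rest come from the union.
    chars = [rng.choice(pool) for pool in pools]
    union = sorted(set().union(*pools))
    chars += [rng.choice(union) for _ in range(length - len(pools))]
    # Fisher-Yates shuffle driven by the same CSPRNG, so the position of each
    # class-mandated character is not predictable either.
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, pool_size):
    """Upper bound on the entropy of a password drawn uniformly from pool_size symbols;
    forcing class coverage and one-hand typing can only lower it."""
    return length * math.log2(pool_size)


if __name__ == "__main__":
    print(generate(16))
    print(generate(12, hand="left"))
    print("%.1f bits" % entropy_bits(12, sum(len(v) for v in CLASSES.values())))
```

Restricting to one hand is a usability option with a security cost: the alphabet roughly halves, so an eight-character left-hand password has several bits less entropy than the same length drawn from the full set, and length has to make up the difference.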
Note: tools announced on forums like SecurityFocus are not necessarily updates, new, or free; it is just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 07 December, 2000