Weekly Security Tools Digest
2000/12/09 to 2000/12/15

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include: Portable OpenSSH, sftp, AES encryption, Apache and Linux Kernel.

Auditing and Intrusion Monitoring tools include Nmap, Snort, SAINT, libnids and 8 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include 5 tools and FwLogWatch which looks interesting.

Tools for Linux/Unix/Cross Platform include AMaViS, Immunix and 13 other tools. Generic Software Wrappers Toolkit 1.5.0 is a completely new tool in the digest and seems to be of interest.

Tools for Windows include 12 tools (most of them come from Foundstone).


General Tools

SSH

This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.
• Changes: OpenSSH is also designed to run on MacOS X.

Sftp is an ftp replacement that runs over an SSH tunnel. Two programs are included - sftp and sftpserv.
• Comment: no new release of 0.9.6, but the author noted that sftp should work with ssh1, ssh2 (although early versions of F-secure ssh2 don't work for some reason), and rsh (if rsftp is used), with all known forms of authentication. If it doesn't work in some configuration, it's a bug and should be fixed.

 

Apache 1.3.14 - Apache 2.0a Alpha
Apache Software Foundation and The Apache Server Project
http://www.apache.org/dist

Apache 2.0a Alpha is now available for alpha testing.
• Changes: new alpha version 2.0a. For more information about the changes, please consult http://www.apache.org/dist/CHANGES_2.0a

 

AES Encryption for Shell Scripts 0.6 (devel.)
Eric Lee Green and Randy Kielber
http://aescrypt.sourceforge.net

AES Encryption for Shell Scripts provides strong encryption/decryption using the Advanced Encryption Standard algorithm "Rijndael" to do 128-bit encryption. This program was deliberately kept extremely simple. It is not intended to be a full encryption solution; it is intended to be used within scripts as part of a complete solution. Key chain management, public key signatures, etc. are all expected to be done external to this program.
• Current limitations: the keyfile is not encrypted. The keysize (= 128 bits) is hard-coded at the moment, despite any documentation to the contrary (it needs a "-s" option to specify key size). AES Encryption for Shell Scripts needs a key generator: this should be a simple shell script (use dd to grab some data, then md5sum to create a hex mix of that data, then 'awk' to grab the hex part of the output of md5sum). It relies upon having /dev/urandom (see the Ocotillo PRNG if you don't have a /dev/urandom).

 

Linux-2.2.18
http://www.kernel.org

New version 2.2.18 of Linux Kernel. The latest beta version of the Linux kernel is 2.4.0-test12.
• Changes: This is the newest stable release. Contains additional 2.4test ABI calls for controlling how capabilities are handled when using setuid calls. Complete changelog available at http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.18.log.

 


Auditing and Intrusion Monitoring Tools

Nmap
Fyodor
http://www.nmap.org

Wap-Nmap enables an Nmap scan from a WAP enabled device and pumps the results back to the device.
• Changes: new version 1.0.1. Now works better with hand phones.

 

Snort 1.7 beta8
http://www.snort.org

• New beta release: new version 1.7 beta8 has been released. No information about updates and changes.
• Updated Ruleset - by Jim Forster. I've updated the current snortfull.conf file today, with some repairs and updated information on many of the rules. (MANY thanks to Joe McAlerney and Roel Jonkman of Silicon Defense for the work on this!). Updates include CVE References, BUGTRAQ IDs, and MCAFEE IDs. McAfee ID's for the Virus and Worm rules can be looked up at http://vil.nai.com/vil/dispVirus.asp?virus_k=ID NUMBER. As usual, let me know of any problems with this release. You can download this updated set at http://www.snort.org/snort-files.htm#Rules

 

SAINT v. 3.1.1
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

Saint is a security scanning tool based on Satan.
• Changes: new vulnerability checks in this version: check for Microsoft PhoneBook Server, check for multiple vulnerabilities in Serv-U FTP Server, check for vulnerability in MailMan. This new version also fixes source code to compile on non-ANSI C compilers.

 

Libnids 1.16
Rafal Wojtczuk
http://www.packetfactory.net/Projects/Libnids

Libnids is an implementation of an E-component of a Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection. The most valuable feature of libnids is reliability. A number of tests were conducted, which proved that libnids predicts the behavior of protected Linux hosts as closely as possible. Libnids is highly configurable at run-time and offers a convenient interface. Currently it compiles on Linux, *BSD and Solaris. A WIN32 port is maintained separately. Using libnids, one gets convenient access to data carried by a TCP stream, no matter how artfully obscured by an attacker. You may have a look at a sample application.
• Changes: release forced by a security bug. A typo in libnids.c could cause libnids to segfault when a source-routed frame is received.

 

FreshMeat

FCheck 2.07.55
Michael A. Gumienny
http://sites.netscape.net/fcheck/fcheck.html

FCheck is a PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done in as little as one minute intervals if a system's drive space is small enough, making it very difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use. It runs under Unix and Windows NT/9x/3.x.
• Changes: new version 2.07.55 available - no further information regarding enhancements or changes.

 

Qaudit.pl 02
Vade79
http://www.fakehalo.org

Qaudit.pl is a script for quickly auditing .c and .cc source files. It checks for standard stack/heap overflows, format bugs, exec calls, env vars and miscellaneous functions related to possible security issues. This may not always be the best way to go about auditing, since it is not as good as doing it by hand, but I have found it to be rather useful for simple auditing.
• Changes: version 02 released.

 

Uptime Client 4.14 - Devel: 4.2.1.17
Alex de Haas
http://uptimes.atomicvoid.net

Uptime Client is a little program that keeps track of your uptime and sends it to a server where you can compare it to many other hosts and browse through various statistical information.
• Changes: new development version 4.2.1.17 released. The version numbering of the Uptime Client has changed (read the README for an explanation). The client has been updated for the Uptimes Protocol 4.2 (for details: http://www.uptimes.net/stuff/protocol.html). Initial attempts to add support for a configuration file - in other words: it's there, but it's dirty. This version includes a better Makefile, and the code and code layout have been cleaned up. The INSTALL and README files have been updated.

 

Linux dshield.org Perl Client 0.1
Rob Casey
http://www.dshield.org

The Linux dshield.org Perl Client package consists of an updated Linux dshield.org Perl client for submitting kernel firewall filter log entries to dshield.org. It has been written to implement tighter coding and better processing than the Perl client currently available on dshield.org.

 

PacketStorm

TcpSpy 1.4
Tim J. Robbins
http://box3n.gumbynet.org/~fyre/software

TcpSpy is a Linux administrator's tool that logs information about incoming and outgoing TCP/IP connections: local address, remote address and, probably the most useful feature, the user name. The current version allows you to include and exclude certain users from logging - this may be useful if you suspect one of the users on your system is up to no good but do not want to violate the privacy of the other users.
• Changes: new version 1.4 released. This version allows logging of the filename of the executable that created or accepted connections. Assorted bug fixes and code cleanups. Too many changes between version 1.2 and 1.3 to mention here, please see the TcpSpy for details. The major difference is the addition of the 'rule engine'.

 

Integrity checking utility (ICU) 0.1
Andreas Östling
http://nitzer.dhs.org/ICU/ICU.html

ICU (Integrity Checking Utility) is a PERL program used for executing AIDE filesystem integrity checks on remote hosts from an ICU server and sending reports via email. This is done with help from SSH.

 

SecurityFocus

Distributed Port Scanner 0.0.1
Chris Bechberger
http://www.geocities.com/bechberger

Distributed Port Scanner consists of a server that controls clients and tells them what port on the target machine to scan.

 


Firewalls for UNIX/Linux/BSD & Cross-platform

FreshMeat

Zorp 0.6
Balazs Scheidler
http://www.balabit.hu/products/zorp

Zorp is a new generation proxy firewall suite running on Linux platforms. Its core framework allows the administrator to fine-tune proxy decisions (with its built in script language), fully analyze complex protocols (like SSH with several forwarded TCP connections) and utilize outband authentication techniques (unlike common practices where proxy authentication had to be hacked into the protocol). FTP and HTTP protocols are fully supported with an application-level proxy.
• Changes: first stable version Zorp 0.6.0 released.

 

FwLogWatch-0.0.27
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

FwLogWatch analyzes the IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following features:
• Log summary mode: options to find and display relevant patterns in connection attempts. Intelligent selection of certain fields. It can separate recent from old entries and detects time-warps in log files. It includes plain text and HTML output with sort options. Integrated resolver for protocols, services and host names. Own DNS cache for faster lookups. Detects and processes IPchains, netfilter/iptables and Cisco log entries.
• Interactive report mode: the integrated report generator fills and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response and coordination centers (CERT/CC). Supports templates and incident number generation. All fields can be adjusted as needed interactively.
• Real-time response mode: the program detaches and stays in the background as a daemon. It detects if the necessary IPchains rules with logging turned on exist. Response can be a notification (a log file entry, an email or a remote winpopup message), a firewall modification or anything that can be invoked in a shell. In block mode a new chain for FwLogWatch is added and attackers are completely blocked with new firewall rules. Supports trusted hosts (anti-spoof).
• Changes: Solaris portability patches, added at_least option, added basic Cisco support, added basic netfilter support, extended the man page and added some options to the command line that were available only in the configuration file, improved web interface, colors of the HTML output can be changed in the configuration file, multiple actions can be combined in real-time response mode, added mail notification option to real-time response mode, added sort order options, added daemon status display through own web server. Various small fixes, several internal optimizations and various fixes and code cleanups.
• Comment: FwLogWatch is updated on a regular basis. It seems to be a really good tool that should be tested by people interested in firewalls.

 

MmTcpFwd 0.4b
Matthew Mondor
http://mmondor.rubiks.net

MmTcpFwd is a port forwarder daemon for Linux firewalls, a superserver which starts a standalone, non-root daemon per service. It can limit the number of IPs and the number of connections per IP, auto-DENY IPs upon an exceeded connection threshold, or fake services a la portsentry. It uses a single configuration file.
• Changes: this new version includes a security enhancement: noticed that the non-root port forwarders still had some file descriptors open from the parent process, resulting from fork() duplication; children now immediately close them before starting their normal operations. This also leaves more free file descriptors for the system and normal forwarding activities. This fix resulted more from paranoia than from actual risks; if the remote user was somehow able to buffer overflow with some code to use the descriptors, it could have become a security risk. My fd functions are very safe against that, however, and not running as root also secures things a lot; mmidentd, a fake MASQ-compatible ident server I wrote, also has all those security enhancements, as it is made to run on firewalls. Version 0.4b now includes a standard Makefile: it allows easier compilation using the CFLAGS env var, can now link with shared libraries, and makes the executable much smaller. It also permits make clean and make uninstall.

 

Defcon4 v4.5
Brad Welch
http://freshmeat.net/projects/defcon4

Defcon4 is a good starting-point firewall script to use with IPchains and tweak to the user's needs. It has been tested on Redhat 5.x and 6.x, with all kernels above 2.2.x.
• Changes: version 4.5 of Defcon4 released - no further information regarding enhancements or changes.

 

Ferm 0.0.8
Auke Kok
http://www.geo.vu.nl/~koka/ferm

Ferm compiles ready-to-go firewall rules from a structured rule-setup. These rules will be executed by the preferred kernel interface, such as IPchains and IPtables. Ferm will also aid in modularizing firewalls, because it makes it possible to split up the firewall into several different files, which can be loaded at will, so you can dynamically adjust your rules.

 

SecurityFocus

Firewall Log Daemon 1.2
Ian Jones
http://www.speakeasy.org/~roux/dmn

Firewall Log Daemon is a program written in C which will watch for IPchains or iptables log alerts in real-time. The program will start a small daemon process that parses and resolves firewall logs by reading a FIFO that syslog writes to. It can queue a batch of alerts and mail them to you, or can be used in a script to crunch an existing log file or data stream. It features hostname, port, protocol, and ICMP type/code lookup, with output formatted by a user-defined template.
• Changes: Implemented output preprocessor templates: user definable output templates. If no output template is defined, the hard-coded output will result. Changed command line options: "-t <template>" to designate output template, "-l <logfile>" to override hardcoded default logfile, "-m" for mixed logging environments (tables and chains together), "-e <mail>" to specify the email target in daemon mode, "-s" to disable extended port lookups (use getservbyport instead). Moved icmp lookups to file access instead of hardcoded. Fixed problems with buffer file, no more lost logs between reboots. Fixed pid file not being deleted if daemon aborts at startup. Included routines for user setup errors. Fixed internal buffer overrun hazard, memory checks. Fixed signal handling to use sigaction instead of signal().

 


Tools for UNIX/Linux/BSD & Cross-platform

AMaViS
Christian Bricart
http://www.amavis.org

AMaViS is a mail virus scanner tool.
• Changes: An AMaViS Security Announcement was released addressing a potential hole for script viruses which has been fixed in AMaViS-Perl-10. We strongly advise you to upgrade. It fixes a potential hole for script viruses as well as a few problems with configure. Get it from this server or SourceForge. See Sourceforge for the release announcement.

 

Immunix System 7 (Beta)
Immunix
http://www.immunix.org/download2.html

Immunix System 7 is based mostly on the Redhat Linux 7.0 distribution. It has been rebuilt with the latest (as of October 2000) Immunix Stackguard enhancements to the egcs compiler and Immunix FormatGuard enhancements to the glibc libraries. We have also included the Immunix Subdomain kernel module and OpenWall kernel patch for added security.

 

Egressor 1.0
MITRE's Cyber Resource Center Development Team
http://www.packetfactory.net/Projects/Egressor

MITRE has released a freeware tool that allows a company to check the configuration of their Internet point-of-presence router. The tool will help companies determine whether their routers are configured to the Help Defeat Denial of Service Attacks guidelines. This configuration of egress filtering reduces the chance that their computers can unwittingly contribute to a distributed denial of service attack. The tool has two parts; a generator and a receiver. The test generator (or "client") is being provided as C source code and the test receiver (or "server") is a PERL script. Both are currently known to work on LINUX, and the server also works on Solaris.

 

unrm v0.91
Octavian Popescu
http://hideout.art.ro

Unrm is a small linux utility which can, under some circumstances, recover almost 99% of your erased data (similar to DOS's undelete).
• Changes: for more accuracy, searches your data among all the erased data in that day.

 

FreshMeat

Generic Software Wrappers Toolkit 1.5.0
NAI Labs SEE Group
http://www.pgp.com/research/nailabs/secure-execution/wrappers.asp

The Generic Software Wrappers Toolkit allows you to wrap closed-source applications to constrain or transform their behavior. Wrappers are written that intercept system calls and other system events, and allow you to deny, transform, log, or augment the system events. They are written in a custom language that abstracts away many of the gritty issues, allowing the wrapper author to concentrate on policy. Sample wrappers include dbfencrypt, which provides transparent access to "encrypted" files; controlledx, which limits the programs a process can execute; and id-seq, a trainable sequence-based intrusion detection wrapper.

 

PAM SecureMediaXS 1.5
Igmar Palsenberg
http://projects.jdimedia.nl/index.phtml?ID=crypto

PAM SecureMediaXS is a PAM module that authenticates a user using challenge-response. All tokens that support ANSI X9.9 are currently supported and it provides full support for CryptoCard RB1 tokens. With PAM SecureMediaXS module, authentication works the following way: the computer asks the user who he is; this is the normal Login: prompt. Then the computer generates a random number and this number is given to the user. The random number is DES-encrypted with the user's 56 bit key. The user punches the random number into his calculator, and types in the return-value and finally the computer compares the response the user punched in with his own calculation. If the two calculations match, the user is who he claims to be, and is granted access. Otherwise access is denied.

 

Mmidentd 0.1b
Matthew Mondor
http://mmondor.rubiks.net/software.html

Mmidentd is a standalone ident server which can be run on masquerading Linux gateways/firewalls. It has security and capabilities similar to mmtcpfwd (see the Firewall section above). For example, it runs as a non-root user and communicates with an internal counterpart (running with root privileges) through a private pipe to allow DENYing any IP abusing connection limits. It can handle many connections at once if wanted, and it uses pthreads.
• Notice: first public release.

 

PacketStorm

MimeDefang 0.6
Roaring Penguin Software - David F. Skoll
http://www.roaringpenguin.com/mimedefang

MIME Defanger is a flexible MIME e-mail scanner designed to protect Windows clients from viruses and other harmful executables. It works with Sendmail 8.10 / 8.11 and will alter or delete various parts of a MIME message according to a flexible configuration file.
• Changes: Built-in re_match functions are case-insensitive, fixes for problems with MS Outlook clients, integration with the H+BEDV virus-scanner, more flexible filter and action specifications, and a new requirement of Sendmail 8.11.

 

RenAttach 0.14
Jem Berkes
http://www.pc-tools.net/linux

RenAttach is an e-mail filter/processor that runs from a user's .forward file (or Sendmail). It is designed to protect end users (particularly those using Windows) from malicious e-mail attachments containing viruses or Trojans. It does NOT scan specifically for viruses, but rather renames e-mail attachments so that they can not be accidentally executed. It handles both UUEncoded and Mime encoded attachments. All incoming mail is instantly, automatically filtered.

 

Rule Set Based Access Control - Rsbac 1.1.0
Amon Ott
http://www.rsbac.org

Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) and provides a flexible system of access control implemented with the help of a kernel patch. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.
• Changes: this version was ported to 2.4.0-test11. sys_mmap and sys_mprotect are now intercepted.

 

Stealth Kernel Patch 2.2.18
MadCamel
http://www.energymech.net/madcamel/fm

Stealth IP Stack is a kernel patch for Linux 2.2.18 which makes your machine almost invisible on the network without impeding normal network operation. Many denial of service attacks, such as stream, are much less effective with this patch installed, and port scanners slow to a crawl. It works by restricting TCP RST packets (no "Connection Refused"), restricting ICMP_UNREACH on UDP (prevents UDP portscans), and restricting all ICMP and IGMP requests. A sysctl interface is used so these features can be turned on and off on the fly.
• Changes: new version 2.1.18. Stealth has been ported to Linux 2.2.18.

 

Defile v.1
Sil
http://www.antioffline.com

Defile v.1 is a shell script which automates the secure removal of trivial files such as cookies, cache, etc., as well as old and unnecessary files such as core dumps, dead.letters, etc. It uses a package which ensures a pseudo-random wiping compliant with the U.S. Department of Defense standard, and adds an hourly cron to ensure those files are wiped.

 

SecurityFocus

Drall 1.2.0.2 - devel: 1.3.4.0
Henrik Edlund
http://www.edlund.org/hacks/drall/index.html

Drall is a script which allows users to access their directories and files remotely without the need to use insecure FTP and telnet. It enables the user to treat the remote file system as if it were on their local hard disk through a normal web browser. The interface resembles the well known Norton Commander (of DOS fame) and Midnight Commander (of UNIX fame). A dual-frame interface makes it easy to see an overview of the file system, and the modular design means you only use the features you need. Drall is written in Perl for easy customization and expansion.
• Changes: New development version 1.3.4.0. Added a check so that there actually is an authenticated user before trying to do any suid stuff, and fixed so that the username and session variables in the script URL are escaped.

 

Averist 1.1.0.2
Henrik Edlund
http://www.edlund.org/hacks/averist/index.html

Averist is a module that adds an authentication layer to any CGI application written in Perl. It supports initial authentication through CGI (form), and it can use CGI (hidden form fields) or cookies for re-authentication after a configurable timeout. It can also use a local or remote SQL database or DBM file for storing the session keys for increased security. The username and password check at the initial authentication can be done via an LDAP directory, an SQL database, a DBM file, or a passwd style file. Averist is written in Perl for easy customization and expansion.

 

LinearC Beta
KPL - Knowledge Propulsion Laboratory
http://linearc.kplab.com/download.html

KPL, or Knowledge Propulsion Laboratory, has opened beta testing for LinearC, a privacy-protecting filtering proxy. LinearC was first announced at Toorcon Security Expo in a talk by KPL's Chief Scientist. Privacy vulnerabilities relating to the :CueCat, images loaded through FTP and others are taken care of. In addition, cookies are stored on the proxy and easily expired or deleted. It runs under FreeBSD, Linux, MacOS, Windows 2000, Windows 95/98 and Windows NT.

 


Tools for Windows

PacketStorm

NTLast 3.0
Foundstone
http://www.foundstone.com/resources/tools.html

NTLast v3.0 is a security audit tool for Windows NT. It can help identify and track who has gained access to your system, and document the details. Includes raw time output for Excel analysis and additional features for Webmasters.

 

Forensic Toolkit 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

Forensic Toolkit v2.0 is a file properties analyzer designed to examine NTFS files on a disk drive for unauthorized activity. Lists files by their last access time, search for access times between certain time frames, and scan the disk for hidden files and data streams. Dump file and security attributes. Report on audited files. Discover altered ACL's. See if a server reveals too much info via NULL sessions.

 

Patchit 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

Patchit v2.0 is a file byte-patching utility. This is driven by a simple scripting language. It can patch sequences of bytes in any file, search for byte patterns (with wildcards) and also extract and utilize DLL exported function addresses as source positions in files to be patched.

 

Attacker 3.0
Foundstone
http://www.foundstone.com/resources/tools.html

Attacker is a TCP/UDP port listener/attack warning program. You provide a list of ports to listen on and the program will notify you when a connection or data arrives at the port(s). Can minimize to the system tray and play an audible alert. This program is intended to act as a guard dog to notify you of attempted probes to your computer via the Internet.

 

BOPing 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

BOPing is a scanner for the infamous Back Orifice program. It is many times faster than the ping sweeper built in to the original client program. This is intended as a vigilante tool to notify victims who unknowingly have the Trojan on their system. It includes the ability to notify detected victims by sending them a BO message box message directly from within the program. This is first and foremost a simple tool for network administrators to perform a quick scan of their local area networks. Do not attempt to use this program against computers on the Internet that you have no right to scan since you are highly likely to be tracked down and attract the attention of your ISP and have your account terminated.

 

DDoSPing 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

DDoSPing is a remote scanner for the most common Distributed Denial of Service programs (often called Zombies by the press). These were the programs responsible for the recent rash of attacks on high profile web sites. This tool will detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although setup of each program type is possible from the configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user defined range of addresses.

 

FileWatch 1.0
Foundstone
http://www.foundstone.com/resources/tools.html

FileWatch (originally called ICEWatch 1.x) is a small utility that can monitor a given file for changes. Monitoring can detect file size changes or simply file writes, both with minimal impact on system resources (no polling is performed). The primary use of this utility is for monitoring changes in the log file of a personal firewall program and being able to spawn a separate application when changes are detected, but the tool can be applied to any number of other uses.

 

NTO Max 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

NTO Max is a pro-active tool to find holes before hackers do. Never "goes out of date". A scriptable, server stress testing tool. This tool takes a text file as input and runs a server through a series of tests based on the input. The purpose of this tool is to find buffer overflows or DoS points in a server. Be aware that the script file must be terminated by a double carriage return, or you will get a script failure error when running NTOMax.
• Freeware Features: trial parameter lets you view the buffer to be sent w/o sending it; v parameter now toggles on verbose output (off by default); norecv parameter turns off the initial receive after initial connect (on by default); and reopen parameter turns off/on the ability to reopen connections before sends.

 

NTO Tools 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

New Seek and Destroy Toolkit includes four powerful network tools: NTOLoga - Powerful, network wide backup/clear utility for NT logs, LServers - NetBIOS name dumper, NPList - NT network process dumper, and NTODrv - NT network  driver/service dumper.

 

Blast 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

Blast 2.0 is a small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in your network servers.  For a detailed explanation and examples of usage of this tool, please read the .txt file included in the zip.

 

ShoWin 2.0
Foundstone
http://www.foundstone.com/resources/tools.html

Displays useful information about windows by dragging a cursor over them. It will also display hidden password editbox fields (text behind the asterisks *****) and can enable windows that have been disabled and unhide hidden windows. ShoWin runs under Windows 95/98 and Windows NT.

 

SecurityFocus

ICQr Information 1.3
Moritz Bartl
http://www.headstrong.de/cgi-bin/download.cgi?icqrinfo

ICQr Information reads out information stored in ICQ 99a, 99b and 2000a .DAT files, including user passwords, personal information (such as address) and even deleted contacts.

 


Note: tools announced on forums like SecurityFocus are not necessarily updates or new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 14 December, 2000