Weekly Security Tools Digest
2000/12/16 to 2000/12/22

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include: PuTTY and Perl.

Auditing and Intrusion Monitoring tools include a Snort plugin, nmap/NDiff, LIDS, the Openwall Linux kernel patch, lsof and 7 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include IP Filter and 3 other tools.

Tools for Linux/Unix/Cross Platform include Dsniff, Stunnel and 8 other tools.

Tools for Windows include SafeGuard PrivateCrypt and Ensuredmail.


General Tools

SSH

PuTTY is a free implementation of Telnet and SSH for Win32 platforms, along with an xterm terminal emulator.
• Changes: this version includes many changes and enhancements. PuTTYgen, an RSA key generation utility, has been added; since PuTTY uses the same RSA key file format as SSH 1, keys generated by PuTTYgen are usable with SSH 1 as well. SSH compression is now implemented. Security improvements: better collection of randomness for the cryptographic random number generator (thanks to Peter Gutmann of cryptlib for ideas); PSCP should no longer be vulnerable to malicious servers sending deliberately incorrect and harmful filenames down the SCP connection (reported in Bugtraq #1742); and the SSH client will not open agent forwarding channels unless agent forwarding has genuinely been enabled by both the user and the server, so a user can disable agent forwarding if they suspect the server might abuse the agent (reported in Bugtraq #1949). There are also several new configurable options: Compose key support is now off by default and can be switched on; whether Alt on its own brings up the System menu; whether scrollback resets to the bottom when the display changes (previously you could only control whether it reset on a key press); application keypad mode and application cursor keys mode can each be completely disabled; and Always On Top for the PuTTY window, so you can keep system logs on-screen the whole time (might work particularly well with a really small font). Network error handling is better: all errors are now translated into plain text, so "Unexpected network error 10053" is a thing of the past. A small patch to improve Chinese support has been added (thanks to Zhong Ming-Xun). Many bugs have been fixed in this release; more information at http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.
• Comment: plink/pscp are my favourite Windows SSH command-line clients. An upgrade to this new version is recommended since quite a few SSH server weaknesses have been fixed.

 

Perl
http://news.perl.org

The TRIAL1 version of Perl 5.6.1 has been released. It is not recommended for use on production systems.

 


Auditing and Intrusion Monitoring Tools

Snort
http://www.snort.org

Intrusion Detection Message Exchange Format (IDMEF) XML output plugin for Snort: produces IDMEF messages in response to events that trigger Snort rules. It is configured in a standard Snort configuration file and can run concurrently with existing Snort logging output. The plugin is compatible with the upcoming release of Snort 1.7, and is currently used with Snort 1.7-beta7 or higher from the CVS tree.

 

Nmap
Fyodor
http://www.nmap.org

NDiff compares two Nmap scans and outputs the differences. It allows monitoring of your network(s) for interesting changes in port states and visible hosts. Viewing results in this manner eliminates the need to sift through voluminous raw scan output in search of the few noteworthy differences. It should be useful to network administrators, security analysts, and other interested parties who need to monitor large networks in an organized fashion.
• Changes: Improved NDiff verbose-mode output formatting. Added html output modes to NDiff. Better address and port sorting in NDiff output modes. Added ndiff2html filter. Added invocation summaries (usage) to NDiff, ngen, nrun, and ndiff2html. Fixed UDP port specifications in ngen. Fixed other port-specification bugs in ngen. Added NDIFF_SERVICES_FILE environment variable for ngen (PortSpec.pm), (a temporary measure until better ndiff.conf and command-line options are added - see INSTALL). Various tweaks to the documentation to appease perlpod. Improved NDiff_Quickstart's treatment of data stores. Replaced ndiff.conf in /usr/local/lib/ndiff with ndiff.conf.sample in the install directory.
• Comment: another great tool. We'll be trying it out in January.

 

FreshMeat

LIDS 0.9.1 - Devel: 0.9.11-2.2.18
Xie Hua Gang and Biondi Philippe
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.
• Changes: the new development version 0.9.11 for kernel 2.2.18 has been released. This release includes various bug fixes in lidsadm, is compatible with kernel 2.2.18, and includes workarounds for GNU Mailman and Courier Mail.

 

Openwall Linux kernel patch 2.2.18-ow1
Solar Designer
http://www.openwall.com/linux

The Openwall Linux kernel patch is a collection of security "hardening" features for the Linux kernel. In addition to the new features, some versions of the patch contain various security fixes. The "hardening" features of the patch, while not a complete method of protection, provide an extra layer of security against the easier ways to exploit certain classes of vulnerabilities and/or reduce the impact of those vulnerabilities. The patch can also add a little more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing.

 

Checkservice 1.1.0
Paul van Tilburg
http://www.linvision.com/checkservice

Checkservice is a Perl script that monitors services on remote hosts. It uses plugins to provide a more thorough check than a plain socket check, and can be configured to check multiple services on multiple hosts using two different methods (simple and extended). It can write logs and, when running in the background, issue warnings through a beep-, mail- and SMS-warning system.
• Changes: fixed 2 small but annoying bugs in the php3 status page. Fixed the multiple email-address bug which caused SMTP servers to reject the message. Converted the status page to XHTML 1.0. Fixed a bug with the webcache only showing the last checked host. Fixed a bug that created multiple entries for the same failure in the failure cache.

 

Prtchk.pl 0.3a
Greg M. Kurtzer
http://www.gregsinter.net/greg/scripts

Prtchk.pl monitors a server's TCP ports and notifies someone (by email) if the ports close. All options are easily configured by a configuration file.

 

Cgichk 2.42 - Devel: 2.50
Toby Deshane
http://sourceforge.net/projects/cgichk

Cgichk is a Web vulnerability tool that automatically searches for a series of interesting directories and files on a given site. It also includes a whois lookup.
• Changes: major code rewrite. HTTP requests have been fixed (most sites work correctly now) and HTTP proxy support was added. User agent identification was added. The URL parsing code was rewritten and a couple more targets were added to this new version.

 

Lm_sensors 2.5.4
Alexander Larsson and Frodo Looijaard
http://www.netroedge.com/~lm78

Lm_sensors is an effort to provide essential tools for monitoring the hardware health of Linux systems that contain health-monitoring chips such as the LM78 and LM75 connected via the SMBus (usually found in P6 and P-II systems).
• Changes: version 2.5.4 supports the ServerWorks SMBus. It was provided by Steffen Persvold at Scali under NDA development with ServerWorks. We've successfully tested it to a limited extent. We're looking for more testers with feedback.

 

Project Xerxes 0.0.1
Dimitrios J. Stasinopoulos
http://reverant.fortunecity.com

Project Xerxes is a project designed to help system administrators cope with having to watch multiple machines for security breaches, system notices, warnings, and others. It consists of a server and a client. The server sits at the administrator's machine, while the client sits at any number of machines that need to be watched.

 

Uptime Client 4.14 - Devel: 4.2.1.19
Alex de Haas
http://uptimes.atomicvoid.net

Uptime Client is a little program that keeps track of your uptime and sends it to a server where you can compare it to many other hosts and browse through various statistical information.
• Changes: new development version. This new version fixes FreeBSD compilation failure and splits all getstats() calls for the various platforms into stats-xxx.c like files.

 

UPython 3.0
Sena
http://decoy.ath.cx/~sena/upython-3.0.tar.gz

UPython is a client for the Uptimes Project (http://www.uptimes.net/), written entirely in Python. It supports the 4.20 protocol and proxy servers.

 

PacketStorm

lsof 4.54b
Vic Abell
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

Lsof is an extremely powerful Unix diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It easily pinpoints which process is using each network connection / open port.
• Changes: this new release compensates AIX 5L for a missing header file, handles device special files more accurately; supports Apple Darwin / Mac OS X 1.2; limits UnixWare support to 7.1.0, but includes a 2.1.3 patch; limits OpenServer support to 5.0.5.

 


Firewalls for UNIX/Linux/BSD & Cross-platform

IP Filter 3.4.15
Darren Reed
http://coombs.anu.edu.au/~avalon

IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It can be used either as a loadable kernel module or compiled into a UNIX kernel; use as a loadable kernel module is highly recommended where possible. Scripts are provided to install and patch system files, as required.
• Changes: in this new version, minimum-TTL filtering (to be replaced later by return-icmp-as-dest for all ICMP packets matching state entries) has been added. NAT'ing of fragments, the sanity checks for ICMPv6 and the compilation problems on IRIX 6.2 with IDF/IDL installed have been fixed.

 

FreshMeat

Ferm 0.0.9
Auke Kok
http://www.geo.vu.nl/~koka/ferm

Ferm compiles ready-to-go firewall rules from a structured rule setup. These rules are then loaded through the preferred kernel interface, such as IPchains or IPtables. Ferm also helps modularize firewalls: the ruleset can be split into several files which can be loaded at will, so you can adjust your rules dynamically.
• Changes: the REDIRECT option has been corrected; you can now specify the port number that you are redirecting to (D. Bidwell). Basic IPtables support has been added. The typo between 's' and 'd' for portspec has been corrected and the manual page has been updated.

 

rChains 200012151232
Curt Rebelein, Junior
ftp://ftp.rebby.com/pub/Linux/software/scripts/firewall

rChains is a highly detailed firewall script which implements many features including per host bandwidth monitoring w/ MRTG.

 

Firewall Monitor 1.0.3
Scaramanga (Gianni Tedesco)
http://www.sourceforge.net/projects/firestorm-ids

Fwmon is a firewall monitor for Linux. It integrates with IPchains to give you real-time notification of firewall events. It has fairly customizable output, allowing you to display a packet summary, hex, and ASCII data dumps to stdout, a logfile, or Tcpdump-style capture files. It also boasts some simple security features such as the ability to chroot itself, and operate in a non-root environment.

 


Tools for UNIX/Linux/BSD & Cross-platform

Dsniff 2.3
Dug Song
http://www.monkey.org/~dugsong/dsniff

Dsniff is a suite of sniffing tools for penetration testing.
• Changes: add VRRP parsing to dsniff, from Eric Jackson. Require pcap filter argument for tcpkill, tcpnice. Add Microsoft PPTP MS-CHAP (v1, v2) parsing to dsniff, based on anger.c by Aleph One. Fix pcAnywhere 7, 9.x parsing in dsniff. Add -t trigger[,...] flag to dsniff, to specify individual triggers on the command line. Convert most everything to use the new interface. New programs: dnsspoof, msgsnarf, sshmitm, webmitm. Fix inverted regex matching in *snarf programs. Consistent arpspoof, macof, tcpnice, tcpkill output. Rename arpredirect to arpspoof (maintain consistent *sniff, *snarf, *spoof, *spy nomenclature). Consistent pcap filter argument to dsniff, *snarf programs. Add trigger for Checkpoint Firewall-1 Session Authentication Agent (261/TCP), as suggested by Joe Segreti. Add SMTP parsing to dsniff, as requested by Denis Ducamp. Add rexec and RPC ypserv parsing to dsniff, as requested by Oliver Friedrichs. Add HTTP proxy auth parsing back to dsniff, it got lost in the shuffle, reported by Denis Ducamp. Add NNTPv2 and other AUTHINFO extensions to dsniff.

 

MimeDefang 0.7
Roaring Penguin Software - David F. Skoll
http://www.roaringpenguin.com/mimedefang

MIMEDefang is a flexible MIME e-mail scanner designed to protect Windows clients from viruses and other harmful executables. It works with Sendmail 8.10 / 8.11 and will alter or delete various parts of a MIME message according to a flexible configuration file.
• Changes: a test suite and test filter have been added. In configure.in, the spool directory for processing mail is now configurable (./configure --with-spooldir=DIR); in particular, /tmp is NO LONGER used by default, the default is now /var/spool/MIMEDefang. In mimedefang.pl.in, the action_discard() action has been added. In mimedefang.c (eom), a check for the DISCARD file has been added to support action_discard in the filter.

 

FreshMeat

Stunnel 3.9
Michal Trojnara
http://freshmeat.net/projects/stunnel

The Stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so Stunnel supports whatever cryptographic algorithms you compiled into your crypto package.
• Changes: temporary key generation has been updated: Stunnel now honours requested key lengths correctly and the temporary key is changed every hour. transfer() no longer hangs on some platforms, and a potential security problem with a syslog() call has been fixed.

 

The Anomy mail sanitizer 1.33
Bjarni R. Einarsson
http://mailtools.anomy.net

The Anomy mail sanitizer is a filter designed to block email-based security risks, such as Trojans and viruses. It can scan an arbitrarily complex RFC822 or MIME message and remove or rename attachments, truncate unusually long MIME header fields and sanitize HTML by disabling JavaScript, etc. It uses a single-pass pure Perl MIME parser, which can make it both more efficient and more precise than other similar programs. The sanitizer has built-in support for third-party virus scanners.
• Changes: fixed a bug in how forwarded/uuencoded attachments are handled which could cause the next MIME boundary to get corrupted. Simplified the forwarded message handler a bit, added a test case for it.

 

TEA Total 0.1 (Devel)
Alex Holden
http://www.linuxhacker.org/tea-total

TEA Total is a collection of extremely small encryption tools. At the heart of TEA Total is TEA (the Tiny Encryption Algorithm): a fast and secure symmetric algorithm with a 128-bit key, developed and placed in the public domain by David Wheeler and Roger Needham of the Cambridge Computer Laboratory. TEA is said to be several times faster than DES, as well as being much smaller and more secure. It is not encumbered by any patents and the reference implementation is in the public domain.

 

PacketStorm

Saint Jude 0.07
Tim Lawless
http://freshmeat.net/projects/stjude

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.
• Changes: several versions were issued during this week. Here is a summary of the changes between the different releases. Between 0.04 and 0.05: a new response method which executes an external command to record and deal with the intrusion. An astute individual will note that this also affords the opportunity to counter-attack the attacker, using their control channel against them. Between 0.05 and 0.06: fixed some broken code from 0.05 due to a 2am release. Between 0.06 and 0.07: the include file <sys/mman.h> was changed to <linux/mman.h>, and the Makefile now defines explicitly where the Linux include files are. This fixes a major crapping out when the include files were expected to be found in /usr/include/linux. If your Linux kernel tree is not under /usr/src/linux, you will need to modify the Makefile appropriately. This seemed to affect Mandrake 7.x and Debian systems; Red Hat 6.2 (stock) was unaffected, unknown about Red Hat 7.

 

Secure CGI Library 1.0
Frank Denis (aka Jedi/Sector One)
http://www.jedi.claranet.fr

The Secure CGI Library eases the development of C/C++ web applications using the CGI interface. It is designed with security in mind and can enforce limits to avoid common denial-of-service attacks. It can also handle an unlimited number of variables, with unlimited content size, with very fast parsing and hashed lookups.

 

SecurityFocus

Intel CDSA 2 Implementation
Intel
http://developer.intel.com/ial/security

The Common Data Security Architecture is composed of cryptographically signed modules that provide cryptographic, database, certificate, trust policy, authorization, biometric, and other services. CDSA 2 is an Open Group standard created by many companies and published freely. Intel has created an open source implementation of CDSA 2.

 

IDSA 0.84
Marc Welz
http://jade.cs.uct.ac.za/idsa

IDS/A is an experimental interface between applications and a daemon which functions as system logger, reference monitor and, soon, intrusion detection system. IDS/A is not yet complete, but can already be used as a system log replacement with extra neat features such as automatic log rotation. It also ships with two example applications which demonstrate how the system can be used to block basic banner-grabbing port scanners or CGI scanners. It runs on Linux platforms.

 

Phalanx 1.2
Stephen Martin
http://www.marketrends.net/phalanx

Digital-Phalanx is a Unix security daemon for OpenBSD platforms. Once installed on a machine and activated, it only allows 'cleared' users from 'cleared' domains to exist on the server. It is primarily a point defense system for your Unix server. Digital-Phalanx is available in both a Perl5 and a C++ version. The Perl5 version, coded in generic Perl5, should run on most Unix systems. It has been developed, tested and deployed on BSDI 3.0 and OpenBSD 2.3 servers. The Perl5 implementation has the advantage of being reconfigurable in flight and, being written in Perl5, should run as is straight from the .tar file.

 


Tools for Windows

SecurityFocus

SafeGuard PrivateCrypt 1.0
Utimaco Safeware AG
http://www.privatecrypt.com/int

With SafeGuard PrivateCrypt by Utimaco Safeware AG, encrypting files is simple. A click and a password start secure and fast encryption and zipping of files. The file can be transferred via e-mail as usual; the receiver needs nothing but the password to unzip and read it. PrivateCrypt runs under Windows 95, Windows 98, Windows NT 4.0 (Service Pack 3 or higher) and Windows 2000 and later. SafeGuard PrivateCrypt is available as freeware for private users.

 

Ensuredmail 1.4
Ensuredmail, Inc.
http://www.ensuredmail.com

Ensuredmail is privacy software that protects your email and attachments from unauthorized access without changing or modifying your existing email accounts. It fully supports Microsoft Outlook 97, 98 and 2000 and Outlook Express 4.0 and 5.0, and runs under Windows 2000, Windows 95/98 and Windows NT. It provides reliable read receipts the first time or every time a message is successfully opened, at your choice. It protects your local files from unauthorized access. It can be integrated with most web-mail systems (see the homepage for the compatibility list) and prevents recipients from forwarding your sensitive information.

 

E-Lock Reader 4.0
E-Lock Technologies
http://www.elock.com/download/downreader.asp

The E-Lock Reader is a free verification tool that allows recipients of digitally signed information to verify the associated signatures. In a typical e-business scenario, one or few individuals conduct the actual signing process, while the document may have to be ratified or viewed by multiple people. The E-Lock Reader makes it possible for diverse parties to verify digital signatures without the need for complex digital signature products. It runs under Windows 2000, Windows 95/98 and Windows NT.

 

Project R3x 0.37.9
Bogdan Calin
http://soul4blade.home.ro

Project R3x is a program for auditing Windows networks, network scanning, OS detection, and more. Main features: scanning large networks by sending a UDP query status to every IP and waiting for responses; listing the NetBIOS name table for each responding computer; providing NetBIOS hostname, currently logged-in username and MAC address; OS detection using SMB queries (Windows 9x/NT/2k/Unix); enumerating all shares on the remote computer (including printers and administrative shares C$, D$, ADMIN$, ...); cracking Windows 9x (share-level security) passwords using the bug discovered by the NSFocus Security Team (www.nsfocus.com); probing Windows 9x/NT/2k for weak passwords using a dictionary of commonly used passwords; probing for well-known services (such as www/ftp/telnet/smtp...); resolving hostnames (reverse DNS); and output of results in a nice HTML format. This tool runs under Windows 2000, Windows 95/98 and Windows NT.

 


Note: tools announced on forums like SecurityFocus are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 20 December, 2000