Weekly Security Tools Digest
2000/12/23 to 2000/12/29

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include Stunnel and an SSH/Telnet client in Java.

Auditing and Intrusion Monitoring tools include Saint, Sara, integrit and chkrootkit.

Firewalls for UNIX/Linux/BSD & Cross-platform: no changes.

Tools for Linux/Unix/Cross Platform include the Anomy sanitizer, pdump, MIMEDefang and 7 others.

Tools for Windows include twwwscan and ensuredmail.


General Tools

SSH

The Java Telnet/SSH Application/Applet Final v2.0
Matthias L. Jugel, Marcus Meißner
http://www.mud.de/se/jta

The software has been rewritten and comes with a completely new base system. Apart from changes to the event handling in our terminal emulation, the base parts have only been ported to Java 2. Both the terminal emulation and the telnet protocol handler have been split out of the software and are available as standalone packages for use by other programmers. Features include: full Java 2 compatibility (still works with Java 1.1.X for now), 11 plugins, an application menu bar for plugin menus, a configuration file with configurable foreground and background color, telnet and SSH support, and an upcoming PersonalJava Application Environment edition.

 

SSL

Stunnel 3.11
Michal Trojnara
http://www.stunnel.org

The Stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so Stunnel supports whatever cryptographic algorithms you compiled into your crypto package. Runs on Windows and UNIX.
Changes: Internal thread synchronization code was added. Bugs were fixed, including a new problem with zombies. An attempt was made to be integer-size independent. A SIGHUP handler was added. Documentation updates. The -D option now takes [facility].level as its argument (plain 0-7 is still supported). stunnel.exe can now be cross-compiled on Unix.


Auditing and Intrusion Monitoring Tools

SAINT 3.1.2
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

Saint is a security scanning tool based on Satan.
• Changes: Check for OpenBSD/NetBSD ftpd buffer overflow. Updated Kerberos tutorials to address vulnerabilities in KTH version. Documentation on unpacking SAINT (useful to those who are unfamiliar with Unix). Fixed bug in rpcgen source code. Modified configure script to work around missing links on Linux systems.

 

SARA 3.3.1
Advanced Research Corporation
http://www-arc.com/sara

Security Auditor's Research Assistant (SARA) is a security analysis tool based on Satan. Checks for common old holes, backdoors, trust relationships, default cgi, common logins, open shares, and much more.

 

FreshMeat

integrit 1.02.05-beta
http://integrit.sourceforge.net
http://sourceforge.net/projects/integrit/

integrit is an alternative to file integrity verification programs like tripwire and aide. It helps you determine whether an intruder has modified a computer system. integrit's major advantages are a small memory footprint and simplicity. It works by creating a database that is a snapshot of the most essential parts of your computer system. You put the database somewhere safe, and you can then use it to make sure that no one has made any illicit modifications to the computer system. In the case of a break-in, you know exactly which files have been modified, added, or removed.
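As an added illustration of the snapshot-and-compare approach integrit describes (example code written for this digest, not integrit's own), the following Python records mode, size, mtime and SHA-256 for every regular file, serialises that database so it can be kept off the host, and reports what was added, removed or modified. The tampered tree in demo() is constructed in a temporary directory.

```python
import hashlib
import json
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root to (st_mode, st_size, st_mtime_ns, sha256 hex)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = (st.st_mode, st.st_size, st.st_mtime_ns, _sha256(full))
    return db

def compare(known, current):
    """Report paths added, removed or changed (any metadata or hash) since the known snapshot."""
    return {
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
        "modified": sorted(p for p in set(known) & set(current)
                           if tuple(known[p]) != tuple(current[p])),
    }

def demo():
    """Constructed scenario: baseline a tree, tamper with it, verify against the stored db."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        put("bin/ls", b"original")
        put("etc/passwd", b"root:x:0:0:")
        stored = json.dumps(snapshot(root))   # the database; keep it on read-only or remote media
        put("bin/ls", b"trojaned")            # same size: only the hash (and mtime) give it away
        os.remove(os.path.join(root, "etc", "passwd"))
        put("tmp/.rk", b"")
        return compare(json.loads(stored), snapshot(root))
```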

 

Packetstorm

chkrootkit 0.19
Nelson Murilo
ftp://ftp.pangeia.com.br/pub/seg/pac

chkrootkit locally checks for signs of a rootkit. Includes detection of LKM rootkits, ifpromisc.c to check and see if the interface is in promisc mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD. Changes: Ambient's Rootkit for Linux (ARK) detection, OpenBSD support, xinetd support, new command line options, and bug fixes.


Firewalls for UNIX/Linux/BSD & Cross-platform

No changes noted this week.


Tools for UNIX/Linux/BSD & Cross-platform

pdump v0.8
Samy Kamkar
http://pdump.org 

pdump is a raw packet sniffer and injector. It has the features of many other programs such as tcpdump, dsniff, and ngrep.
• Changes: Added almost 600 new fingerprints for the -x option, a much better password sniffing library along with new password sniffing plugins for the web, fixed a few bugs, added new protocol sniffing, advancements to other protocols, and new methods for decoding packets.
Comment: does not compile on Solaris.

 

The Anomy sanitizer 1.33
Bjarni R. Einarsson
http://mailtools.anomy.net

The Anomy sanitizer is what most people would call "an email virus scanner". That description is not totally accurate, but it does cover one of the more important jobs that the sanitizer can do for you: it can scan email attachments for viruses. Other things it can do: disable potentially dangerous HTML code, such as JavaScript, within incoming email; protect you from email-based break-in attempts which exploit bugs in common email programs (Outlook, Eudora, Pine, ...); block or "mangle" attachments based on their file names. This way, if you don't need to receive e.g. Visual Basic scripts, you don't have to worry about the security risk they imply (the ILOVEYOU virus was a Visual Basic program). This lets you protect yourself and your users from whole classes of attacks, without relying on complex, resource-intensive and outdated virus scanning solutions.

 

SecuriTeam / FreshMeat

Angst
http://angst.sourceforge.net/

Angst is a simple active packet sniffer, based on libpcap and libnet. It dumps into a file the payload of all the TCP packets received on the specified ports. Also, it floods the local network with random MAC addresses (like macof v1.1 by Ian Vitek), causing switches to send packets to all ports. It was only compiled and tested on OpenBSD.

 

Packetstorm

ICMP Usage in Scanning v2.5 (paper)
Ofir Arkin
http://www.sys-security.com

This paper outlines what can be done with the ICMP protocol regarding scanning. Although the protocol may seem harmless at first glance, the paper includes details on plain host detection techniques, advanced host detection techniques, inverse mapping, trace routing, OS fingerprinting methods with ICMP, and which ICMP traffic should be filtered on a filtering device.
• Changes: This version introduces a few new OS fingerprinting methods, some of which use ICMP error messages, allowing a remote OS fingerprint even if all the ports are closed. A lot of information on ICMP error messages and some Snort rules have also been added.

 

xlockmore 5.00
http://www.tux.org/~bagleyd/xlockmore.html

xlockmore is an enhanced version of xlock. It adds several new command-line options, which allow you to run it in a window or in the root window, at a different size/location, change the size of the iconified window, install a new colormap, and delay locking for use with xautolock.
Changes: A large number of bugfixes, updates, and new features, including some new modes.

 

bind-8.2.2-P7-chaos1.diff
Sean Trifero
http://www.innu.org/~sean

A patch for BIND 8.2.2-P7 that logs all BIND version requests to syslog. Changes: Ported to BIND 8.2.2-P7.

 

snoopy 1.3
Mike Baker
http://packetstorm.securify.com/linux/security/snoopy-1.3.tar.gz

Snoopy is designed to log all commands executed by providing a transparent wrapper around calls to execve() via LD_PRELOAD. Logging is done via syslogd and written to authpriv, allowing secure offsite logging of activity. Changes: Integrity checking, a new method of logging, and faster logging.

 

Achilles 0.16
http://www.digizen-security.com/projects.html

Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. When in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.

 

MimeDefang 0.7
Roaring Penguin Software - David F. Skoll
http://www.roaringpenguin.com/mimedefang

MIME Defanger is a flexible MIME e-mail scanner designed to protect Windows clients from viruses and other harmful executables. It works with Sendmail 8.10 / 8.11 and will alter or delete various parts of a MIME message according to a flexible configuration file.

FreshMeat

yaala 0.2
Florian Forster
http://13hackerz.de/yaala/

Yet Another Apache Log Analyser: "yaala" parses web server log files and generates very detailed statistics. And I'm pretty sure that you'll get far more information than you ever wanted. This tool is for sysadmins who want detailed information about web server usage. Right now only Apache combined logs are supported, but the modular structure allows other log types to be implemented very easily.


Tools for Windows

SecurityFocus

twwwscan 0.7 re-released
http://search.iland.co.kr/twwwscan

twwwscan is a fast Windows-based command-line WWW vulnerability scanner. Features: anti-IDS support (URL encoding); passive-mode scan support (-pw, -pu, -pa); http_port option; report support (HTML type); the old-style -v option added back; NT/2000 IIS patch detail information; more web server defense information; CVE information support (NT/2000 only); advertising support (company, security information, ...). Includes checks for over 300 WWW vulnerabilities, current as of ~2000/12/23, and looks for "fun" directories.
Tested on Windows 95 OSR2, 98, 98SE, NT4, 2000 and Me.


Ensuredmail
http://www.ensuredmail.com

Protects your email and attachments from unauthorized access without changing or modifying your existing email accounts. Fully supports Microsoft Outlook™ 97, 98, 2000 and Outlook Express 4.0 and 5.0. Provides reliable read-receipts the first time or every time a message is successfully opened; it's your choice. Protects your local files from unauthorized access. Seamlessly integrates with most web-mail systems. Prevents recipients from forwarding your sensitive information.


Note: tools announced on forums are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 29 December, 2000