By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to general free tools this week include OpenSSL, Stunnel, TrustedBSD and Apache.
Auditing and Intrusion Monitoring tools include 1 Snort tool, Nmap and 1 Nmap tool, PIKT, Chkrootkit, BigBrother, LIDS, Samhain and 1 other tool.
Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Zorp, Fireparse, Dante, MonMotha's IPtables, IPtables Linux Firewall and 1 other tool.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Ngrep, Passwdd, SILC and 3 other tools.
Tools for Windows include PwDump3e, Eraser and RPC tools.
SSL
- OpenSSL 0.9.6a
The OpenSSL Project
http://www.openssl.org
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.
Changes: no information about the changes in this new version.
- Stunnel 3.14
Michal Trojnara
http://www.stunnel.org
The Stunnel program is designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so Stunnel supports whatever cryptographic algorithms you compiled into your crypto package. Runs on Windows and UNIX.
Changes: 3 new Stunnel patches for version 3.14: proxy_sweeheng.patch is a patch for Stunnel to support web proxies (squid, etc.). winnt_cboston.patch includes NT Enhancements, MS Visual C++, Native service support and NT event logging. certchain_jih.patch allows the use of certificate chains, borrowed from mod_ssl code.
TrustedBSD Project
Robert Watson & Ilmar S. Habibulin
http://www.trustedbsd.org/downloads
TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). The targeted features include: an extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management; fine-grained capabilities for system functions so as to implement least privilege and reduce the risks of compromise; mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models; access control lists for the file system and other kernel resources, allowing fine-grained and manageable discretionary access control; and event auditing support with a single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.
Changes: version 0.6.0 of the ACL patches has been released and is substantially smaller than previous patches, as large parts of the filesystem-independent POSIX ACL components have been committed to the base system. This updated version takes that into account, updates setfacl, disables emulation of ACLs with acl_get_{fd,file}() for file systems that don't have ACLs enabled, and rearranges the UFS code somewhat so as to better distinguish ACL and non-ACL conditionally compiled code. This patch requires FreeBSD 5.0-CURRENT from March 11, 2001.
Apache 1.3.19 - Apache 2.0.14 Alpha
Apache Software Foundation and The Apache Server Project
http://www.apache.org/dist
Changes: the fourteenth release of Apache 2.0. Apache 2.0 offers numerous enhancements, improvements and performance boosts over the 1.3 code base. The most visible and noteworthy addition is the ability to run Apache in a hybrid thread/process mode on any platform that supports both threads and processes. This has been shown to improve the scalability of the Apache HTTPD server significantly in our early testing, on some versions of Unix. With this version of Apache, we have also added support for filtered I/O. This allows modules to modify the output of other modules before it is sent to the client. This release also greatly improves the performance and robustness of Apache on the Microsoft Windows operating systems. This alpha includes support for IPv6 on all platforms that support IPv6. See the announcement for more information: http://www.apache.org/dist/Announcement2.html.
Snort 1.7
Martin Roesch & many others
http://www.snort.org
- WinSNort2Html 1.1
Chris Koutras
http://home.earthlink.net/~ckoutras
WinSnort2Html takes the alert log files and parses them into an HTML page. Since it is written in Visual Basic, the program requires the VB 5.0 or later runtime libraries. The program runs on Windows 95/98/NT4/2000. WinSnort2Html can be downloaded with or without the VB5 runtime libraries.
Changes: this version uses a new parsing algorithm which should parse both the full and the fast Snort alert formats and ignore any other information in the alert log. The program can now be run as a Windows NT/2K service and it can sort the alerts.
Nmap 2.53 - Devel: 2.54 beta 22
Fyodor
http://www.insecure.org/nmap
Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, and detection of down hosts via parallel pings.
Changes: new development version 2.54 beta 22. Eliminated usage of u_int32_t (was causing compilation errors on some Sun and HP boxes). Defined integer-width typedefs such as u32/s32/u16/etc. in Nbase. Went through much of the Nmap code and substituted these in where correct lengths are important (port numbers, IP addresses, etc).
- Remote Nmap 0.5 beta
Tuomo Makinen
http://rnmap.sourceforge.net
Remote Nmap (Rnmap) is a pair of client and server programs which allow various authorized clients to run their port scans from a centralized server. Clients should run on any Python-supported platform. The server requires Python and the Nmap port scanner; the client requires only Python.
Changes: this release supports cryptography with optional modules. Rnmap now has an application for adding users (rnmap-adduser). User passwords are hashed with MD5. The protocol has changed to support cipher/plaintext communications. Older versions of grnmap.py are not compatible with the new server.
PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre5
Robert Osterlund
http://pikt.uchicago.edu/pikt
PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Changes: fifth pre-release of the 1.13.0 series: introduced several new piktc options, including: -M (expand macro(s)), +M (macro(s)), -V (show version info). Introduced a new, "official" PIKT utility, piktx. piktx does remote command execution with PIKT-style macros and command-line (+H and -H) host lists. Moreover, piktx allows concurrent operation from any PIKT host, not just the piktmaster. Fixed a bug where non-existent #include files might cause piktc to dump core. Fixed other minor bugs.
Chkrootkit 0.23
Nelson Murilo
http://www.chkrootkit.org
Chkrootkit locally checks for signs of a rootkit. It includes detection of LKM rootkits, ifpromisc.c to check whether the interface is in promiscuous mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD. The following commands are examined: chfn, chsh, cron, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, pstree, rshd, sendmail, sshd2, su, syslogd, tcpd and top.
Changes: this new version includes lrk6 detection, rh[67]-shaper detection, RSHA detection, Romanian rootkit, test for shell history file anomalies (empty or linked history file). More ports added to the bindshell test.
BigBrother 1.7 for UNIX, 1.07d for NT WS, 2.2a for NT SRV
Sean McGuire
http://bb4.com/index.html
BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.
Changes: new version 1.7 for Unix.
LIDS 0.9.1 - Devel: 0.9.13 (2.2.18 kernel) / 1.0.5 (2.4.1 kernel)
Xie Hua Gang
http://www.lids.org
The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly, and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.
Changes: new development version 0.9.13 for Linux kernel 2.2.18. The lidsadm compiling error was fixed. The code was cleaned up. A message when accessing a hidden file was added. A lids_script.sh was added. The default lids.conf was fixed.
Samhain 0.9.12 - Devel: 1.1.8
Rainer Wichmann
http://la-samhna.de/samhain
Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.
Changes: problems with logging to syslog and with templates for the HTML server status page have been fixed.
Viperdb 0.9.7
Peter Surda
http://panorama.sth.ac.at/viperdb
Viperdb is a file checker. It is meant to be run from cron on a regular basis in order to monitor strange activity on a system. It supports checking of size, mtime, privileges, UID/GID, added/deleted files, and MD5 checksums. Data isn't stored in a single archive as in Tripwire, but is split among all the monitored directories. This Viperdb is in fact a fork of the original, as the original authors seem unreachable.
Changes: this release adds bugfixes in symlink handling, improved detecting of corrupted databases, and a directory-specific option to ignore mtime changes. Upgrading and re-initing of databases is recommended.
FwLogWatch-0.21
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml
FwLogWatch analyzes the IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following modes: log summary mode, interactive report mode and real-time response mode.
Changes: added compressed input file support. Added total packet length sum option. Added support for long chain/branch/interface names. Modified time output (summary shows times of packet log entries, log times mode shows times of all entries). Various small fixes and cleanups.
Zorp 0.8.0
Balazs Scheidler
http://www.balabit.hu/products/zorp
Zorp is a new-generation modular proxy firewall suite to fine tune proxy decisions with its built-in script language, fully analyze complex protocols (like SSH with several forwarded TCP connections), and utilize outband authentication techniques (unlike common practices where proxy authentication had to be hacked into the protocol).
Changes: new stable version 0.8 is released with new and improved features. Summary of the new features: uses a script language (Python) as the configuration and decision language. Supported protocols are: HTTP/1.1, FTP, SSL, POP3, finger, plug. Utilizes modular application gateways. Able to analyze subprotocols (for example POP3 in SSL). Can add/remove packet filter rules on demand. You can write your own proxy modules in Python if a native version is not available. This version also fixes a problem in HTTP, which occurred when connecting to a destination server failed more than 4 times, and a race condition, which occurred when a thread was started and stopped at about the same time (a linked list was not protected by a mutex).
Fireparse 2.1
Aaron D. Marasco
http://aaron.marasco.com/linux.html
Fireparse is a Perl script that emails a report of all packets that have been logged by the kernel's IPtables packet filtering subsystem. The report includes source and destination ports, direction, logged packet count, IPtables rules, and fully resolved host names (if available). The report can be formatted as plain text or as a colored HTML table. Fireparse also moves all IPtables entries from your syslog file into a second message file so that other syslog entries are more easily noticed and filtered. HTML output can also be sent to a dated file.
Changes: huge performance increases with smaller loading requirements, slight security fix. Plus hidden options for advanced users. On an example messages file, v2.0 needed 29.87 seconds, v2.1 took 3.93!
Dante Socks 1.1.9
Inferno Nettverk A/S
http://www.inet.no/dante
Dante is a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity.
Changes: this release is a bugfix release. It fixes a serious problem in the parsing of rules. Everyone should upgrade. Compared to the previous release, this version brings amongst other changes the following: fix big bug in rulespermit().
MonMotha's IPtables Masquerading Firewall 2.3.5
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall
MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time your IP address changes, making it well suited to users with dialup connections. Many features, such as SSH rulesets and limited flood protection, are available. There are three branches: the default branch (current version is 2.3.5), the IPtables-insecure branch (current version is 2.0.1) and the IPtables 2.2 branch (current version is 2.2.0).
Changes: new default branch version 2.3.5. This release is currently not stable. USE_MASQ has been changed to MASQ_LAN in port FW. Fix syntax error in TCP port forwards. General cleanup. Fixes in port forwarding. It's LTREJECT, not TLREJECT. More TOS mangling. Port forwarding works again, was broken by stateful match on forward chain.
IPtables Linux Firewall 4.3f - Devel: 4.4c-3
Patrik Hildingsson
http://www.kurd.nu
IPtables Linux Firewall is a firewall that uses NetFilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (rate-limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.
Changes: new development version 4.4c-3: bug fixes in DMZ, now drops in the FORWARD chain.
PCX Firewall 1.4
James A. Pattie
http://pcxfirewall.sourceforge.net
PCX Firewall is an IPtables firewalling solution that uses Perl to generate static shell scripts based upon the user's configuration settings. This allows the firewall to start up quickly, as it does not have to parse config files every time it starts.
Note: first time in the Tools Digest.
Bastille Linux v1.1.1 - Devel: 1.2.0.pre14
Jay Beale
http://www.bastille-linux.org
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.
Changes: new development release 1.2.0.pre14. No information regarding the changes.
Ngrep 1.39
Jordan Ritter
http://ngrep.sourceforge.net
Ngrep strives to provide most of GNU grep's common features, applying them to the network layer. Ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as Tcpdump and snoop.
Changes: now Ngrep compiles with the GPL'd GNU regex library, or the more license-friendly PCRE library under the Artistic License (Unix). Recognition of window size changes (Unix). Support for 100bT and PPP interfaces (Win32). Minor bugfix in time printing with -t.
Passwdd 0.11p12
Alexander Feldman
http://sourceforge.net/projects/passwdd
Passwdd is a client/server package which allows basic synchronization of password files among different machines. There are Linux/Solaris server and console clients. With Visual C/C++, you can compile the Windows version of the clients. Perl CGIs are included as well.
Changes: no information about the changes.
SILC 20010314 (Devel)
Pekka Riikonen
http://silc.pspt.fi
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.
Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.
Linux VPN 1.1
Alex Fiori
http://anti.someone.net
Linux VPN is an easy way to set up a VPN using pppd over encrypted ssh tunnels with Linux.
Note: first time in the Tools Digest.
FilterProxy 0.29
Bob McElrath
http://draal.physics.wisc.edu/FilterProxy
FilterProxy is a Perl script that acts as a generic Web proxy. It is unique in that it allows you to install modules that can perform arbitrary transformations on HTML (or any other MIME type) and HTTP headers. It filters ads by stripping HTML from the page, anonymizes requests by removing Referer and User-Agent headers, compresses HTML content, and de-animates animated gifs. Configuration is done via Web-based forms or by editing a Perl data structure.
Note: first time in the Tools Digest.
CGIproxy (SSL) 1.4.1
James Marshall
http://www.jmarshall.com/tools/cgiproxy
CGIproxy is a Perl CGI script that acts as an Internet proxy. Through it, you can retrieve resources that may be inaccessible from your own machine. No user info is transmitted, so it can be used as an anonymous proxy. HTTP and FTP are supported. Options include text-only browsing (to save bandwidth), selective cookie and script removal, simple ad filtering, encoded target URLs, configuration by end user, and more. There is also a version of CGIproxy that can retrieve pages from SSL servers, i.e. those URLs beginning with "https:". CGIproxy needs an SSL server to run part of the proxy on, and on that machine you'll need to install the following two packages: OpenSSL, a freely available library of SSL and cryptography tools, and Net::SSLeay, a Perl interface to OpenSSL.
Changes: this release runs 15% faster, fixes bug with meta "refresh" tags causing duplicate entry forms, and fixes another entry form bug. New option to insert a URL entry form at the top of each page; it also shows your current URL. New option to insert your own block of HTML into each page.
PwDump3e
E-business technology, Inc.
http://www.ebiz-tech.com
PwDump3 is a Windows NT/2000 remote password hash grabber. It combines the functionality of Pwdump by Jeremy Allison and pwdump2 by Todd Sabin. It can extract the password hashes from a remote Windows NT 4.0 or 2000 box whether or not syskey has been installed. It does this by injecting a process onto the remote system, extracting the hashes and then copying the hashes back to the local system. Using this tool, a system administrator can check on the strength of the passwords on his system. Pwdump3 does not exploit a new vulnerability; it utilizes existing Windows communications capabilities.
Note: first time in the Tools Digest.
Eraser 5.0.1
Sami Tolvanen
http://www.tolvanen.com/eraser
Eraser is an advanced security tool for Windows, which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. It runs under Windows 95, 98, ME, NT 4.0 and 2000.
Note: first time in the Tools Digest.
RPC tools v1.0
Bindview
http://razor.bindview.com/tools/desc/rpctools1.0-readme.html
The RPC tools package contains three separate tools for obtaining information from a system that is running RPC services. Rpcdump allows you to dump the contents of the endpoint mapper database. Ifids is similar to Rpcdump but allows you to query a single RPC server, and can even allow you to query an RPC server which is not listed in the endpoint map obtained with Rpcdump above. Walksam is a tool which allows you to dump the information of each user found within the SAM database via Named Pipes or using the additional protocol sequences used by Windows 2000 domain controllers.
Note: first time in the Tools Digest.
Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 14 March 2001