Weekly Security Tools Digest
2001/03/16 to 2001/03/22

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include MindTerm SSH, OpenSSH, the Coroner's Toolkit and TrustedBSD.

Auditing and Intrusion Monitoring tools include Snort attack scripts, NmapNT, WAP-Nmap, SAINT, NetSaint, LIDS, Chkrootkit, BigBrother, MergeLog, Samhain and 2 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include IPtables, IPfilter, IPtables Linux Firewall, Securepoint Firewall Server SB and 2 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Squid, APG, NSA Security-enhanced Linux, Linux VPN, SILC, Libmcrypt, Saint Jude LKM and 4 other tools.

Tools for Windows include Winfingerprint.


General Tools

MindTerm SSH

MindTerm is a complete ssh client in pure Java. It can be used either as a standalone Java application or as a Java applet. Three packages of importance are provided (terminal, ssh, and security). The terminal package is a rather complete vt102/xterm terminal, and the ssh package contains the ssh protocol and also "drop-in" socket replacements to use ssh tunnels transparently from a Java application/applet. It also contains functionality to realize an ssh server. Finally, the security package contains RSA, DES, 3DES, Blowfish, IDEA, and RC4 ciphers.

Changes: version 1.99pre5 is now available. Added an ftp-over-SFTP bridge (i.e. connect with any ftp client to an SFTP server through the MindTerm bridge). Added detection/disabling of Rijndael/AES for OpenSSH (endianness bug). Added detection/disabling of rekeying for OpenSSH. Improved key event handling with respect to "international" keyboards considerably. Fixed a bug where the terminal didn't convert to the default character encoding when used from ssh2. Fixed a bug with the ftp proxy, which didn't look for the right listen address. Fixed a bug in SFTP (the file handle was treated as a String, causing odd conversions at times). Fixed a bug in X11 forwarding in ssh1. Fixed a bug in forwarded channels in ssh1 (they didn't hang up correctly). Fixed a bug where the length of the ssh2 string type was not checked. Fixed a bug where old F-SECURE servers with draft incompatibilities were not detected. Furthermore, the final release will at least include the following additional items: better handling of settings for ssh2 (e.g. currently one can't choose ciphers), better DSA/RSA key handling of ssh-rsa keys for ssh2, changing of some ssh2 settings (e.g. cipher/mac/compression) while connected (the code is there but a GUI is needed), a GUI for scp1 and SFTP file transfers, handling of open connections through tunnels, remappable copy/paste keys, and the possibility to choose ssh1 or ssh2 when the server supports both.

 

OpenSSH 2.5.2p1
Damien Miller
http://www.openssh.com/portable.html

This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.

Changes: release of version 2.5.2p1. Consult ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog for more information about the changes.

 

The Coroner's Toolkit 1.06
Dan Farmer and Wietse Venema
http://www.porcupine.org/forensics/tct.html

The Coroner's Toolkit is a collection of programs that can be used for a post-mortem analysis of a UNIX system after a break-in. Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the keyfind tool that recovers cryptographic keys from a running process or from files. It runs under FreeBSD, Linux, OpenBSD, Solaris and SunOS.

Changes: fixed rpm root directory when running on a corpse. Fixed file(1) output parsing problem with multiple characters.

 

TrustedBSD Project
Robert Watson & Ilmar S. Habibulin
http://www.trustedbsd.org/downloads

TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). The targeted features include: an extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management; fine-grained capabilities for system functions, so as to implement least privilege and reduce the risks of compromise; mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models; access control lists for the file system and other kernel resources, allowing fine-grained and manageable discretionary access control; and event auditing support with a single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.

Changes: version 0.6.1 of the ACL patches has been released; it takes into account recent extended attribute API changes and improves handling of non-ACL cases with the acl_get_{fd,file}() interface. getfacl and setfacl have also been removed from the ACL distribution, as they have now been committed to the base source tree. All that remains in the ACL distribution is the UFS-specific modifications to the kernel, which are now being reviewed for near-term committing. This patch requires FreeBSD 5.0-CURRENT from March 19, 2001.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

Attack scripts that use Snort signatures to simulate attacks, for testing Snort.

Note: first time in the Tools Digest.

 

Nmap 2.53 - Devel: 2.54 beta 22
Fyodor
http://www.nmap.org

NmapNT is a Windows port of Nmap, the most popular network scanning tool to date. Nmap, which until now only ran under Unix, has a superior ability to map out and scan remote networks. Now this same power can be used from NT platforms.

Changes: release of the Service Pack 1 for NmapNT.

 

WAP-Nmap enables an Nmap scan from a WAP enabled device and pumps the results back to the device.

Changes: no information about the changes.

 

SAINT 3.1.7
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN.

Changes: new checks with this version: SNMP vulnerabilities in Cisco IOS and CatOS, Net.Commerce and WebSphere user enumeration and encryption vulnerabilities, PHP Nuke (base-64 encoded null character vulnerability), Interbase server backdoor account, MERCUR Mail Servers, CUPS print servers, new vulnerabilities in WFTP, post-query, anonymous FTP servers allowing directory traversal using ../, new vulnerabilities in Icecast.

 

NetSaint Network Monitor 0.0.7 beta3
Ethan Galstad
http://www.netsaint.org

NetSaint is a program that will monitor hosts and services on your network. It has the ability to email or page you when a problem arises and when it gets resolved. NetSaint is written in C and is designed to run under Linux, although it should work under most other Unix variants. It can run either as a normal process or as a daemon, intermittently running checks on various services that you specify. The actual service checks are performed by external "plugins" which return service information to NetSaint. Several CGI programs are included with NetSaint in order to allow you to view the current service status, history, etc. via a web browser.

Changes: beta 3 of the 0.0.7 release is now available. It fixes several bugs: embedded Perl interpreter bug fixes; fixed bug where host/service state statistics were incorrectly inflated - retention data must be blown away in order to remove the incorrect times, unless someone writes a script; fixed date/time format bugs in PostgreSQL code. Added three auto-layout modes to statusmap CGI. Added support for DB table optimization (i.e. VACUUM in pgsql).

 

LIDS 0.9.1 - Devel: 0.9.13 (2.2.18 kernel) / 1.0.6 (2.4.2 kernel)
Xie Hua Gang
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: new development version 1.0.6 for Linux kernels 2.4.2. Add inherit level (TTL) field in structure lids_sys_acl. Add parent pid in lids_security_alert message. Include the updated lidsadm man page from Steve Bremer.

 

Chkrootkit 0.23a
Nelson Murilo
http://www.chkrootkit.org

Chkrootkit locally checks for signs of a rootkit. It includes detection of LKM rootkits, ifpromisc.c to check whether the interface is in promiscuous mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD. The following commands are examined: chfn, chsh, cron, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, pstree, rshd, sendmail, sshd2, su, syslogd, tcpd and top.

Changes: this version fixes a bug found in the cron and bindshell tests.

 

BigBrother 1.7a for UNIX, 1.07d for NT WS, 2.2a for NT SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: new version 1.7a for Unix. No information about the changes.

 

MergeLog 4.4
Bertrand Demiddelaer
http://download.sourceforge.net/mergelog

MergeLog is a small and fast C program which merges and sorts http log files in 'Common Log Format' from web servers behind round-robin DNS. It has been designed to easily manage huge log files from highly stressed servers. MergeLog is distributed with ZMergeLog which supports gzipped log files.

Changes: fixed a major bug on a broken month initialization.
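As an added illustration of what MergeLog does (this is not MergeLog's own C code), the following Python merges per-server Common Log Format files from servers behind round-robin DNS into one time-ordered stream. The sample log lines are constructed; the month-name table is built once before parsing, which is the kind of initialisation the changelog above refers to, and timezone offsets are normalised to UTC so that servers in different zones sort correctly.

```python
import heapq
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: two web servers behind round-robin DNS, each writing
# its own Common Log Format file. Each file is in time order, but the two
# interleave, and server B logs in a +0100 zone while server A logs in UTC.
SERVER_A = [
    '10.0.0.5 - - [16/Mar/2001:12:03:44 +0000] "GET / HTTP/1.0" 200 1043',
    '10.0.0.9 - - [16/Mar/2001:12:04:01 +0000] "GET /a HTTP/1.0" 404 312',
    '10.0.0.5 - - [16/Mar/2001:12:05:30 +0000] "GET /b HTTP/1.0" 200 55',
]
SERVER_B = [
    '10.0.0.7 - - [16/Mar/2001:13:03:50 +0100] "GET /c HTTP/1.0" 200 77',  # 12:03:50 UTC
    'corrupt line with no timestamp',                                         # constructed bad record
    '10.0.0.7 - - [16/Mar/2001:13:04:59 +0100] "GET /d HTTP/1.0" 200 88',  # 12:04:59 UTC
]

# Month-name table built once at import time; CLF carries month abbreviations,
# not numbers, so this mapping must be initialised before any line is parsed.
MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# CLF timestamp field: [dd/Mon/yyyy:HH:MM:SS +hhmm]
CLF_TS = re.compile(
    r"\[(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]")


def clf_timestamp(line):
    """Parse the CLF timestamp of one log line into a UTC datetime, or None if unparsable."""
    m = CLF_TS.search(line)
    if not m:
        return None
    day, mon, year, hh, mm, ss, sign, tzh, tzm = m.groups()
    month = MONTHS.get(mon.title())
    if month is None:
        return None
    offset = timedelta(hours=int(tzh), minutes=int(tzm))
    if sign == "-":
        offset = -offset
    try:
        local = datetime(int(year), month, int(day), int(hh), int(mm), int(ss),
                         tzinfo=timezone(offset))
    except ValueError:  # e.g. 31/Feb or 25:00:00
        return None
    return local.astimezone(timezone.utc)


def merge_logs(*logs):
    """k-way merge of per-server CLF logs (each already in time order) into one
    stream ordered by UTC timestamp. Returns (merged_lines, dropped_count);
    lines without a valid timestamp are dropped rather than mis-sorted."""
    dropped = 0
    keyed_logs = []
    for log in logs:
        entries = []
        for line in log:
            ts = clf_timestamp(line)
            if ts is None:
                dropped += 1
                continue
            entries.append((ts, line))
        keyed_logs.append(entries)
    merged = [line for _, line in heapq.merge(*keyed_logs, key=lambda e: e[0])]
    return merged, dropped


if __name__ == "__main__":
    lines, bad = merge_logs(SERVER_A, SERVER_B)
    print("\n".join(lines))
    print(f"dropped {bad} unparsable line(s)")
```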

 

FreshMeat

Samhain 0.9.12 - Devel: 1.1.9
Rainer Wichmann
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.

Changes: compatibility option for old behavior (plain hash instead of HMAC, ECB instead of CBC mode), use CBC rather than ECB mode for encryption, use HMAC-TIGER for message authentication codes, handle NULL data in sh_tiger_hash, option to set syslog facility (default is LOG_AUTHPRIV), longer timeout (300 sec) on /dev/random if no /dev/urandom, fix minor output error with stealth option, option not to log names of config/database files on startup.

 

PacketStorm

Viperdb 0.9.8
Peter Surda
http://panorama.sth.ac.at/viperdb

Viperdb is a file checker. It is meant to be run from cron on a regular basis in order to monitor strange activity on a system. It supports checking of size, mtime, privileges, UID/GID, added/deleted files, and MD5 checksums. Data isn't stored in a single archive as in Tripwire, but is split among all the monitored directories. This Viperdb is in fact a fork of the original, as the original authors seem unreachable.

Changes: bug fixes.

 

SecurityFocus

FCheck 2.07.59
Michael A. Gumienny
http://www.geocities.com/fcheck2000

FCheck is a Perl script written to generate a baseline of a UNIX system and comparatively monitor it for any file alterations, reporting them through syslog, the console, or any log monitoring interface. Monitoring can be done at intervals as short as one minute if a system's drive space is small enough, making it very difficult to circumvent. This is a freely available, open-source alternative to 'tripwire' that is time tested and easier to configure and use. It runs under AIX, BSDI, DG-UX, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Perl (any system supporting Perl), SCO, Solaris, SunOS, UNIX, UnixWare, Windows 2000, Windows 3.x, Windows 95/98 and Windows NT.

Changes: added the ability to determine the version of MD5 being used. Modified the routines that call MD5 and "file" to use pipes, giving a slight speed increase and less exposure to shell exploits.


Firewalls for UNIX/Linux/BSD & Cross-platform

IPtables 1.2.1a
NetFilter Core Team
http://netfilter.kernelnotes.org

IPtables is the new packet alteration framework (firewall utility) for Linux 2.4. It is an enhancement on IPchains, and is used to control packet filtering, Network Address Translation (masquerading, port forwarding, transparent proxying), and special effects.

Changes: several bug fixes: missing quotes around log-prefix, bug in save function of string match, ip6tables.c string buffer size fixes, dependency problem with iptables-save / iptables-restore, strtok problem with iptables-save / iptables-restore, problems with TCP/UDP extension and multiple calls of do_command(). Kernel bugfixes in patch-o-matic: updated rpc-record patch to work with 2.4.0, new ftp-pasv patch for fixing PASV detection with some ftpd's, fix checksum calculation of TOS target. Other enhancements: new `pending-patches' target, build all shared library extensions regardless of kernel tree, new counter-restore functions for IPtables, added libiptc and libipulog to the 'devel' Makefile target, ported iptables-save/restore to IPv6, updated ULOG target (now in-kernel accumulation [= higher performance]), added fxp support to ftp-multi patch, implemented Boyer Moore Sublinear search algorithm for string match, fixed tcp-window-tracking incompatibility with NAT helpers. New patch-o-matic patches: new generic sequence number offset API for NAT helpers, new psd (port-scan-detection) match, new NETLINK target for old IPchains -o behavior, new SAME target as a special case of SNAT, ported LOG target to IPv6, ported owner, limit, mac and multiport match to IPv6.

 

IPfilter 3.4.16
Darren Reed
http://coombs.anu.edu.au/~avalon

IPfilter is a TCP/IP packet filter suitable for use in a firewall environment. To use, it can either be run as a loadable kernel module (recommended) or incorporated into your kernel. Scripts are provided to install and patch system files as required. IP Filter also supports transparent proxying via packet forwarding, including round-robin forwarding to achieve load-balanced proxy.

Changes: round-robin redirection to spread traffic load over multiple IP addresses. Load-splitting for redirection (splits IP traffic between two alternate destinations). Solaris 8 support. IPv6 support (ipf -6/ipfstat -6). Save/restore of state and NAT information (ipfs). "top"-style output option for ipfstat (ipfstat -t). Destination and source address matching for map/rdr rules. l4check: a program to monitor redirection destinations for layer 4 load balancing.

 

FreshMeat

IPtables Linux Firewall 4.3f - Devel: 4.4c-3c
Patrik Hildingsson
http://my.netfilter.se

IPtables Linux Firewall is a firewall that uses NetFilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.

Changes: new development version 4.4c-3c: another bugfix in FORWARD chain.

 

Securepoint Firewall Server SB 1.165
Lutz Hausmann
http://www.securepoint.cc

The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system with its own operating system, based on a secure Linux. You can use the firewall on a standard PC with two or three network cards, and it is easy to install and administer.

Changes: updated network interface driver VIA-RHINE (Module 42); new revisions of the D-Link DFE 530-TX are now supported. New revisions of the 3c905 Revision C network interface are supported (Module 43); for older revisions use Module 7. Passive FTP is no longer allowed by default in the firewall rules; there is a new service (ftp-data-pasv) which you have to configure if you need passive FTP. Attention: if you do this, ports 1024 to 65535 will be opened. Fixed a small error: ping from external to internal when the internal net isn't masked. New configuration possibilities with the program config.fw: backup of the configuration, restore of the configuration, inserting a patch, and mailing the configuration to the Securepoint support department.

 

Astaro Security Linux 1.800
Astaro AG
http://www.astaro.com/products/index.html

Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons run in change-roots (chroots) and are protected by kernel capabilities. See also the discussion board on http://www.astaro.org.

Changes: no information about the changes.

 

PCX Firewall 1.5
James A. Pattie
http://pcxfirewall.sourceforge.net

PCX Firewall is an IPtables firewalling solution that uses Perl to generate static shell scripts based upon the user's configuration settings. This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.

Changes: this new version includes minor rule cleanups.


Tools for UNIX/Linux/BSD & Cross-platform

Bastille Linux v1.1.1 - Devel: 1.2.0.pre17
Jay Beale
http://www.bastille-linux.org

The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.

Changes: new development release 1.2.0.pre17. This is another alpha release featuring a smarter interface and increased compatibility. Mandrake 8.0 and Red Hat 7.0 support on the way!

 

Squid Web Proxy Cache 2.4 - Devel: 2.5
Glenn Chisholm, Alex Rousskov and Duane Wessels
http://www.squid-cache.org

Squid is a full-featured Web proxy cache designed to run on Unix systems. It is free, open-source software, the result of many contributions by unpaid volunteers, with funding from the National Science Foundation. It supports proxying and caching of HTTP, FTP, and other URLs, proxying for SSL, cache hierarchies, ICP, HTCP, CARP, Cache Digests, transparent caching, WCCP (Squid v2.3), extensive access controls, HTTP server acceleration, SNMP and caching of DNS lookups.

Changes: new stable version 2.4 including the following changes: fixed a bug in and cleaned up class 2/3 delay pools incrementing; fixed a core dump bug when using external dnsservers that become overloaded; fixed some NULL pointer bugs for the NULL storage system when reconfiguring; fixed a bug with useragent logging that caused Squid to think the logfile never got opened; fixed a compile bug with --disable-unlinkd. New development version 2.5 including the following changes: major rewrite of proxy authentication to support schemes other than basic. First in line is NTLM support, but others can easily be added (digest is on the way). Reworked how request bodies are passed down to the protocols. Now all client side processing is inside client_side.c, and the pass and pump modules are no longer used. Optimized searching in proxy_auth and ident ACL types; large access lists should now be handled a lot more efficiently. Fixed forwarding/peer loop detection code: a peer is now ignored if it turns out to be us, rather than committing suicide. Changed the internal URL code to obey appendDomain for internal objects if it needs appending. This fixes weirdness where a machine can think it is "foo.bar.com", and "foo" is requested. Added support for NetFilter in Linux 2.4. This allows transparent proxy connections to function correctly in the absence of a Host: header. This requires --enable-linux-netfilter to be passed to configure.

 

APG - Automated Password Generator 2.0.0a0
Adel I. Mirzazhanov
http://www.adel.nursat.kz/apg

APG is a tool set for random password generation. There is a standalone version that generates some random words of the required type and prints them to standard output, and there is a network version that consists of an APG server and an APG client. When a client's request arrives, the server generates some random words of a predefined type and sends them to the client over the network (according to RFC0972). APG uses two password generation algorithms: the Pronounceable Password Generation Algorithm (according to NIST FIPS 181) and the Random Character Password Generation Algorithm with 19 configurable modes of operation. The password length parameters are configurable, as is the number of generated passwords. It supports /dev/random. It makes the password generation service available from any type of box (Mac, WinXX, etc.) that is connected to the network, and it can force remote users to use only the allowed type of password generation.

Changes: added new algorithm (-b option) to check generated passwords quality (Bloom filter). Added utility apgbfm to manage Bloom filter. Some code style fixes. Added APG_TIPS file in documentation.

 

MimeDefang 1.0
David F. Skoll
http://www.roaringpenguin.com/mimedefang

MIME Defanger is a flexible MIME e-mail scanner designed to protect Windows clients from viruses and other harmful executables. It works with Sendmail 8.10 / 8.11 and will alter or delete various parts of a MIME message according to a flexible configuration file.

Changes: a lot of changes since last version in December 2000. Please consult the changelog file attached to the tar file for more information.

 

FreshMeat

NSA Security-enhanced Linux 200103151617 (Devel)
NSA
http://www.nsa.gov/selinux

NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control architecture into the major subsystems of the kernel. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

Changes: kernel patches are now provided for 2.4.2 and 2.2.18: the 2.4.2 patch includes changes to virtualize the persistent SID mapping interfaces and the file mandatory access controls; the 2.2.18 patch includes several bug fixes to the old 2.2-based patch. It also includes a new implementation of System V IPC mandatory access controls; these controls have not yet been ported to the 2.4 kernel. Both the 2.2.18 and 2.4.2 patches incorporate a change in the implementation of the new system calls that is not backward compatible with the old implementation. Hence, the updated libsecure must be compiled and all modified utilities must be relinked against it. The util-linux patch is now provided for the util-linux-2.10s sources from http://www.kernel.org. The procps patch is now provided for the procps-010114 sources from http://www.cs.uml.edu/~acahalan/procps. The vixie-cron patch is now provided for the vixie-cron-3.0.1-61 sources from Redhat. A small fix was made to the spasswd wrapper program to ensure that it is not mistakenly used by an administrator to try to change another user's password; a README was added to explain the purpose of this program. The shadow password file is no longer moved by the installation scripts, and the modified versions of libpwdb, sulogin, and the shadow utilities are no longer provided; the relocation of the shadow password file was creating compatibility problems with a number of applications despite the updated libpwdb; a different approach for maintaining a separate security context on the shadow password file will be implemented in the future. The modified versions of rshd and wu-ftpd were removed from the distribution, and each of these daemons was limited to its initial domain in the example policy configuration.

 

Linux VPN 1.2
Alex Fiori
http://anti.someone.net

Linux VPN is an easy way to set up a VPN using pppd over encrypted ssh tunnels with Linux.

Changes: changed src/scripts to src/example, changed src/scripts/net-192.168.1.1.sh to src/example/net-example.sh, changed whole directory tree. Added new documentation in file INSTALL, added log system in vpn-server and VPN client (see directory log), added security in vpn-wrapper and vpn-keepalive.

 

SILC 20010319 (Devel)
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.

Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.

 

Libmcrypt 2.4.10
Nikos Mavroyanopoulos
http://mcrypt.hellug.gr

Libmcrypt is a library which provides a uniform interface to several symmetric encryption algorithms. It is intended to have a simple interface to access encryption algorithms in OFB, CBC, CFB, and ECB modes. The algorithms it supports are DES, 3DES, RIJNDAEL, Twofish, IDEA, GOST, CAST-256, ARCFOUR, SERPENT, SAFER+, and more. The algorithms and modes are also modular so you can add and remove them on the fly without recompiling the library.

Changes: no information about the changes.

 

Passwords On Card 1.1
Henning Koester
http://poc.crackinghacking.de

With Passwords On Card you can manage passwords on smartcards. The passwords are stored encrypted on the card.

Changes: backup_card.c: added chmod(). lang.h: added error message for chmod fail. tiger.c: changed to the 'original' code. I never got correct hashes.

 

Logplay 2.0
Rando Christensen
http://projects.babblica.net/logplay

Logplay is a simple system of a Perl script that runs in the background, and a FIFO which it reads from. Syslog pipes logs to the FIFO for Logplay; Logplay will then play sounds when certain customizable events happen. It has support for .wav, .au, and .mp3 formats, and can work with the speechd utility to speak out loud.

Changes: no information about the changes.

 

Fwipe 0.3
Len Budney
http://www.pobox.com/~lbudney/linux/software/fwipe.html

Fwipe overwrites your file a specified number of times (default: 5) and then deletes it. It is extremely secure; it will not be confused by filenames containing special characters, and is suitable for use in cleanup scripts by system administrators.

Note: first time in the Tools Digest.

 

PacketStorm

Saint Jude LKM 0.11
Tim Lawless
http://freshmeat.net/projects/stjude

Saint Jude LKM is a Linux kernel module that implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: this is the most stable version yet. Tested with kernel 2.4. Added Learning Parser to facilitate the generation of the rulebase from the Learning Mode output. Combined with the Override directive, remote root attacks may be thwarted.


Tools for Windows

Winfingerprint 0.1.0
Vacuum
http://winfingerprint.sourceforge.net

Winfingerprint is an advanced remote Windows OS detection tool. Current features are: determine the OS using SMB queries (PDC (Primary Domain Controller), BDC (Backup Domain Controller), NT member server, NT workstation, SQL server, NOVELL NetWare server, Windows for Workgroups, Windows 9x); enumerate shares including administrative ($) shares; enumerate users; display active services; enumerate transports; enumerate sessions; establish NULL IPC$ sessions; and Service Pack, hotfix and group enumeration.

Changes: wfple (Limited Edition GUI) and the full featured winfingerprintclassic (Command Line) have been merged into Winfingerprint.


Note: tools announced on forums are not necessarily updates, new, or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: March 21, 2001