Weekly Security Tools Digest
2001/03/23 to 2001/03/29

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include TTSSH, OpenSSH, OpenSSL, PureTLS, TrustedBSD and Linux Kernel.

Auditing and Intrusion Monitoring tools include Snort, ACID, SCRAM, SAINT, SARA, Chkrootkit, PIKT, LIDS, BigBrother and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IPtables Linux Firewall and rTables Linux Firewall.

Tools for Linux/Unix/Cross Platform include Bastille Linux, SILC, Openwall Linux kernel patch and 4 other tools.

Tools for Windows include PatchWork, DumpReg, DumpSec, PromiScan and WinPcap.


General Tools

SSH

TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH has been developed entirely in Australia, and can be exported from here to anywhere in the world. TTSSH includes the following features: compatible with SSH protocol version 1.5, ciphers: 3DES, Blowfish, DES (RC4 and IDEA are also included but must not be used), server authentication using the ssh_known_hosts database (including the option of adding a server's key to the database), authentication using password, RSA, rhosts, rhosts+RSA, TIS challenge/response, compression support and connection forwarding, including full support for X connection forwarding.

Changes: this version provides some protection against traffic analysis by padding the transmitted SSH password with NULs.

The portable OpenSSH release is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.

Changes: release of version 2.5.2p2. Consult ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog for more information about the changes.

 

SSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.

Changes: no information about the changes in this new version.

PureTLS is a free Java-only implementation of the SSLv3 and TLSv1 (RFC2246) protocols, with a number of cipher suites. PureTLS is able to read keys out of a subset of OpenSSL-style keyfiles, which makes generating keying material easy (i.e., use OpenSSL). Both client authentication and renegotiations are supported. PureTLS was developed by Eric Rescorla for Claymore Systems, Inc. but is being distributed for free because we believe that basic network security is a public good and should be a commodity.

Changes: support for Cryptix 3.2 and JDK 1.3. Support for SSLv2 backwards compatible ClientHello. Abstracted I/O, which lets you provide your own non-socket InputStream and OutputStream to create an SSLSocket. Bug fixes and support for key generation in Netscape SPKAC format using the COM.claymoresystems.cert.CertRequest class.

 

TrustedBSD Project
Robert Watson & Ilmar S. Habibulin
http://www.trustedbsd.org/downloads

TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). The targeted features include: an extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management. Fine-grained capabilities for system functions so as to implement least privilege and reduce the risks of compromise. Mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models. Access control lists for the file system and other kernel resources allowing fine-grained and manageable discretionary access control. Event auditing support, and a single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.

Changes: pre-release for revised MAC (Mandatory Access Control) implementation, including label enforcement for file system operations on UFS/FFS, and inter-process signaling, visibility, and debugging. This is highly experimental; it requires a FreeBSD 5.0-CURRENT checkout from December 17, 2000. A substantial rewrite is in progress and will be released in mid-April. Note: the remainder of the ACL utilities, library code, and kernel patches have been integrated into the base FreeBSD source tree, and as such will not be independently available on the TrustedBSD Downloads page any longer.

 

Linux-2.4.2 and Linux-2.2.19
http://www.kernel.org

Changes: new version 2.2.19 of the Linux kernel. This is the newest stable release in the 2.2 branch. It includes two important local security fixes made since the release of 2.2.18, in addition to many small bug fixes.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Changes: information about LION Worm is now available on the web site. A rule was written by Max Vision based on the exploit code, this rule is included in both the vision.conf and snort.conf (under exploit.rules) rulesets. General information: Silicon Defense (http://www.silicondefense.com) now offers Commercial Support for Snort! Ruleset Re-Release, Jim Forster has updated the ruleset and has also added many web-related rules to the set. Database updates are underway, but do not currently reflect this set.

ACID stands for Analysis Console for Intrusion Databases and is a PHP-based analysis engine to search and process a database of security incidents generated by the NIDS Snort. The features currently include: a search interface for finding alerts matching practically any criteria, including arrival time, signature time, source/dest address/port, flags, payload, etc. Furthermore, these queries can be made arbitrarily complex to satisfy almost any parameters. Alert Groups allow for a logical grouping of alerts on which analysis can be done; it is a quick way to combine multiple searches or to associate a comment with an alert or group of alerts. Alert purging to remove false positives. Statistics: snapshot statistics to assess current network state, aggregate statistics on a per sensor, IP, or alert basis, and graphing of alert arrival over time. All analysis is done in real-time.

Changes: reference tag support, additional bug fixes. Signatures are now always printed as follows: [reference1] ... [reference-n], where [reference-x] is hyperlinked text like "Bugtraq", "cve", etc. pointing to the appropriate link on the site. DB schema v100 support.

The SCRAM (Snort Capture Reporting And Maintenance) script keeps the Snort alert logs maintainable by not letting them grow too large. When run as a cron job, it mails out a consolidated logfile. SCRAM cleans up the log directory, keeps a week's worth of consolidated unarchived data, and a month's worth that is gzipped. It can also send out snort_portscan.log (optional).

Changes: no information about the changes in this new version.

 

SAINT 3.1.8 beta 1
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on Satan.

Changes: this new version checks for the Lion worm.

 

SARA 3.3.5
Advanced Research Corporation
http://www-arc.com/sara

Security Auditor's Research Assistant (SARA) is a security analysis tool based on Satan. Checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.

Changes: added tests for Linux Lion worm which is the result of a Linux compromise (usually through a bind attack). Added test for the SunOS snmpXdmid vulnerability. Updated SSH testing for new vulnerabilities. Included OpenSSH signature to SSH testing. Fixed Lynx problem in html.pl. Improved telnet login performance and expanded to non telnet ports.

 

Chkrootkit 0.3
Nelson Murilo
http://www.chkrootkit.org

Chkrootkit locally checks for signs of a rootkit. Includes detection of LKM rootkits, ifpromisc.c to check and see if the interface is in promisc mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD. The following commands are examined: basename, biff, chfn, chsh, cron, date, dirname, du, echo, env, find, fingerd, grep, identd, ifconfig, inetd, killall, login, ls, mail, netstat, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rshd, sendmail, sshd, su, syslogd, tar, tcpd, telnetd, timed, top, traceroute and write.

Changes: this version includes a lot of new features: new tests: basename, dirname, traceroute, rpcinfo, rexedcs, date, echo, env, timed, identd, pop2, pop3, write, tar, mail, biff and grep. RK17 detection. Lion Worm detection.

 

PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre6
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: sixth pre-release of the 1.13.0 series: added the #setdef and '!' variant define preprocessor directives. Fixed a bug where, if standard directories between master and slave differ, files might not get installed or otherwise handled properly. Fixed (we hope) some long-standing problems with timing/sequencing of parent and child processes. Improved debug logging. Fixed various minor bugs.

 

LIDS 0.9.1 - Devel: 0.9.15 (2.2.19 kernel) / 1.0.6 (2.4.2 kernel)
Xie Hua Gang
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: new development version 0.9.15 for 2.2.19. This version is updated for kernel 2.2.19, fixes a sysctl bug, and adds a lids.conf format checker to lidsadm.

 

BigBrother 1.7a for UNIX, 1.07e for NT WS, 2.2a for NT SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: new version 1.07e for NT workstation. No information about the changes.

 

FreshMeat

Procwatch 1.0
Adam G.
http://www.speakeasy.net/~aguyot/procwatch

Procwatch is a security monitor written in Perl that watches a /proc filesystem for new processes. When a process is created, Procwatch reports the time, the username, the PID, and the binary that was run. Its output is suitable for logging to log files and is geared for system administrators who are testing a new but as yet untrusted UNIX system. Although it cannot detect, and is not proof against, hacked loadable kernel modules that have modified /proc, it is useful in watching for possible rogue binaries.

Note: first time in the Tools Digest.
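The polling approach Procwatch describes, as an added example written for this digest rather than Procwatch's own Perl code: take a snapshot of the numeric entries under /proc, diff it against the previous snapshot, and emit one line per new PID with time, user, PID and executable. The snapshot reader assumes the Linux /proc layout (/proc/<pid>/exe symlink, directory owner = process uid); the diffing and formatting functions take plain dictionaries so they can be exercised with constructed data. As the digest notes, a kernel module that hides entries from /proc defeats this; a further limit of any poller is that a process which starts and exits inside one interval, or which reuses a PID from the previous snapshot, is never reported.

```python
"""Procwatch-style process monitor (added example, not the Procwatch source)."""
import os
import time
from typing import Dict, List, NamedTuple

try:
    import pwd  # Unix only; maps uid -> user name for the report line
except ImportError:  # pragma: no cover
    pwd = None


class ProcInfo(NamedTuple):
    pid: int
    uid: int
    exe: str


def snapshot_proc(proc_root: str = "/proc") -> Dict[int, ProcInfo]:
    """Read one snapshot of the processes visible under proc_root (Linux layout)."""
    procs: Dict[int, ProcInfo] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # skip /proc/self, /proc/sys and similar non-PID entries
        pid = int(name)
        pid_dir = os.path.join(proc_root, name)
        try:
            uid = os.stat(pid_dir).st_uid  # /proc/<pid> is owned by the process uid
        except FileNotFoundError:
            continue  # the process exited between listdir() and stat()
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            exe = "?"  # kernel threads, zombies and other users' processes hide exe
        procs[pid] = ProcInfo(pid, uid, exe)
    return procs


def new_processes(before: Dict[int, ProcInfo], after: Dict[int, ProcInfo]) -> List[ProcInfo]:
    """Processes present in `after` but not in `before`, in PID order.

    Blind spot of any polling monitor: a process that starts and exits within
    one interval, or that reuses a PID already present in `before`, is missed.
    """
    return [after[pid] for pid in sorted(after) if pid not in before]


def format_event(info: ProcInfo, when: float) -> str:
    """One log line: time, user name (uid if unresolvable), PID and binary."""
    user = str(info.uid)
    if pwd is not None:
        try:
            user = pwd.getpwuid(info.uid).pw_name
        except KeyError:
            pass
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(when))
    return f"{stamp} user={user} pid={info.pid} exe={info.exe}"


def watch(interval: float = 1.0, proc_root: str = "/proc") -> None:
    """Poll forever and print a line for every newly created process."""
    previous = snapshot_proc(proc_root)
    while True:
        time.sleep(interval)
        current = snapshot_proc(proc_root)
        for info in new_processes(previous, current):
            print(format_event(info, time.time()))
        previous = current


if __name__ == "__main__":
    watch()
```

Run it as root on the host under test to see every process; as an unprivileged user the exe column shows "?" for processes belonging to other users, though their PID and owner still appear.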

 

PacketStorm

Sentinel 1.2.1
Zurk Industrial Estates
http://zurk.sourceforge.net/zfile.html

Sentinel is a fast file integrity checker similar to Tripwire or Viperdb with built in authentication using the RIPEMD 160 bit MAC hashing function. It uses a single database similar to Tripwire, maintains file integrity using the RIPEMD algorithm and also produces secure, signed logfiles. Its main design goal is to detect intruders modifying files. It also prevents intruders with root/superuser permissions from tampering with its log files and database.

Note: first time in the Tools Digest.

 

SecurityFocus

Gate
Stas Lanford
http://www.securityfocus.com/tools/384

Gate is a network security scanner for Linux and Solaris. Unlike most other scanners, however, it is modular in design. Modules can easily be added and deleted to customize the checks the scanner performs, and modules can easily be written by the end users. By default, it comes with some simple NFS, web and port scan modules.

Note: first time in the Tools Digest.


Firewalls for UNIX/Linux/BSD & Cross-platform

Zorp 0.8.1
Balazs Scheidler
http://www.balabit.hu/products/zorp

Zorp is a new-generation modular proxy firewall suite to fine tune proxy decisions with its built in script language, fully analyze complex protocols (like SSH with several forwarded TCP connections), and utilize outband authentication techniques (unlike common practices where proxy authentication had to be hacked into the protocol).

Changes: whois proxy module added (though this seems to be a new feature, it is simply a new plugin for Zorp and doesn't affect the core). Small cosmetic changes in finger. Some deadlock/race-prone code was replaced; the new code is backported from 0.9. Implemented thread pools, to avoid problems with excessive thread usage.

 

FreshMeat

IPtables Linux Firewall 4.3f - Devel: 4.4d
Patrik Hildingsson
http://my.netfilter.se

IPtables Linux Firewall is a firewall that uses NetFilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.

Changes: new development version 4.4d: allow_ports-internal applies both to DMZ and internal interface. Reads reserved IPs from separate file. Checks ports already in forward chain. Disables tcp-timestamping. Another Bugfix in FORWARD chain.

 

rTables Linux Firewall 1.03.28.0 (Devel)
Rebby
http://rtables.rebby.com

rTables is a detailed, custom, IPtables firewall for Linux 2.4.x, easily implemented on boxes with one to three network interfaces. It is currently set up to handle a single external LAN, single internal LAN, and a single internal DMZ with support for multiple LANs/DMZs to follow.

Changes: major code rewrite (removed some functions that did nothing but call other functions). Altered the setup of the tables to decrease end table size. Added support for lpd. Moved default install locations to prevent script from breaking if /usr/local is not mounted for some reason.


Tools for UNIX/Linux/BSD & Cross-platform

Bastille Linux v1.1.1 - Devel: 1.2.0.pre22
Jay Beale
http://www.bastille-linux.org

The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.

Changes: new development release 1.2.0.pre22. This is much more stable than past releases -- expect rapid development of future versions.

 

FreshMeat

SILC 20010326 (Devel)
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.

Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.

 

Openwall Linux kernel patch 2.2.19-ow1 (Default) - 2.0.39-ow3 (Linux 2.0)
Solar Designer
http://www.openwall.com/linux

The Secure-Linux patch adds a few security features to the kernel which, while not a complete method of protection, will stop most of the 'cookbook' buffer overflow exploits cold. It also adds the option of restricting the use of symlinks and named pipes in +t (temp) directories which fixes most tmp-race exploits as well. It can also add a little bit more privacy to the system by restricting access to parts of /proc to root so that users may not see who else is logged on or what they're doing. Also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction, and privileged IP aliases for kernel 2.0.

Changes: no information regarding the changes.

 

Viralator Proxy Virus Scanner 0.7
Loddington
http://viralator.loddington.com

Viralator interfaces your network's squid proxy server with a virus scanner. Before a user can download a file, the proxy passes the file to the Viralator script which, in turn, uses a virus scanner (Inoculate for the first release) to scan, disinfect or delete the download. This is especially good for stopping virus infected files from free email sites like hotmail, etc. Future enhancements will include other types of antivirus scanners, speed improvements and limiting downloads to approved users. Support has now been added for AntiVir, AVP, RAV and Sophos antivirus scanners, password protected sites, and filenames with spaces and special characters.

Note: first time in the Tools Digest.

 

Tinyproxy 1.3.3b
Robert James Kaes
http://tinyproxy.sourceforge.net

Tinyproxy is a lightweight HTTP proxy designed to do the job with a minimum of system resource use. It's ideal for small networks in which a larger HTTP proxy such as Squid might be overkill or a security risk. This simplicity also makes Tinyproxy an ideal candidate for customization; it takes very little time to read and understand the Tinyproxy source, and you can start adding your own desired features in short order.

Note: first time in the Tools Digest.

 

SecurityFocus

Access List Examples
Paul Traina
http://www.securityfocus.com/tools/99

A series of Perl scripts that allow one to quickly and easily configure ACL entries for Cisco routers.

Note: first time in the Tools Digest.

 

SMSotp 0.1.0
Lukasz Luzar
http://developers.of.pl/projects/smsotp

SMSotp is an authorization system based on SMS (Short Message Service). The system is the most reliable way of secure authorization. It eliminates all disadvantages of a typical login/password and any other OTP implementations. When you want to log into the server from an untrusted network, you send an SMS message with your real login and password (e.g. "john 12blah45") in the body of the message to the GSM phone connected to the server. When the server receives a message, the SMSotp daemon processes the request in the following steps: it checks whether the user is permitted to authorize from the user's phone number (by checking the /etc/smsotp.access file). When the user is not permitted to use SMSotp authorization, no special action is performed (except a warning via syslog()). Otherwise the daemon performs login/password authorization and, if the authorization is successful, creates a ticket for the user in the /var/smsotp directory and saves a temporary access code there (e.g. "4f21"). Finally it sends the code to the user's mobile phone. Otherwise the user receives the message "password incorrect". When the user receives the SMS with the code, he is able to log into the system with the new temporary password.

Note: first time in the Tools Digest.
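The daemon's decision sequence above, as an added example that is not SMSotp's own code: permitted-sender check, login/password verification, issue of a short temporary code, and later one-time acceptance of that code as the temporary password. The access-list format, the user table, the phone numbers and the ticket lifetime are all constructed assumptions (the digest names /etc/smsotp.access and /var/smsotp but does not describe their contents), and the in-memory dictionary stands in for the per-user ticket file. The clock and code generator are injectable so the flow can be tested deterministically; the default generator produces a 4-hex-digit code of the same shape as the page's "4f21".

```python
"""SMSotp-style authorization flow (added example, not the SMSotp source)."""
import hashlib
import hmac
import logging
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

log = logging.getLogger("smsotp")

# Constructed stand-in for /etc/smsotp.access: phone number -> logins allowed from it.
ACCESS: Dict[str, Set[str]] = {"+15550000001": {"john"}}

_SALT = b"constructed-salt"  # assumption: a real deployment keeps a per-user salt


def password_hash(password: str) -> bytes:
    """Slow salted hash so a stolen user table does not reveal plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user table; the password matches the page's example body "john 12blah45".
USERS: Dict[str, bytes] = {"john": password_hash("12blah45")}


class SmsOtpDaemon:
    def __init__(
        self,
        access: Dict[str, Set[str]],
        users: Dict[str, bytes],
        ttl_seconds: int = 300,
        clock: Callable[[], float] = time.time,
        gen_code: Callable[[], str] = lambda: secrets.token_hex(2),
    ) -> None:
        self.access = access
        self.users = users
        self.ttl = ttl_seconds  # assumption: the page says "temporary" but gives no lifetime
        self.clock = clock
        self.gen_code = gen_code  # default: 4 hex digits, like the page's "4f21"
        self.tickets: Dict[str, Tuple[str, float]] = {}  # stands in for /var/smsotp/<login>

    def handle_sms(self, sender: str, body: str) -> Optional[str]:
        """Process one inbound SMS; return the reply text to send back, or None."""
        parts = body.split()
        if len(parts) != 2:
            return None  # malformed body: silently ignored, as for an unpermitted sender
        login, password = parts
        if login not in self.access.get(sender, set()):
            # Page: no special action except a syslog warning.
            log.warning("SMSotp: %s not permitted to authorize %r", sender, login)
            return None
        candidate = password_hash(password)  # hashed even for unknown users (uniform timing)
        stored = self.users.get(login)
        if stored is None or not hmac.compare_digest(stored, candidate):
            return "password incorrect"
        code = self.gen_code()
        self.tickets[login] = (code, self.clock() + self.ttl)
        return code  # the daemon texts this code back to the user's phone

    def login(self, login: str, code: str) -> bool:
        """Accept the temporary code once, and only while its ticket is still valid."""
        ticket = self.tickets.get(login)
        if ticket is None:
            return False
        stored, expires = ticket
        if self.clock() > expires:
            del self.tickets[login]  # stale ticket: discard it
            return False
        if not hmac.compare_digest(stored.encode(), code.encode()):
            return False
        del self.tickets[login]  # one-time use: a replayed code must fail
        return True
```

Two choices worth noting from a defender's view: the code is consumed on first successful use and expires on its own, so a code observed in transit has a narrow window of value; and the sender check runs before the password check, so an SMS from an unlisted number never reaches the password oracle at all.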


Tools for Windows

PatchWork 1.1
Center for Internet Security
http://www.cisecurity.org/patchwork.html

PatchWork checks for the vulnerabilities listed by the FBI, and if any are found, points you directly to the Microsoft patches. Then PatchWork allows you to verify that they were installed correctly. PatchWork has gone through an extensive series of tests on an enormous number of systems, but software often needs to be updated.

Note: first time in the Tools Digest.

 

DumpReg 1.1
SomarSoft
http://www.systemtools.com/somarsoft

DumpReg is a program for Windows NT and Windows 95 that dumps the registry, making it easy to find keys and values containing a string. For Windows NT, the registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software, for example. Must-have product for Windows NT systems administrators. Very useful to audit systems.

Note: first time in the Tools Digest.

 

DumpSec
SomarSoft
http://www.systemtools.com/somarsoft

DumpSec is a security auditing program for Microsoft Windows NT. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable list box format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. DumpSec is a must-have product for Windows NT systems administrators and computer security auditors.

Note: first time in the Tools Digest.

 

PacketStorm

PromiScan 0.20
Daiji
http://www.securityfriday.com/promiscan_doc.html

PromiScan searches for promiscuous nodes on the local network. It does not create a heavy load on the network. PromiScan runs under Windows 2000 Professional.

Note: first time in the Tools Digest.

 

SecurityFocus

WinPcap 2.1
Loris Degioanni, Piero Viano and Fulvio Risso
http://netgroup-serv.polito.it/winpcap

WinPcap is an architecture for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.5). The packet filter is a device driver that adds to Windows 95, Windows 98, Windows ME, Windows NT and Windows 2000 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets. Packet.dll is an API that can be used to access directly the functions of the packet driver, offering a programming interface independent from the Microsoft OS. Wpcap.dll exports a set of high level capture primitives that are compatible with libpcap, the famous UNIX capture library. These functions allow capturing packets in a way that is independent of the underlying network hardware and operating system.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updates, new, or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 29 March 2001