By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include OpenSSH SecurID patch and PGPi.
Auditing and Intrusion Monitoring tools include IDScenter, PIKT, John the Ripper, Samhain, Cheops, Check-ps and 5 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, Astaro Security Linux, Securepoint Firewall Server SB, MonMotha's IPtables, Iridium Firewall, PCX Firewall, Firewall Monitor and 2 other tools.
Tools for Linux/Unix/Cross Platform include SILC, Averist, Crank and 2 other tools.
Tools for Windows include IRCR and Athena-2k. Both tools seem interesting.
SSH
- OpenSSH 2.5.2p2 + SecurID patch 1.0 - Theo Schlossnagle
This patch integrates SecurID authentication services directly into the OpenSSH daemon, allowing users to use SecurID tokens directly as their passwords instead of relying on the clunky sdshell.
http://www.omniti.com/~jesus/projects
Note: first time in the Tools Digest.
PGP
- PGPi 7.0.3 hotfix 1 - PGP International
PGPi is the international variant of PGP (Pretty Good Privacy), a public key encryption program. PGP is the de-facto standard for email encryption today, with millions of users worldwide. The international PGP versions differ slightly from the US versions, but otherwise they are completely interoperable.
http://www.pgpi.org
Changes: this hotfix corrects a bug in the Windows version of PGP 7.0.3 which made it possible for an attacker to create a .sig file containing a DLL and trick PGP into loading this DLL instead of the system DLL (a DLL search-order hijack: Windows looks in the application's directory and the current directory before the system directories). The hotfix forces the PGP component DLLs to always load from the directory they were installed in. Additionally, it forces a "Save As" dialog for any extracted file with a .dll, .sys, or .vxd extension, so such a file is never written silently next to the program.
Snort 1.7 - Martin Roesch
http://www.snort.org
- IDScenter 1.08b - Ueli Kistler
IDScenter is a tool for setting up Snort on Win32: it manages, controls and monitors the Snort IDS. IDScenter supports alarm sound functions and has error-checking procedures. If Snort is killed, IDScenter restarts it immediately. It runs under Windows 2000, Windows 95/98 and Windows NT. Its features: all features of snort.panel are implemented; IP / interface detection is possible; an integrated alert viewer is included and an external viewer can be set; an alarm sound (WAV/beep) can be played when an alert occurs; an EXE file can be started on alert (this can also be set in RULES); autostart via Registry\RUN can be set from IDScenter; the forms are non-visible, only an icon with the alert/stop/start status is shown in the taskbar.
http://www.snort.org/snort-files.htm
Changes: new features of version 1.08b: all Snort 1.7 options are now supported. Print button in the alert log window. Alarm situation: double-clicking the IDScenter tray icon opens Alert.log. Bug fixed: after a Windows restart with automatic start of IDScenter, the IDScenter directory was not set correctly.
PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre9 - Robert Osterlund
PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
http://pikt.uchicago.edu/pikt
Changes: ninth (and hopefully last) pre-release (beta) of the 1.13.0 series: resolved most AIX problems (especially relating to master operations). Fixed a bug where embedded quotes in a #popen() command string might cause problems. Fixed a bug where 'piktc -R' operations might occasionally fail. Fixed several other minor bugs.
John the Ripper 1.6 - Devel: 1.6.24 - Openwall Project
John the Ripper is a password cracker, currently available for UNIX, DOS, Win32. Its primary purpose is to detect weak UNIX passwords.
http://www.openwall.com/john
Changes: Bonus: "Strip" cracker included in the default john.conf (john.ini).
Samhain 0.9.16 - Devel: 1.1.11 - Rainer Wichmann
Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.
http://la-samhna.de/samhain
Changes: new stable version 0.9.16: verifying the integrity of the log file has become more convenient, alignment for the memory profiling code has been fixed to make it work on Solaris, and some bugs have been fixed. There is also a new development version 1.1.11: make log file verification more convenient. Fix problem with message classes in stealth mode. Linux: do not try to read file attributes for devices. Handle the root directory correctly (avoid "//" in listing). Fix problems with blocking on FIFOs/char devices (open in non-blocking mode for read, then set to blocking; open the file only if it is regular). Fix alignment in the memory profiler.
Cheops-ng 0.1.4 - Brent Priddy
Cheops-ng is a graphical network management tool for mapping and monitoring your network. It has host/network discovery functionality, OS detection, and it also does a port scan of each computer to tell what services are running, so you can use or administer them.
http://cheops-ng.sourceforge.net
Changes: added libpcap and adns to the source tree, so there are no worries about which versions people use when compiling Cheops-ng. Some problems have been found in the event handling code and the Unix domain sockets.
Dr. Morena Firewall Checker 0.0.2 - Mitsu
Dr. Morena is a tool to confirm the rule configuration of a firewall. It can check the rules regardless of how the firewall itself is configured.
http://www.securityfriday.com/fwchecker_doc.html
Note: first time in the Tools Digest.
SecureIT 0.4.1 - Brendon M. Maragia
SecureIT uses MD5 to generate fingerprints of commonly manipulated system files and alerts the system administrator via e-mail if they have been altered. It lets you specify the most commonly trojaned system files for fingerprinting.
http://www.commaflex.com/projects.html
Note: first time in the Tools Digest.
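Samhain (above) and SecureIT both work from a stored fingerprint baseline. The following is an added example of that technique, not code from either project: it hashes a list of files, records the metadata a trojan swap usually disturbs, and reports changed and missing files. Two caveats a practitioner wants: it uses SHA-256 rather than MD5, since MD5 collisions are practical and a collision-crafted replacement would match an MD5 baseline; and it signs the baseline with an HMAC, because a baseline an intruder can edit is worthless (Samhain's answer is to keep it on a separate log server, SecureIT's description does not say). The key, file names and contents in demo() are constructed for the example.

```python
"""Fingerprint baseline for commonly trojaned system files.
Added example (not SecureIT's or Samhain's code). Constructed key and
sample files; SHA-256 instead of MD5, because MD5 collisions are
practical and a collision-crafted trojan would match an MD5 baseline."""
import hashlib, hmac, json, os, stat

def fingerprint(path, algo="sha256"):
    """Content digest plus the metadata a trojan swap usually disturbs."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"digest": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(paths, key):
    """Fingerprint each file and sign the whole baseline with an HMAC, so a
    baseline an intruder edits to match his trojan is detected instead of
    trusted. The key must live off the monitored host."""
    entries = {p: fingerprint(p) for p in paths if os.path.isfile(p)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def baseline_intact(baseline, key):
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    return hmac.compare_digest(baseline["mac"], hmac.new(key, body, "sha256").hexdigest())

def check(baseline, key):
    """Compare the live files against the baseline."""
    if not baseline_intact(baseline, key):
        return {"changed": [], "missing": [], "tampered_baseline": True}
    changed, missing = [], []
    for path, old in baseline["entries"].items():
        if not os.path.isfile(path):
            missing.append(path)
            continue
        new = fingerprint(path)
        diff = [k for k in old if old[k] != new[k]]
        if diff:
            changed.append((path, diff))
    return {"changed": changed, "missing": missing, "tampered_baseline": False}

def report(result):
    """The text an administrator would get by mail (delivery is the caller's job)."""
    lines = []
    if result["tampered_baseline"]:
        lines.append("ALERT: baseline MAC mismatch, the baseline itself was modified")
    lines += [f"CHANGED {p}: {', '.join(fields)}" for p, fields in result["changed"]]
    lines += [f"MISSING {p}" for p in result["missing"]]
    return "\n".join(lines) or "OK: no changes"

def demo():
    """Run the checker over constructed files: one trojaned, one deleted,
    then a forged baseline. Returns (check result, forged-baseline result)."""
    import tempfile
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p in (ls, ps):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho original\n")
    key = b"constructed-example-key"          # constructed; keep the real one off-host
    base = build_baseline([ls, ps], key)
    with open(ls, "w") as f:
        f.write("#!/bin/sh\necho trojan\n")   # the "rootkit" replaces ls
    os.remove(ps)
    result = check(base, key)
    base["entries"][ls]["digest"] = "0" * 64  # intruder edits the baseline
    return result, check(base, key)

if __name__ == "__main__":
    r, forged = demo()
    print(report(r))
    print(report(forged))
```

Run it as a script to see both reports. In real use the baseline and the HMAC key go on read-only media or a remote host, and the checker binary itself belongs in the baseline.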
NO SHell 1.1.0 - Adel I. Mirzazhanov
NOSH is a program that logs to a file, or sends e-mail when logins are attempted to disabled accounts. It includes configurable settings for the SMTP server, mail address (for e-mail notification), and user message location.
http://www.adel.nursat.kz/nosh
Note: first time in the Tools Digest.
Check-ps 1.3.2 - Duncan Simpson
Check-ps is a program designed to detect rootkit versions of ps that fail to tell you about selected processes. It currently requires /proc, but other scanning methods can be implemented. The program runs in the background or in one-shot mode. Check-ps has grown considerably, to better resist increasingly sophisticated attacks, generate more useful reports, and implement more detection methods.
http://checkps.alcom.co.uk
Note: first time in the Tools Digest.
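The check Check-ps performs is simple to state: the kernel lists every process as a numeric directory under /proc, so any PID present there but absent from ps output is one that ps is hiding (or one that started or exited between the two listings). The following added example, not Check-ps itself, implements that comparison in Python, reads the process name from /proc/<pid>/stat rather than asking ps, and repeats the comparison to filter the race with short-lived processes. It assumes a Linux /proc and a ps that accepts -e -o pid=.

```python
"""Cross-check /proc against ps(1) to find processes that a trojaned ps
hides. Added example, not Check-ps itself. Assumes a Linux /proc with one
numeric directory per process and a ps that accepts -e -o pid=."""
import os
import subprocess

def pids_from_proc(proc="/proc"):
    """Every numeric directory in /proc is a PID the kernel admits to."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def pids_from_ps():
    """PIDs as reported by the (possibly trojaned) ps binary."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(proc_pids, ps_pids, ignore=()):
    """PIDs the kernel knows about but ps did not report."""
    return sorted((set(proc_pids) - set(ps_pids)) - set(ignore))

def name_from_stat(stat_line):
    """The process name is the parenthesised comm field of /proc/<pid>/stat;
    it may itself contain spaces or parentheses, so cut at the last ')'."""
    return stat_line[stat_line.index("(") + 1:stat_line.rindex(")")]

def describe(pid, proc="/proc"):
    """Name and command line read straight from /proc, bypassing ps."""
    try:
        with open(f"{proc}/{pid}/stat") as f:
            name = name_from_stat(f.read())
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None                        # exited between listing and read
    return name, cmd or "[kernel thread]"

def scan(passes=3):
    """One-shot check. Listing /proc and running ps are not atomic, so a
    process that starts or exits in between is a false positive; a PID has
    to be missing from ps in every pass before it is reported."""
    suspects = None
    for _ in range(passes):
        missing = set(hidden_pids(pids_from_proc(), pids_from_ps()))
        suspects = missing if suspects is None else suspects & missing
    found = []
    for pid in sorted(suspects):
        info = describe(pid)
        if info:
            found.append((pid, info))
    return found

if __name__ == "__main__":
    for pid, info in scan():
        print(f"hidden from ps: pid {pid}: {info}")
```

A kernel-level rootkit that filters /proc itself defeats this check, which is why Check-ps notes that other scanning methods can be added; a trojaned ps binary is the easier and far more common case.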
Attackwatch 0.0.1 - Beck Datentechnik
Attackwatch is intended to enhance the security of small private networks that are already protected by a restrictively configured firewall but still have a few ports open. Attackwatch analyzes the firewall output in near real time and runs scripts in response to incoming packets that got logged. Note that Attackwatch is intended for expert users.
http://www.bedatec.de/programme/software.html
Note: first time in the Tools Digest.
Snoopy.pl 0.5 - Jacob Shaw
Snoopy.pl is a simple SNMP scanner written in PERL, and making use of the Net::SNMP module. It will scan a list of hosts, and report the system id back if a valid community string is found.
http://www.sps.lane.edu/~jshaw/snoopy.pl
Note: first time in the Tools Digest.
GShield 2.4 - R. Gregory
GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.
http://muse.linuxmafia.org/gshield.html
Changes: added warnings concerning ftp and RELATED. Added run-time options: blacklists, highport, and client access. Broadcasts are automatically dropped and logged. Some kernel-specific ip-sysctl options are now configurable via gShield.conf (rp_filter, source routing, ICMP redirects, martian connection logging, syncookies, and ECN). Additional documentation concerning run-time options.
Astaro Security Linux 1.807 - Astaro AG
Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons run in chroots and are protected by kernel capabilities.
http://www.astaro.com/products/index.html
Changes: new virus pattern files.
Securepoint Firewall Server SB 1.165 Patch 1 - Lutz Hausmann
The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system with its own operating system, based on a secured Linux. The firewall runs on a standard PC with two or three network cards, and is easy to install and administer.
http://www.securepoint.cc
Changes: a small error in the routing from internal to external networks has been corrected.
MonMotha's IPtables Masquerading Firewall 2.3.6 - MonMotha and Steff
MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time your IP address changes, making it well suited to users with dialup connections. Many features, such as SSH rulesets and limited flood protection, are available. There are three branches: the default branch (current version 2.3.6), the IPtables-insecure branch (current version 2.0.1) and the IPtables 2.2 branch (current version 2.2.1).
http://t245.dyndns.org/~monmotha/firewall
Changes: new version 2.3.6 for the default branch: this version includes the following changes: add TTL mangling, fix in the DMZOUT chain and fix FTP stuff. New version 2.2.1 for the IPtables 2.2 branch: this version checks for support before enabling IP SynCookies.
Iridium Firewall 1.49b - Devel: 1.5pre12-test3 - Ryan Edwards
Iridium Firewall is a script which uses the IPchains facility in Linux 2.2 to perform network packet filtering in an attempt to protect against network-based computer attacks. It's written so that users that know what they are doing can easily configure the script themselves, but it also offers a beginner many convenience flags to turn common features on and off. Iridium Firewall is packed with features, and it is heavily commented with instructions and explanations in an easy-to-read format.
http://www.karynova.com/iridium
Changes: new stable version 1.49b: fixed a nasty bug where ftp connections were not being accepted when the FTP_SERVER flag was set and were falling through to the default DENY rule. This caused massive filling of the logs. Updated version number to comply with the scheme used in all other branches. Renamed the 'rc.firewall' file to 'iridium' for better recognition. Moved the README and INSTALL out of the script and into their own files and added a LICENSE and changelog file. Improved some of the commenting and stdout formatting of the script. New development version 1.5pre12-test3: improved the logging options greatly. Instead of 'on' and 'off', there are now 4 levels of logging: none (nothing is logged), basic (for now, this is the same as 'none'), normal (this logs packets coming from illegal networks, reserved networks, illegal ICMP packets, and anything that is not caught or accepted by another rule) and verbose (this logs Samba, CIFS, NFS and multicast packets, as well as all those logged in 'normal' mode; this will quickly fill up your log files). Added checks before loading any module or LooseUDP to see if it actually exists. If the module is not found, a warning is posted in the log file and the script moves on. Added support (and associated flags) to allow Finger and Hotline traffic through the firewall to servers running on the firewall machine itself. Added many more comments and explanations to the Masquerading section of the configuration file. Updated the installer to support Red Hat slightly better. Minor bug fix in the Database Parser.
PCX Firewall 2.1 - James A. Pattie
PCX Firewall is an IPtables firewalling solution that uses Perl to generate static shell scripts based upon the user's configuration settings. This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
http://pcxfirewall.sourceforge.net
Changes: complete rewrite, provides an API to the Filter, NAT and Mangle tables. Version 2.1 includes better error output (the module name is now displayed), checks for the maximum length of chain and log-prefix values, and includes updated rules (more default rules and some previously missing rules).
Firewall Monitor 1.0.5 - Gianni Tedesco
Fwmon is a firewall monitor for Linux. It integrates with IPchains to give you real-time notification of firewall events. It has fairly customizable output, allowing you to display a packet summary, hex, and ASCII data dumps to stdout, a logfile, or Tcpdump-style capture files. It also boasts some simple security features such as the ability to chroot itself, and operate in a non-root environment.
http://www.sourceforge.net/projects/firestorm-ids
Changes: versions 1.0.4 and 1.0.5 were released during this week. Changes for version 1.0.4: fixed printing to the wrong FD (output was sent to stdin all this time; it now prints to stdout as it should). Fwmon support for IPtables: the latest IPtables package contains all the relevant code (NETLINK target support). Documentation update and code audit. Several general bugs fixed. Removed the need for firewall marks, as the rest of the code was ignoring them anyway. Fixed some braindamage in dump_packet(). Version 1.0.5 corrects some minor security bugs and behaviour bugs, as version 1.0.4 was not entirely bug-fixed.
Dynfw 1.0 - Daniel Robbins
Dynfw (dynamic firewall scripts) is a collection of robust bash scripts that automate common IPtables firewall-related tasks, such as blocking hosts, rate limiting access to services, rate limiting specific hosts, preventing a user on the system from generating any network data, and more. These scripts have been designed to work with virtually any type of IPtables-based Linux firewall. All tools record the IP/UIDs currently blocked/limited to allow for easy rule modification.
http://www.gentoo.org/projects/dynfw.html
Note: first time in the Tools Digest.
Fwanalog 0.2 - Balázs Bárány
Fwanalog is a shell script that parses and summarizes firewall logfiles. It understands logs from BSD ipf, Linux 2.2 IPchains and 2.4 IPtables. It uses the excellent log analysis program Analog (also free software) to create its reports. It does so by converting the firewall log into a fake web server log and calling Analog with a modified configuration.
http://tud.at/programm/fwanalog
Note: first time in the Tools Digest.
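Attackwatch (above) and Fwanalog both start from the same raw material: the key=value lines the Linux 2.4 iptables LOG target writes through the kernel log. The following added example, which is neither tool's code, shows the two halves in Python: a parser for those lines, an Fwanalog-style summary by source and destination port, and an Attackwatch-style trigger that runs a handler when one source probes several ports. The log lines, host name and the "gShield:" log prefix are constructed for the example; the handler is a callback so that blocking logic can be tested without root, where a deployment would call iptables.

```python
"""Parse Linux 2.4 iptables LOG lines, summarise them and react to scans.
Added example, not Attackwatch's or Fwanalog's code. The sample log
below is constructed."""
import re
from collections import Counter, defaultdict

# key=value pairs emitted by the netfilter LOG target ("IN=eth0 SRC=... DPT=22")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# syslog prefix: "Apr 25 10:00:01 host kernel: <log-prefix>IN=..."
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*?)(IN=.*)$")

SAMPLE_LOG = """\
Apr 25 10:00:01 gw kernel: gShield: IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 10:00:01 gw kernel: gShield: IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=4001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 10:00:02 gw kernel: gShield: IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=4002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 10:00:02 gw kernel: gShield: IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=4003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 10:00:03 gw kernel: gShield: IN=ppp0 OUT= MAC= SRC=10.9.9.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=53 DPT=1028 LEN=20
Apr 25 10:00:04 gw kernel: gShield: IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Apr 25 10:00:05 gw sshd[123]: Accepted password for root from 10.1.2.3
"""

def parse_line(line):
    """One LOG line -> dict of fields, or None for unrelated syslog noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prefix, rest = m.groups()
    rec = {"ts": ts, "host": host, "prefix": prefix.strip()}
    # flags without '=' (DF, SYN) are skipped; a repeated key such as the
    # ICMP "ID=" after the IP "ID=" keeps the later value
    rec.update(KV_RE.findall(rest))
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def summarise(records):
    """Fwanalog-style totals: hits per source and per protocol/port."""
    by_src = Counter(r["SRC"] for r in records)
    by_dport = Counter(f'{r["PROTO"]}/{r["DPT"]}' for r in records if "DPT" in r)
    return by_src, by_dport

def find_scanners(records, min_ports=3):
    """Sources that touched at least min_ports distinct TCP/UDP ports."""
    ports = defaultdict(set)
    for r in records:
        if "DPT" in r:
            ports[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def react(records, handler, min_ports=3):
    """Attackwatch-style response: call handler(src, ports) per scanner and
    return the sources acted on. A real handler would add a DROP rule."""
    hits = find_scanners(records, min_ports)
    for src, ports in hits.items():
        handler(src, ports)
    return sorted(hits)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_src, by_dport = summarise(recs)
    print("by source:", dict(by_src))
    print("by port:  ", dict(by_dport))
    react(recs, lambda s, p: print(f"would block {s} (ports {p})"))
```

Fwanalog feeds such records to Analog by rewriting them as fake web-server hits; the summary here is the equivalent without Analog. Note that the source addresses in these logs are unauthenticated: blocking on a single spoofed packet lets an attacker cut you off from any host he chooses, which is why the trigger counts distinct ports rather than reacting to the first hit.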
SILC 0.1 - Pekka Riikonen
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. The purpose of SILC is to provide secure conferencing services; strong cryptographic methods are used to secure all traffic.
http://silc.pspt.fi
Changes: first stable release of SILC. This version has functional server and router linking support.
Averist 1.4.0.0 - Devel: 1.5.0.0 - Henrik Edlund
Averist is a module that adds an authentication layer to any CGI application written in Perl. It supports initial authentication through CGI (form), and it can use CGI (hidden form fields) or cookies for re-authentication after a configurable timeout. It can also use an SQL database or DBM file for storing session tickets for increased security. The username and password check at the initial authentication can be done via a DBM file, an LDAP directory, NIS, an SQL database, or a passwd-style file. Averist is written in Perl for easy customization and expansion.
http://www.edlund.org/hacks/averist
Changes: this is the third stable release (identical to 1.3.1.1; Averist example script 1.2.0.0). The development version 1.5.0.0 is also identical to version 1.3.1.1; it is simply a new development tree.
Grsecurity 0.81b - Spender
Grsecurity consists of security patches based on code from hap-linux and Openwall which have been ported to the 2.4 kernel. It features a non-executable stack, /proc restrictions, chroot restrictions, linking and FIFO restrictions, exec and set*id logging, secure file descriptors, stealth networking enhancements, signal logging, failed fork logging, time change logging, and others. Read the help text while configuring the kernel for more information.
http://www.getrewted.net
Note: first time in the Tools Digest.
Scas 0.1 - Henning Koester
Scas is a PAM module allowing you to authenticate using smartcards.
http://crackinghacking.de/~henning/scas
Note: first time in the Tools Digest.
Crank 0.0.5 - Devel: 0.1.3 - Matthew Russell
Crank is a project to provide a GUI toolkit to facilitate (and where possible, automate) the breaking of classical (pen-and-paper) cryptosystems. Initial focus is on the cryptanalysis of mono-alphabetic substitution ciphers.
http://crank.sourceforge.net
Changes: new development version 0.1.3: transposition.grid-controls added. Steganalysis.word-gaps added (hidden cipher breaker). Cosmetic changes. Made the source pane editable, updating the view pane dynamically, and got rid of the old "edit source" option. Moved the hillclimb-cracker's progress bar onto the widget display. Description area in the plugin viewer. Plugins share variables by not using 'static'. New plugin->menu_string and menu items. Added an optional source pane to make the source/view idea more obvious.
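For readers who want to see what breaking a mono-alphabetic substitution cipher involves, here is an added example in Python; it is not Crank's code. It takes the classical route: rank the ciphertext letters by frequency to get a first key, then hill-climb by swapping pairs of key letters and keeping each swap that makes the candidate plaintext look more like English under a bigram model. The English reference text, the sample message and the key are constructed for the example; a longer reference corpus and random restarts would make the climber more reliable, since a greedy climb can stall in a local optimum.

```python
"""Frequency analysis plus hill climbing against a mono-alphabetic
substitution cipher. Added example, not Crank's code. The English
reference text and the sample message below are constructed."""
import math
import random
import string
from collections import Counter

ALPHA = string.ascii_uppercase
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"   # letters, most frequent first

REFERENCE = (   # constructed English text used to train the bigram model
    "It was a bright cold day in the middle of spring and the clocks were "
    "striking thirteen. The security team had spent the whole morning reading "
    "firewall logs and comparing notes about which of the servers had been "
    "patched and which had not. Every system that faces the network should be "
    "checked again before the end of the week, because the attackers who probed "
    "the mail server last night will certainly return, and the next time they "
    "will bring a better list of passwords. Keep the integrity database on read "
    "only media, watch the process table for anything the standard tools refuse "
    "to show, and never trust a default community string. Most of the work of "
    "an intrusion analyst is patient comparison of what is seen against what is "
    "expected, and most of the rest is writing it down so that the next person "
    "does not have to discover the same thing the hard way.")

SAMPLE = (      # constructed message to encrypt and recover
    "The test team found that the management service on the domain controller "
    "still answered to the default community string and handed over the full "
    "list of user accounts, shares and running processes. Change the string, "
    "filter the port at the firewall and verify the fix with the scanner before "
    "closing the ticket. Then check the other servers for the same mistake.")

def letters(text):
    """Keep A-Z only; spaces and punctuation would leak word structure."""
    return "".join(c for c in text.upper() if c in ALPHA)

def bigram_model(text):
    """Log-probability of each letter pair, add-one smoothed."""
    t = letters(text)
    counts = Counter(t[i:i + 2] for i in range(len(t) - 1))
    total = sum(counts.values()) + 26 * 26
    return {a + b: math.log((counts[a + b] + 1) / total) for a in ALPHA for b in ALPHA}

def score(text, model):
    """Higher means more English-like."""
    t = letters(text)
    return sum(model[t[i:i + 2]] for i in range(len(t) - 1))

def encrypt(plain, key):
    """key is a 26-letter permutation: plaintext ALPHA[i] is written as key[i]."""
    return letters(plain).translate(str.maketrans(ALPHA, key))

def decrypt(cipher, key):
    return letters(cipher).translate(str.maketrans(key, ALPHA))

def frequency_key(cipher, order=ENGLISH_ORDER):
    """First guess: the i-th most frequent ciphertext letter stands for order[i].
    Returned in encryption-key form so decrypt() can use it directly."""
    freq = Counter(letters(cipher))
    ranked = [c for c, _ in freq.most_common()] + [c for c in ALPHA if c not in freq]
    key = [""] * 26
    for cipher_letter, plain_letter in zip(ranked, order):
        key[ALPHA.index(plain_letter)] = cipher_letter
    return "".join(key)

def crack(cipher, model, rounds=3000, seed=0):
    """Hill climb from the frequency guess: swap two key letters and keep the
    swap only if the candidate plaintext scores better. Returns (key, plaintext, score)."""
    rng = random.Random(seed)
    key = list(frequency_key(cipher))
    best = score(decrypt(cipher, "".join(key)), model)
    for _ in range(rounds):
        i, j = rng.sample(range(26), 2)
        key[i], key[j] = key[j], key[i]
        s = score(decrypt(cipher, "".join(key)), model)
        if s > best:
            best = s
        else:
            key[i], key[j] = key[j], key[i]     # undo the swap
    k = "".join(key)
    return k, decrypt(cipher, k), best

if __name__ == "__main__":
    model = bigram_model(REFERENCE)
    cipher = encrypt(SAMPLE, "QWERTYUIOPASDFGHJKLZXCVBNM")   # constructed key
    key, plain, s = crack(cipher, model)
    print(key, round(s, 1))
    print(plain[:80])
```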
IRCR - John McLeod
IRCR is a collection of tools that gathers and/or analyzes forensic data on a Microsoft Windows system. You can think of this as a snapshot of the system in the past. It is similar to TCT by Dan Farmer and Wietse Venema, as most of the tools are oriented towards data collection rather than analysis. The idea of IRCR is that anyone could run the tool and send the output to a skilled Windows forensic security person for further analysis.
http://www.incident-response.org/IRCR.htm
Note: first time in the Tools Digest.
Athena-2k - Jacob Shaw
Athena-2k is a Windows 2000 SNMP auditing tool written in Perl, using the Net::SNMP module. It allows an administrator or security engineer to pull a large amount of information from a remote Windows 2000 host running the SNMP Service, given a known community string. Many people will be surprised at how much the SNMP Service shares with the world on a misconfigured (read: default) setup. Among the items one can retrieve from such a server are: server name and primary domain/workgroup; OS version; CPU type (and whether it is multiprocessor); SNMP contact and location information (if defined); system uptime and date/time; list of all user accounts; storage devices with volume label, device type and partition type; running processes and process IDs; installed applications and the date each was installed; list of services; list of network interfaces (description, HW address, interface speed, IP address, netmask, bytes in/out, status); list of all share names with file system location and comments; routing table; TCP connections and listening ports; UDP listening ports; etc.
http://www.sps.lane.edu/~jshaw
Note: first time in the Tools Digest.
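Snoopy.pl (in the auditing section above) and Athena-2k are both Perl scripts built on Net::SNMP. The following added example, not their code, shows what such a tool puts on the wire: an SNMPv1 GetRequest for sysDescr (OID 1.3.6.1.2.1.1.1.0) built by hand from BER primitives, a decoder for the GetResponse, and a Snoopy.pl-style probe that reports the system description when the community string is accepted. Two points worth knowing: community strings travel in clear text, so anyone sniffing the segment has them; and an SNMPv1 agent silently discards a request whose community is wrong, so a scanner sees a wrong string as a timeout, exactly like a filtered port. The community strings, the probed host and the Windows 2000 sysDescr text in the offline check are constructed.

```python
"""Minimal SNMPv1 GET in pure Python: build the BER-encoded request, decode
the response, probe a host with a community string. Added example; not
Snoopy.pl or Athena-2k (both use Net::SNMP). Hosts, community strings and
the sysDescr value used for the offline check are constructed."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"     # MIB-II system description

# --- BER encoding -----------------------------------------------------------
def ber_len(n):
    """Definite length: short form below 128, long form (0x80|k, k bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    n = (v.bit_length() + 8) // 8          # minimal two's-complement width
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_str(s):
    return tlv(0x04, s if isinstance(s, bytes) else s.encode())

def ber_oid(dotted):
    """First two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    ids = [int(x) for x in dotted.split(".")]
    out = [40 * ids[0] + ids[1]]
    for sub in ids[2:]:
        enc = [sub & 0x7F]
        while sub > 0x7F:
            sub >>= 7
            enc.insert(0, 0x80 | (sub & 0x7F))
        out += enc
    return tlv(0x06, bytes(out))

def get_request(community, oid, request_id=1):
    """SNMPv1 message: version 0, community, GetRequest PDU (tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # OID, NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + ber_str(community) + pdu)

def make_response(community, oid, value, request_id):
    """GetResponse (tag 0xA2) as an agent would send it; used for the offline check."""
    varbind = tlv(0x30, ber_oid(oid) + ber_str(value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + ber_str(community) + pdu)

# --- BER decoding -----------------------------------------------------------
def ber_read(buf, pos=0):
    """Return (tag, body, position after the element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def ber_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = ber_read(body, pos)
        out.append((tag, child))
    return out

def decode_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))

def parse_response(pkt):
    """Decode a GetResponse into (request_id, error_status, [(oid, value)])."""
    _, msg, _ = ber_read(pkt)
    _version, _community, pdu = ber_children(msg)
    if pdu[0] != 0xA2:
        raise ValueError("not a GetResponse PDU")
    rid, err, _idx, varbinds = ber_children(pdu[1])
    result = []
    for _, vb in ber_children(varbinds[1]):
        (_, oid), (vtag, val) = ber_children(vb)
        if vtag == 0x04:
            val = val.decode(errors="replace")
        elif vtag == 0x02:
            val = int.from_bytes(val, "big", signed=True)
        elif vtag == 0x06:
            val = decode_oid(val)
        result.append((decode_oid(oid), val))
    return (int.from_bytes(rid[1], "big", signed=True),
            int.from_bytes(err[1], "big", signed=True), result)

def probe(host, community, timeout=1.0, port=161):
    """Snoopy.pl-style check: sysDescr if the community is accepted, else None.
    SNMPv1 agents do not answer a wrong community, so a timeout is the signal."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(get_request(community, SYS_DESCR, 0x1234), (host, port))
        pkt, _ = s.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        s.close()
    rid, err, binds = parse_response(pkt)
    return binds[0][1] if rid == 0x1234 and err == 0 and binds else None

if __name__ == "__main__":
    for community in ("public", "private"):        # constructed defaults to try
        print(community, probe("192.0.2.10", community))   # constructed host
```

Athena-2k goes on from here with GetNext walks over the host-resources and LanManager MIB subtrees to pull accounts, shares and processes; the encoding is the same, only the PDU tag (0xA1 for GetNext) and the OIDs change. The fix on the target side is the one the description implies: change the community string, and filter UDP/161 so only the management station can reach it.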
Note: tools announced on forums are not necessarily updated, new or free; it is just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 25 April 2001