Weekly Security Tools Digest
2001/06/01 to 2001/06/07

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include MindTerm SSH, TCTUTILs and BIND.

Auditing and Intrusion Monitoring tools include SnortPlot, Nmap, SAINT, NEAT, NANS, Chkrootkit, PIKT, LIDS, Samhain and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, FloppyFw, IPfilter, PacketPlot and 2 other tools.

Tools for Linux/Unix/Cross Platform include Secure FTP, OpenCL and RSX.

Tools for Windows include AntiVir Personal Edition and Mailscanner for Postfix.


General Tools

MindTerm SSH 2.0

MindTerm is an implementation of a secure shell client in pure Java supporting both the ssh1 and the ssh2 protocols. MindTerm runs as a standalone application as well as an Applet. As an Applet, MindTerm has been tested with Netscape Communicator 4.7x and Microsoft Internet Explorer 5.x. As an application, MindTerm requires that a Java runtime environment (JRE) be installed and should work with any 1.1.x runtime on most platforms: Windows 95, 98, 98SE, ME, NT, 2000, Apple MacOS 7 or higher, Linux, Solaris SPARC and x86, HP-UX. MindTerm is free for personal use and for use in noncommercial settings.

Changes: release of MindTerm v2.0. MindTerm 2.0 features: 100% Java based, ability to run as an application and an Applet, support for SSH-1 and SSH-2 protocols, support for tunnels and port forwards, X11 forwarding, active tunnel display, integrated and full featured terminal emulator, ability to save passwords in encrypted files with a global password protecting all settings, ability to connect through HTTP & SOCKS proxies, support for keep-alive packets to keep the network connection open, integrated ftp proxy which allows the user to connect with a normal ftp client to an ftp server, integrated ftp to sftp proxy which allows the user to connect with a normal ftp client to an sftp enabled SSH-2 server, zlib compression, strict host key checking, supported ciphers: AES (128, 192, 256), Blowfish, Twofish, Cast, 3DES, Arcfour, key exchange support: Diffie-Hellman group-exchange protocol & Diffie-Hellman group1-sha1, key types: ssh-rsa & ssh-dss, ability to generate key pairs for DSA & RSA keys and supported macs: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96, hmac-ripemd160.

 

TCTUTILs 1.01
Brian Carrier
http://www.cerias.purdue.edu/homes/carrier/forensics

TCTUTILs is a collection of utilities that adds functionality to The Coroner's Toolkit (TCT). Features: list directory inode contents to view file, device, and directory names; this also allows deleted file names to be viewed, and on some platforms an entire recently deleted file can be easily recovered. Get Modified, Accessed, and Created time data on deleted files (not possible on all systems) and merge the data into the mactimes output from TCT. Find the names of files and directories that are using a given inode; on some systems, deleted file names will also be given. Find the inode that is using a given block; on some systems, the inode may not even be allocated. Display the contents of a given block in several formats. Display the details of an inode (including all block numbers). TCTUTILs requires TCT 1.06 (or greater) and runs under OpenBSD (tested on 2.8), Linux (tested on Debian 2.2) and Solaris (tested on 2.7).

Changes: this new version calculates the original block number from a block in an image created by the unrm utility in TCT. This version also includes several minor changes; refer to the changelog file for more information.

 

BIND 9.1.2
Internet Software Consortium
http://www.isc.org/products/BIND

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.

Changes: the latest version of BIND 8 is still 8.2.4. Version 9.1.2 is still the current BIND 9 release, but BIND 9.2.0a1 has been released as the first alpha of BIND 9.2.0. It includes a number of new features over 9.1.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

SnortPlot.pl is a Perl script that reworks Snort logs to graphically plot attack signatures in 3D.

Note: first time in the Tools Digest.

 

Nmap 2.53 - Devel: 2.54beta25
Fyodor
http://www.insecure.org/nmap

Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, and detection of down hosts via parallel pings.

Changes: new development version 2.54beta25. Bug fixes and portability improvements are included. Added a whole bunch of new OS fingerprints (and adjustments) ranging from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD 4.3, Cisco 12.2.1, MacOS X, etc) to some that are more obscure. Upgraded Libpcap to the latest version, and fixed some issues with the new Libpcap under Linux.

 

SAINT 3.1.7
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN. The latest versions of SAINT are now released only to SAINTwriter™ and SAINTexpress customers. The latest SAINT version is 3.3.1 (01/June/01). Some versions of SAINT are still released to all users.

Changes: version 3.1.7 has been released to all users (01/June/01). New vulnerability checks in this version: SNMP vulnerabilities in Cisco IOS and CatOS, Net.Commerce and WebSphere user enumeration and encryption vulnerabilities, PHP Nuke (base-64 encoded null character vulnerability), Interbase server backdoor account, MERCUR Mail Servers, CUPS print servers, new vulnerabilities in WFTP, post-query, anonymous FTP servers allowing directory traversal using ../ and new vulnerabilities in Icecast.

 

NetSaint Network Monitor 0.0.7 beta4
Ethan Galstad
http://www.netsaint.org

NEAT is a web administration interface for NetSaint written in Perl. Version 2.5 works for both the 0.0.4 and 0.0.5 releases of NetSaint, while version 4.5 works with NetSaint versions 0.0.6 and 0.0.7. NEAT allows you to add/edit/delete definitions in your host configuration file and restart NetSaint upon completion of the configuration changes. It does not require a database to store configuration data.

Changes: added even more checking for the VERIFY_COMMAND option, added commands.cfg to be a default config file in neat4.options and added a "Choose Type" item to the entity creation dropdown.

NANS is an add-on designed to aggregate notifications from NetSaint, thereby preventing floods of alerts in large installations. It is a drop-in replacement that doesn't require any changes to the existing NetSaint configuration other than telling it to use NANS instead of your current notification commands. It is configurable on a per-contact basis and allows for different levels of aggregation for epager vs. email notifications.

Note: first time in the Tools Digest.

 

Chkrootkit 0.33
Nelson Murilo
http://www.chkrootkit.org

Chkrootkit locally checks for signs of a rootkit. Includes detection of LKM rootkits, ifpromisc.c to check and see if the interface is in promisc mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD. The following commands are examined: amd, basename, biff, chfn, chsh, cron, date, dirname, du, echo, egrep, env, find, fingerd, gpm, grep, identd, ifconfig, inetd, killall, login, ls, mail, mingetty, named, netstat, passwd, pidof, pop2, pop3, ps, pstree, rlogin, rpcinfo, rshd, sendmail, slogin, sshd, su, syslogd, tar, tcpd, telnetd, timed, top, traceroute and write.

Changes: this version includes new tests (amd, named, egrep and slogin), ShitC Worm detection, Omega Worm detection, Wormkit Worm detection, dsc-rootkit detection, new ports added to the bindshell test (1524, 5665, 60001, 10008, 12321), a chklastlog bug fix and some other bug fixes.

 

PIKT - Problem Informant/Killer Tool 1.13.1
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: release of version 1.13.1 which fixes some security flaws in master-slave network communications.

 

LIDS 0.9.1 - Devel: 0.10.0 (2.2.19 kernel) / 1.0.9 (2.4.5 kernel)
Xie Hua Gang
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection "on" or "off" on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: new version 1.0.9 for 2.4.5 kernels. This version moves to kernel 2.4.5, fixes bugs in the CAP_INIT_KILL handling, makes the alert mail it sends compatible with qmail, restricts LIDS mode switching to specified terminals, and includes more code cleanup.

 

FreshMeat

Samhain 1.1.14
Rainer Wichmann
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.

Changes: fix an error in the setup consistency check, make target to uninstall runtime files, trustfile.c: check return code of readlink(), fix off-by-one error, sh_files.c: fix placement of terminator after readlink() call, sh_files.c: fix a missing set_suid()/unset_suid(), more debug statements in c/s code, avoid re-entry in sh_unix_sigexit, put a block around free() and malloc() in wrapper functions, ditto for glob()/globfree(), regcomp()/regfree(), fdopen()/fclose(), optimized the size of the configure script somewhat, modify the compile and hash test scripts, read '\0's in sh_unix_getline, exponential schedule for connection attempts, make stealth work properly with signed files, fix a race in using signed files, updated error messages for PWNULL, GRNULL, add missing shell script for test 11, add mandatory source file/line info with -p debug, add mandatory source line info with BADCONN and fix a LaTeX error in the manual.

 

Flawfinder 0.15
David Wheeler
http://www.dwheeler.com/flawfinder

Flawfinder can scan source code and identify potential security flaws, ranking them by likely severity. Flawfinder works on Unix-like systems (tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python to run.

Changes: several minor changes. Please refer to the changelog file for more information: http://www.dwheeler.com/flawfinder/ChangeLog

 

Nabou 1.8
Thomas Linden
http://www.nabou.org

Nabou is a Perl script which can be used to monitor changes to files and directories on your system using MD5 checksums. It can also watch crontabs, suid files, and user accounts for changes, and it stores all data in standard DBM databases. Nabou is highly configurable; you can exclude files from being checked, configure which file attributes it should look for, use custom checks, and much more.

Note: first time in the Tools Digest.

 

PacketStorm

StMichael_LKM 0.03
Tim Lawless
http://www.sourceforge.net/projects/stjude

StMichael is a Linux kernel module (LKM) that attempts to detect and divert attempts to install a kernel-module backdoor into a running Linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is an experimental version, and a spin-off from the Saint Jude Project.

Changes: added md5 checksums of the contents of system calls, and added cloaking to hide the presence of StMichael and its symbols. Since StMichael causes rootkits to not work as expected, we do not want to give away any useful debugging information.


Firewalls for UNIX/Linux/BSD & Cross-platform

GShield 2.6.6
R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: added configurable options for UDP responses, added nice version logic, bugfixes for routables/DMZ, folded in sections of contributed patch, added ICMP/traceroute options for routables/DMZ, added verbosity to routable startup, added toggle for QoS marking, added toggle for SNAT/MASQUERADE, added proper copyright and license file, cleaned up directories (added docs and tools subdir).

 

FloppyFw 1.0.11 (kernel 2.2.18), 1.1.3 (kernel 2.2.17), 1.9.4 (kernel 2.4.0)
Thomas Lundquist
http://www.zelow.no/floppyfw

FloppyFw is a static router using the firewall capabilities in Linux. Although it is called a firewall, it does not have all the functionality expected from a firewall of today. It is basically a screening router or packet-filtering firewall.

Changes: new version 1.9.4 for kernel 2.4.0. This new release includes support for kernel 2.4.5, IPtables 1.2.2, Busybox 0.52pre and tc/ip (iproute2) and rtmom (for traffic shaping, advanced routing, etc.).

 

IP Filter 3.4.18
Darren Reed
http://coombs.anu.edu.au/~avalon

IPfilter is a TCP/IP packet filter suitable for use in a firewall environment. To use, it can either be run as a loadable kernel module (recommended) or incorporated into your kernel. Scripts are provided to install and patch system files as required. IP Filter also supports transparent proxying via packet forwarding, including round-robin forwarding to achieve load-balanced proxy.

Changes: fix up parsing of "from ! host" where '!' is separate, disable hardware checksums for NetBSD, put ipftest temporary files in . rather than /tmp, modify FTP proxy to be more intelligent about moving between states and recognize new authentication commands, allow state/NAT table sizes to be externally influenced, print out host mapping table for NAT with ipnat -l, fix handling of hardware checksumming on Solaris, fix Makefiles for Solaris, update regression tests, fix surrender of SPLs for failure cases, include patches for OpenBSD's new timeout mechanism, default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it ICMP_UNREACH_FILTER, fix up handling of packets matching auth rules and interaction with state, add -q command line option to ipfstat on Solaris to list bound interfaces, add command line option to ipfstat/ipnat to select a different core image, fix handling success for packets matching the auth rule, add ICMP router discovery message size recognition, fix packet length calculation for IPv6 and set CPUDIR for the install-sunos5 make target.

 

PacketPlot.pl
Angelos Karageorgiou
http://www.unix.gr

PacketPlot.pl is a 3D plotting engine for IPchains logs. PacketPlot.pl requires Gnuplot.

Note: first time in the Tools Digest.

 

FreshMeat

EasyChains 0.9.4-3
Dejavo
http://dejavo.virtualave.net/djvlinux.html

EasyChains is a very easy-to-use GUI for the console firewall script. It makes it easy to create a custom firewall using the firewall generator, or you can add and remove custom rules from a numbered list. You can generate a monitor for the console and for X.

Changes: fixed the console monitor, fixed some wrong text in the XMonitor, fixed a little thing in the eggdrop monitor, fixed the hole script, fixed the chkfiles function, and added an option to create a script for updating your DNS host.

 

Sentry Firewall CD-ROM 1.0.5
Sentry Network Security
http://www.SentryFirewall.com

Sentry Firewall CD-ROM is a Linux-based bootable CD-ROM, suitable for use as an inexpensive and easy-to-maintain firewall or IDS (Intrusion Detection System) node. The system is designed to be immediately configurable for a variety of different operating environments via a configuration file located on a floppy disk or a local hard drive.

Note: first time in the Tools Digest.


Tools for UNIX/Linux/BSD & Cross-platform

Secure FTP 1.1b
Glub Tech, Inc.
http://www.glub.com/products/secureftp

Secure FTP is a client package that allows for a secure connection to be made to an FTP daemon. In this release, we support connecting via the Secure Sockets Layer, or SSL. Future releases may support other authentication mechanisms (e.g. Kerberos, one-time-passwords). This client is supported on Windows, MacOS X, and any Unix platform where a Java 2 (or Swing) runtime environment is present. It was written in 100% Pure Java and can act as either an application or an applet. The applet version will only run under Windows at this time, but we are looking into other solutions. Secure FTP is available in English, Japanese, Italian, French, and German.

Changes: fixed a bug related to modal dialogs hiding behind the application, fixed some MacOS X image icon issues and changed control key accelerators to use command on MacOS X.

 

FreshMeat

OpenCL 0.7.2
Jack Lloyd
http://opencl.sourceforge.net

OpenCL is a C++ cryptographic class library which aims for high portability and ease of use. It currently includes a wide selection of block and stream ciphers, hash functions, MACs, various utility functions and classes, and a high level filter interface.

Changes: build system supports modules; added modules for mlock, a /dev/random EntropySource, POSIX.1b timers, and bzip2; Makefile no longer needs GNU make (tested with 4.4BSD pmake and Solaris make); fixed a minor bug in several of the hash functions; various other minor fixes and changes, and updates to the documentation.

 

PacketStorm

RSX 0.20a
Paul Starzetz
http://www.ihaquer.com/software/rsx

RSX is a Linux LKM which stops most buffer overflow attacks. It is a Runtime addressSpace eXtender providing on-the-fly code remapping of existing Linux binaries in order to implement a non-executable stack as well as non-executable short/long heap areas. RSX targets common buffer-overflow problems by preventing code execution in mapped data-only areas. Currently a 2.4.x version of the kernel module is available.

Note: first time in the Tools Digest.


Tools for Windows

AntiVir Personal Edition 6.07.01.54
H+BEDV Datentechnik GmbH
http://www.free-av.com

AntiVir Personal Edition is anti-virus software that is completely free of charge for private and individual use. AntiVir Personal Edition is available in German and English and runs under Windows 9x/ME/NT and 2000.

Changes: no information about the changes.

 

SecurityFocus

Mailscanner for Postfix 0.0.4
Peter Turczak
http://www.securityfocus.com/tools/2069

This program is invoked from the .forward file of a user and scans incoming mail for .vbs, .exe, .com, .bat and similar attachments. If a message is clean, it is inserted into the user's qmail-style Maildir. Otherwise, it is bounced. Mailscanner for Postfix runs under Windows 95/98 and Windows NT.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updates, new, or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 07 June, 2001