David A. Curry, An Account Creation and Maintenance System for Distributed UNIX Systems
Abstract: ACMAINT (An Account Creation and Maintenance
System for Distributed UNIX Systems) is a network-based,
centralized database system used to manage account creation and
maintenance similar to NIS/YP.
Hobbit, L5
Abstract: L5 simply walks down Unix or DOS filesystems,
sort of like "ls -R" or "find" would, generating listings of
anything it finds there. It tells you everything it can about a
file's status, and adds on an MD5 hash of it. Its output is
rather "numeric", but it is a very simple format and is designed
to be post-treated by scripts that call L5.
Gary B. Edstrom, PGP
Abstract: PGP is a program that gives your electronic mail
something that it otherwise doesn't have: Privacy. It does this
by encrypting your mail so that nobody but the intended person
can read it. When encrypted, the message looks like a meaningless
jumble of random characters.
Texas A & M University, SRA - Secure RPC Authentication for TELNET and FTP
Abstract: This package provides drop-in replacements for the telnet and ftp client and server programs, which use Secure RPC code to provide encrypted authentication across the network, so that plaintext passwords are not sent. The clients and servers negotiate the availability of SRA, so they interoperate with unmodified versions. These programs require no external key server or ticket server, and work equally well for local or Internet-wide connections.
David K. Hess, Douglas Lee Schales, David R. Safford, Drawbridge 2.0
Keywords: ip filter, firewall, bridge
Abstract: Drawbridge is a copyrighted but freely
distributable bridging IP filter with a powerful syntax and good
performance. It uses a PC with either two Ethernet cards or two
FDDI cards to perform the filtering. It is composed of three
different tools: Filter, Filter Compiler and Filter Manager. This
distribution is version 2.0 which is a major overhaul of
Filter.
Texas A & M University, SPAR - Show Process Accounting Records
Abstract: 'spar' is used to select records from a UNIX process accounting file. It is usually faster than most 'lastcomm' implementations and significantly more flexible and powerful.
Kenneth Ingham, Watcher
Abstract: Watcher is a program to watch the system,
reporting only when it finds something amiss.
Timothy E Hoff, General purpose UNIX file wrapper
Keywords: file, wrapper, UNIX, authentication
Abstract: One of the issues faced by UNIX system
administrators is how to delegate routine functions such as
system backups without distributing root authorities to a large
group of staff and users. file-wrapper provides one approach to
addressing this administration challenge.
Paul Traina, access_list_examples
Abstract: A series of Perl scripts that allow one to quickly and easily configure ACL entries for firewall routers.
Mark Henderson, anlpasswd
Abstract: A modified version of Larry Wall's Perl password
program that (supposedly) does the intelligent thing in an NIS
environment, allows for gecos changes, and also checks a sorted
list of all the "bad passwords".
Carter Bullard, Chas DiFatta, Argus 1.5 network monitoring tool
Keywords: monitoring, network, argus
Abstract: Argus is a generic IP network transaction auditing tool. It runs as an application-level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity it encounters. Argus has been built and tested under SunOS 4.x, Solaris 2.3, and SGI IRIX 5.2; portability has been addressed principally by the use of libpcap-0.0.x. Argus enables a site to generate comprehensive network transaction audit logs with a high degree of data reduction and a high degree of semantic preservation, which has allowed the authors to perform extensive historical analysis of their network traffic. The package includes two example programs for analyzing the network transaction audit logs.
maf+@osu.edu, ARP monitor
Abstract: arpmon does a popen() to tcpdump and collects
data. It writes its pid by default to /home/arpmon/arpmon.pid,
and dumps its data to /home/arpmon/addrs. Doing a kill -HUP `cat
arpmon.pid` creates or updates the addrs file. A kill -QUIT `cat
arpmon.pid` updates the addrs file and instructs the arpmon
process to die. You can change these pathnames by editing
paths.pl. ipreport will write a formatted report of the addrs
files to stdout. Do an ipreport -h for the other options.
LBL Network Research Group, ARPWATCH 1.3
Abstract: This directory contains source code for arpwatch, a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a system-independent interface for user-level packet capture. Before building arpwatch, you must first retrieve and build libpcap, also from LBL, in: ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z.
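The core of both arpmon and arpwatch is the same bookkeeping: remember which ethernet address answered for each IP address and complain when the answer changes. The following is an added example of that logic, not code from either package; it parses constructed lines in the shape of `tcpdump -n arp` output (the exact format is an assumption and varies between tcpdump versions; arpwatch reads packets through libpcap instead) and emits the three event kinds arpwatch is known for: a new station, a changed ethernet address, and a "flip flop", where the binding bounces back to the address seen before it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `tcpdump -n arp` output (assumed format).
SAMPLE_TCPDUMP = """\
12:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
12:00:01.000200 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:05.000000 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:07, length 28
12:00:09.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:12.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:15.000000 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:07, length 28
"""

# Only replies carry an "is-at" binding; requests are ignored here.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


@dataclass
class Station:
    mac: str
    first_seen: str
    last_seen: str
    previous_mac: Optional[str] = None


class ArpMonitor:
    """Keep an ip -> ethernet table and raise arpwatch-style events on changes."""

    def __init__(self) -> None:
        self.db: Dict[str, Station] = {}
        self.events: List[Tuple[str, str, str, str]] = []

    def observe(self, ts: str, ip: str, mac: str) -> None:
        mac = mac.lower()
        st = self.db.get(ip)
        if st is None:
            self.db[ip] = Station(mac, ts, ts)
            self.events.append(("new station", ts, ip, mac))
            return
        st.last_seen = ts
        if mac == st.mac:
            return
        # A binding bouncing back to the address seen just before it is the
        # classic signature of a spoofer fighting the real host for the IP.
        kind = "flip flop" if mac == st.previous_mac else "changed ethernet address"
        self.events.append((kind, ts, ip, f"{st.mac} -> {mac}"))
        st.previous_mac, st.mac = st.mac, mac

    def feed(self, text: str) -> List[Tuple[str, str, str, str]]:
        """Consume tcpdump-style lines and return the accumulated event list."""
        for line in text.splitlines():
            m = REPLY_RE.match(line)
            if m:
                self.observe(m["ts"], m["ip"], m["mac"])
        return self.events


if __name__ == "__main__":
    for event in ArpMonitor().feed(SAMPLE_TCPDUMP):
        print("%-24s %s %s %s" % event)
```

On the sample, 10.0.0.1 is first learned, then answered for by a second address, then returns to the first one: one "changed ethernet address" followed by one "flip flop". A real deployment should persist the table (arpwatch keeps it in a file) so that a reboot does not turn every known host into a "new station".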
Abdelaziz Mounji, Advanced Security audit trail Analysis on uniX
Abstract: ASAX 1.0: Advanced Security audit trail Analysis on uniX 1.0. A package that allows you to analyse any form of audit trail by customising the format description of your trail. INTRODUCTION: Analyzing substantial amounts of data and extracting relevant information out of huge sequential files has always been a nightmare. And ... it will probably remain so, unless you use ASAX, FUNDP's Advanced Security audit trail Analyzer on uniX. Using highly sophisticated and powerful algorithms, ASAX tremendously simplifies the intelligent analysis of sequential files. Of course, the data should fit the analyzer. Therefore, ASAX has defined a normalized audit file format (NADF) with built-in flexibility to guarantee a simple and straightforward translation of any stream of native data into the normalized sequential files ASAX understands. But ASAX's real power is unleashed by deploying its embedded, easy-to-use rule-based language RUSSEL; this tailor-made analysis tool solves very intricate queries on any sequential data.
Vic Abell, Authentication Server Daemon
Abstract: Authd is an implementation of RFC 931, the
Authentication Server under BSD. RFC 931 provides the name of the
user owning a TCP connection. This helps network security: unless
TCP itself is compromised, it is impossible to forge mail or news
between computers supporting RFC 931. It also becomes much easier
to trace attackers than in the current, largely anonymous,
network. authd requires no changes to current code: every
connect() and accept() is authenticated automatically, with no
loss of efficiency.
Matt Bishop, RIACS Auditing Package
Abstract: This is the RIACS Auditing Package; really, a sophisticated file scanning system. It audits a file system for possible security or accounting problems: it scans the file system FILESYS and compares the results to the information in the master file LISTDIR/audit.lst.
University of California, bsd-tftp
Abstract: A hacked copy of the BSD 4.3-tahoe tftpd
program.
Diego Zamboni, New COPS Analysis and Report Program (ncarp)
Abstract: ncarp (New COPS Analysis and Report Program) is a data analysis tool that views and analyzes multiple COPS result files (important: the COPS result files must have been created with the -v flag; ncarp needs the extra information). It is based on the carp program included in the COPS package and produces essentially the same information, but apart from the table produced by carp, ncarp produces an individual report for each of the systems examined. Each report contains a detailed description of the problems found and information about correcting them.
Robert W. Baldwin, cbw.tar.Z
Abstract: The Code Breaker's Workbench - break crypt(1)
encrypted files.
Julian P. Assange, chalace
Abstract: "Chalace" is an intercept-proof password authentication system which can be used over normal communications channels. Chalace is very portable, being for the most part pure ANSI C. However, it will not run on a terminal or calculator alone: you must have secure access to a LOCAL machine in order to run the response client. In an ideal world everyone would be running something like Kerberos; however, Kerberos is not very portable or exportable, and runs only over TCP/IP-style connections. Chalace is useful under many circumstances and not at all useful under others. Useful for: connecting from a local (or considered secure) machine to a remote machine over a possibly insecure communications line, without giving any intercepting agents access to your account authentication information (password) and thus your account itself. Not useful for: protecting the data that is actually transferred from the remote machine, or connecting from a dumb terminal or the like where no computer is nearby to run the Chalace client.
Bob Vickers, checkXusers
Abstract: This script checks for people logged on to this
machine from insecure X servers. It is intended for systems
administrators to check up on whether users are exposing
themselves (and hence the system) to unacceptable risks. Like
many commands (e.g. finger(1)), it could potentially be used for
less honourable purposes; naturally I disapprove of this. It
should be run from an ordinary user account, not root (it should
work for root, but I haven't tried and it uses kill which is
pretty dangerous for a superuser). It assumes that the netstat
command is somewhere in the PATH.
Shabbir Safdar, chkacct v1.1
Abstract: chkacct was designed to complement tools like
COPS and Tiger. Instead of checking for configuration problems in
the entire system, it is designed to check the settings and
security of the current user's account. It then prints
explanatory messages to the user about how to fix the problems.
It may be preferable to have a security administrator ask problem
users to run chkacct rather than directly alter files in their
home directories.
DFN-CERT, chklastlog - check lastlog-file for deleted information
Abstract: chklastlog checks the file /var/adm/lastlog and the file /var/adm/wtmp for inconsistencies. The 'zap' utility deletes the last entry for a given username from the /var/adm/wtmp file and the user's entry in the lastlog file. If other (non-deleted) entries for that user remain in the wtmp file, this tool will detect the missing entry in the lastlog file.
Clyde Hoover, Password checking routine
Abstract: This is a password checking program that the author wrote after the infamous Internet Worm. It uses the password cracking algorithm the worm used in order to check the obviousness of a password.
DFN-CERT, chkwtmp: Check the file /var/adm/wtmp
Abstract: chkwtmp checks the file /var/adm/wtmp for entries that were overwritten with zeros. If such an entry is found, the entries before and after it are printed to indicate the time range within which the deletion was made.
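The two DFN-CERT checks above (chklastlog and chkwtmp) rest on one observation: a log cleaner that zeroes a wtmp record or blanks a lastlog slot leaves the surrounding records intact, so the file contradicts itself. The following is an added example implementing both checks, not the DFN-CERT code. The record layouts are assumptions in the shape of the classic 4.3BSD/SunOS 4 structs (wtmp: ut_line[8], ut_name[8], ut_host[16], ut_time; lastlog: ll_time, ll_line[8], ll_host[16], indexed by uid); the byte order is fixed to little-endian for the constructed sample, and on a real host the layout must be taken from the system's utmp.h and lastlog.h. The sample files and the user-to-uid map are constructed inline.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Assumed record layouts (check <utmp.h> and <lastlog.h> on the host being examined).
WTMP_FMT = "<8s8s16si"            # ut_line, ut_name, ut_host, ut_time
WTMP_LEN = struct.calcsize(WTMP_FMT)
LASTLOG_FMT = "<i8s16s"           # ll_time, ll_line, ll_host; one slot per uid
LASTLOG_LEN = struct.calcsize(LASTLOG_FMT)

WtmpRecord = Tuple[str, str, str, int]


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data: bytes) -> List[WtmpRecord]:
    """Decode fixed-size records; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % WTMP_LEN, WTMP_LEN):
        line, name, host, t = struct.unpack(WTMP_FMT, data[off:off + WTMP_LEN])
        records.append((_cstr(line), _cstr(name), _cstr(host), t))
    return records


def chkwtmp(data: bytes) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Find records overwritten with zeros and bracket each with the timestamps
    of the nearest intact records before and after it."""
    records = parse_wtmp(data)
    findings = []
    for i, rec in enumerate(records):
        if rec != ("", "", "", 0):
            continue
        before = next((r for r in reversed(records[:i]) if r[3]), None)
        after = next((r for r in records[i + 1:] if r[3]), None)
        findings.append((i, before[3] if before else None, after[3] if after else None))
    return findings


def chklastlog(wtmp: bytes, lastlog: bytes, uids: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Every user with a login left in wtmp must have a lastlog time at least as
    recent as that login; a zero or older slot means the last login was scrubbed."""
    last_login: Dict[str, int] = {}
    for _line, name, _host, t in parse_wtmp(wtmp):
        if name and t:                       # logout records carry an empty name
            last_login[name] = max(t, last_login.get(name, 0))
    suspicious = []
    for name, t in sorted(last_login.items()):
        off = uids[name] * LASTLOG_LEN
        ll_time = 0
        if off + LASTLOG_LEN <= len(lastlog):
            ll_time = struct.unpack(LASTLOG_FMT, lastlog[off:off + LASTLOG_LEN])[0]
        if ll_time < t:
            suspicious.append((name, t, ll_time))
    return suspicious


# Constructed sample data: three users, one zeroed wtmp record, bob's lastlog slot blanked.
def pack_wtmp(line: str, name: str, host: str, t: int) -> bytes:
    return struct.pack(WTMP_FMT, line.encode(), name.encode(), host.encode(), t)


def pack_lastlog(entries: Dict[int, Tuple[int, str, str]], max_uid: int) -> bytes:
    buf = bytearray(LASTLOG_LEN * (max_uid + 1))
    for uid, (t, line, host) in entries.items():
        struct.pack_into(LASTLOG_FMT, buf, uid * LASTLOG_LEN, t, line.encode(), host.encode())
    return bytes(buf)


UIDS = {"alice": 1001, "bob": 1002, "carol": 1003}
SAMPLE_WTMP = b"".join([
    pack_wtmp("ttyp0", "alice", "hostA", 1000),
    pack_wtmp("ttyp1", "bob", "hostB", 1100),
    bytes(WTMP_LEN),                       # record scrubbed with zeros
    pack_wtmp("ttyp0", "", "", 1200),      # alice logs out
    pack_wtmp("ttyp2", "carol", "hostC", 1300),
])
SAMPLE_LASTLOG = pack_lastlog({1001: (1000, "ttyp0", "hostA"), 1003: (1300, "ttyp2", "hostC")}, 1003)

if __name__ == "__main__":
    for idx, t0, t1 in chkwtmp(SAMPLE_WTMP):
        print(f"wtmp record {idx} zeroed; deletion happened between {t0} and {t1}")
    for name, t, ll in chklastlog(SAMPLE_WTMP, SAMPLE_LASTLOG, UIDS):
        print(f"{name}: wtmp shows login at {t} but lastlog says {ll}")
```

Both checks only see what the cleaner left behind: a tool that rewrites the whole file without holes, or that also rewinds the lastlog slot to the previous login, defeats them, which is why the real answer is to ship wtmp records to a host the intruder cannot reach.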
W.Z. Venema, chrootuid
Abstract: Chrootuid makes it easy to run a network service
at low privilege level and with restricted file system access. At
Eindhoven University they use this program to run the gopher and
www (world-wide web) network daemons in a minimal environment:
the daemons have access only to their own directory tree, and run
under a low-privileged userid. The arrangement greatly reduces
the impact of possible loopholes in daemon software.
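The arrangement chrootuid describes, confine first and then lower privilege, only works if the steps happen in the right order and the result is verified. The block below is an added example of that sequence in Python, not Venema's chrootuid; the command-line shape (newroot, user, command) mirrors the description above but is an assumption, and the chroot step is skipped when no root directory is given so the drop itself can be exercised without root.

```python
import os
import pwd
import sys
from typing import Optional, Tuple


def current_ids() -> Tuple[int, int]:
    return os.getuid(), os.getgid()


def privileges_dropped(uid: int, gid: int) -> bool:
    """Verify the drop instead of trusting it: all four ids must match, and a
    non-root target must be unable to get uid 0 back (a forgotten saved uid
    or a missing setgid would leave a way back)."""
    if (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) != (uid, uid, gid, gid):
        return False
    if uid == 0:
        return True
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def drop_privileges(uid: int, gid: int, root: Optional[str] = None) -> bool:
    """Confine, then lower privilege. chroot needs root, so it comes first;
    chdir('/') keeps the cwd from pointing outside the new root; supplementary
    groups and the gid go before the uid because once the uid is lowered we are
    no longer allowed to change them."""
    if root is not None:
        os.chroot(root)
        os.chdir("/")
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return privileges_dropped(uid, gid)


def main(argv) -> None:
    if len(argv) < 4:
        sys.exit(f"usage: {argv[0]} newroot newuser command [args...]")
    entry = pwd.getpwnam(argv[2])
    if not drop_privileges(entry.pw_uid, entry.pw_gid, argv[1]):
        sys.exit("privilege drop incomplete; refusing to exec")
    # Resolved inside the new root: the program and its libraries must exist there.
    os.execvp(argv[3], argv[3:])


if __name__ == "__main__":
    main(sys.argv)
```

The verification step matters more than it looks: setuid(2) on some older systems changed only the effective uid when called by a non-root process, and a daemon that can call setuid(0) again has not been confined at all.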
Brian Mitchell, clog - TCP SYN Scanner detector (A related WWW homepage exists for this item)
Keywords: TCP SYN, scanner, logging
Abstract: clog is a program that logs all connections on
your subnet. It uses the pcap(3) packet capture library to log
any SYN packets to a logfile. The output format is designed to be
very easily parsed by various text processing tools. The logfiles
have the following format:
Dan Farmer, cops
Abstract: COPS is a static security checking tool that checks common procedural (non-bug) problems of a Un*x system. It basically takes a snapshot of a system and then generates a report of its findings.
Steve Romig, Perl Cops
Abstract: This is a Perl version of Dan Farmer's version of Bob Baldwin's Kuang program (originally written as some shell scripts and C programs). Features include: passwd/group file entries are cached in an associative array for faster lookups, which is particularly helpful on insecure systems using YP, where password and group lookups are slow and you have to do a lot of them; the target (uid or gid) can be specified on the command line; the -l option generates a PAT for a goal; and the -f option preloads file owner, group and mode information, which speeds things up and avoids file system 'shadows'.
Carnegie Mellon University, cpm
Abstract: Check for network interfaces in promiscuous
mode.
Alec David Edward Muffett, crack
Abstract: Crack is a freely available program designed to find standard Unix eight-character DES-encrypted passwords by standard guessing techniques. It is written to be flexible, configurable and fast, and to be able to make use of several networked hosts via the Berkeley rsh program (or similar), where possible.
Alec David Edward Muffett, cracklib
Abstract: A Pro-Active Password Sanity Library. CrackLib is a library containing C functions which may be used in a "passwd"-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by "Crack" by filtering them out, at source. CrackLib is an offshoot of the version 5 "Crack" software, and contains a considerable number of ideas nicked from the new software.
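The relationship between Crack and CrackLib is that the checker undoes, at password-change time, the same mangling rules the cracker applies to dictionary words at guessing time. The block below is an added example of that idea, not CrackLib's code or its rule set: a tiny constructed word list stands in for the sorted dictionary, the minimum length and the digit-for-letter substitution table are assumptions, and the rejection messages are my own wording.

```python
from typing import Optional, Set

# Constructed stand-in for CrackLib's sorted dictionary (the real one is built from word lists).
WORDS: Set[str] = {"password", "secret", "welcome", "dragon", "letmein", "purdue", "wombat"}
MIN_LENGTH = 8                 # assumed site policy; the real library's minimum is configurable
# Assumed substitution table: the common digit/punctuation-for-letter swaps Crack tries.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
TRIM = "0123456789!@#$%^&*()_-+=.,"


def base_forms(pw: str) -> Set[str]:
    """Undo the mangles a cracker applies to a dictionary word: case changes,
    digits or punctuation added at either end, digit-for-letter substitutions,
    and reversal, in every combination."""
    low = pw.lower()
    forms = {low, low.strip(TRIM)}
    forms |= {f.translate(LEET) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def check_password(pw: str, username: str = "") -> Optional[str]:
    """Return the reason a candidate password would be rejected, or None if it passes."""
    if len(pw) < MIN_LENGTH:
        return "it is too short"
    if pw.isdigit():
        return "it is all digits"
    if len(set(pw.lower())) < 4:
        return "it does not contain enough different characters"
    user = username.lower()
    if user and (user in pw.lower() or user[::-1] in pw.lower()):
        return "it is based on your user name"
    if base_forms(pw) & WORDS:
        return "it is based on a dictionary word"
    return None


if __name__ == "__main__":
    for candidate, who in [("Dr4g0n!!", ""), ("drowssap1", ""), ("alice2024!", "alice"),
                           ("Correct-Horse-7", "")]:
        verdict = check_password(candidate, who)
        print(f"{candidate!r}: {'OK' if verdict is None else 'rejected because ' + verdict}")
```

"Dr4g0n!!" and "drowssap1" are rejected because, once the substitutions and the reversal are undone, they are "dragon" and "password"; the word list here is deliberately tiny, and the check is only as good as the dictionary behind it, which is why CrackLib ships with a large one.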
George Carrette, crashme
Abstract: The purpose of the crashme program is to cause instruction faults that would otherwise be only rarely seen in the normal operation of a system (where "normal" includes conditions of user programs with bugs in them, and executable code corruption due to memory, disk, and network problems).
Antti Louko, DES Package
Abstract: This program uses the DES algorithm to read and write en/decrypted data. If no file name is given on the command line, des uses standard input or output. The key string is transformed by a one-way function into an 8-byte key, which is then used by the algorithm. If no key is given on the command line, des asks for one with getpass(3). One flag makes des encrypt and another makes it decrypt. With a further flag des encrypts normally but doesn't produce any encrypted output; instead it prints an 8-byte cryptographic checksum of the input data.
Dana How, Descore
Abstract: Descore is a package containing just the core
DES functionality: specifying keys, encryption and decryption. It
is for those who want to implement such things as DES filters,
rather than UNIX password crackers.
Dave Barrett, deslogin
Abstract: THIS PACKAGE IS NOT AVAILABLE ON OUR ARCHIVE DUE TO ITAR RESTRICTIONS. SEE THE FILE /pub/tools/unix/deslogin/DESLOGIN.README for details. This package provides a network login service with more secure authentication than telnet or rlogin. Also, all data transmitted to and from the remote host is encrypted using DES. Thus, this package allows you to use a remote host across untrusted networks without fear of network snooping.
Steve Hotz, Paul Mockapetris, Dig
Abstract: Dig (domain information groper) is a flexible command line tool which can be used to gather information from Domain Name System servers. Dig has two modes: a simple interactive mode, which makes a single query, and batch mode, which executes a query for each of several query lines in a list. All query options are accessible from the command line.
der Mouse, Disable modload, modunload, modstat
Abstract: This tool was written in reply to the second
attack described in CERT advisory 95:01. -ChS When you want to
lock the door after all kosher modloads and kmem writes have
happened, attempt to open the device (for example, add "sh -c
'
David Barr, A DNS Debugger
Abstract: dnswalk is a DNS debugger. It performs zone
transfers of specified domains, and checks the database in
numerous ways for internal consistency, as well as accuracy.
dnswalk requires perl and dig. (Tested under perl-4.036, dig 2.0,
and the dig shipped with BIND 4.9.x) If you do not have these
tools, get them. (perl is assumed to be in /usr/local/bin, edit
the first line of dnswalk if it is not)
Steve Hotz, Paul Mockapetris, Domain Obscenity Control
Abstract: Doc (domain obscenity control) is a program which diagnoses misbehaving domains by sending queries off to the appropriate DNS nameservers and performing simple analysis on the responses. Doc is an automated tool for verifying (to an extent) that a domain is configured and functioning correctly. The only required parameter is the valid domain name of a domain. IMPORTANT: Doc requires version 2.0 of the DNS query tool `dig` (domain information groper).
Shawn F. Mckay, Dummy "su" program
Abstract: This program is intended to help an intruder who
does not know the system (many work from "cheat sheets") to trip
alarms so the rightful sysadmin folks can charge to the
rescue.
Eugene H. Spafford, dump_lastlog
Abstract: Under most versions of Unix, there is a
"lastlog" file that records the time, and sometimes the terminal,
of the last login for each user. This is then printed as part of
the next login as information. Some systems also include
information on the number of invalid attempts on the account
since the last valid login. This Perl program dumps the file for
SunOS/Solaris systems (it works on both). If your lastlog format
is different, then you simply modify this. You may also need to
adjust the path to the lastlog file.
Mike Shanzer, New more functional version of fingerd
Abstract: This is a new, more functional version of fingerd. What does this fingerd have to offer? Logging; access control lists, so you can restrict finger requests to certain hosts (and to certain users, if you trust identd); and a message-of-the-day file.
Kent Landfield, GATEWAY Access Utilities (gau)
Abstract: This package currently supports access to the
Internet through the use of a firewall system. All internal
systems are hidden behind a firewall (or gateway) from the
Internet. These utilities allow users from inside the network to
get to archives and services on the Internet without requiring
that they have an account on the gateway system.
Hobbit, Fix kits for sendmail, WU-ftpd, TCP Wrappers etc.
Abstract: Introduction to the "fix-kits" archive Here you
will find patches to various popular packages in common use
around the Internet, designed to increase security and
robustness. This was motivated by a desire to set up server
machines, plug them into the Internet, and have them be
reasonably secure on their own without hiding behind firewalls.
In some cases these servers would be part *of* a firewall system.
This quickly leads to the question of whether or not to trust
large complex daemons running in a privileged mode, and the only
answer was to rip into said daemons and try to verify their
operation for myself. Along the way several things were found
that could be changed or disabled to reduce the likelihood of
security holes.
SOS Corporation, Freestone
Keywords: firewall kit
Abstract: Freestone is a portable, fully-functional
firewall implementation. An enhanced, commercial version of it
(Brimstone) is used at several large customer sites. Using
Freestone source code, for example, FTP and Telnet proxies
extended with an access control list mechanism can be built. Note
however, that building and configuring the system requires deep
understanding and experience of Unix systems and security in
general.
Mike Schwartz, Fremont
Keywords: network, probe
Abstract: Fremont is a research prototype for discovering key network characteristics, such as hosts, gateways, and topology. It runs on SunOS, and has been tested on both Sun3 and Sun4 hardware, on SunOS 4.1.1. The ARPwatch and RIPwatch Explorer Modules use Sun's Network Interface Tap. This directory contains information, the latest version and patches.
Trusted Information Systems, fwtk
Abstract: A software kit for building and maintaining
internetwork Firewalls. It is distributed in source code form,
with all modules written in the C programming language and runs
on many BSD UNIX derived platforms.
Kenr, Hobgoblin
Abstract: Hobgoblin checks file system consistency against a description. Hobgoblin is a language and an interpreter. The language describes properties of a set of hierarchically organized files. The interpreter checks the description for conformity between the described and actual file properties. The description constitutes a model for this set of files. Consistency checking verifies that the real state of these files corresponds to the model, flagging any exceptions. Hobgoblin can verify conformity of system files on a large number of systems to a uniform model. Relying on this verification, system managers can deal with a small number of conceptual models of systems, instead of a large number of unique systems. Also, checking for conformity to an appropriate model can enhance system reliability and security by detecting incorrect access permissions or non-conforming program and configuration files.
Rick Jones, Tom Murray, hp-tcpdump (hp-ux capable tcpdump)
Abstract: This directory contains a version of the tcpdump
executable which should run under hp-ux 9.0(1) and hp-ux 9.0* and
10.0.
Peter Eriksson, ident
Abstract: The ident package contains the following: identify - a small program that can be used to log "ident" info in conjunction with the "inetd" daemon; idlookup - a small tool that can be used to look up the identifier associated with a particular TCP/IP connection if the remote site is running an Ident server; tcplist - makes a list of tcp connections to and from the local machine, displaying the user name associated with the local end, and making use of rfc931 services if available to determine the "user" at the other end; tcplocate - identifies the process(es) that have sockets that are either connected to a remote TCP port, or are bound to a given local TCP port.
Dave Goldsmith, ident-scan [v0.15]
Abstract: This TCP scanner has the additional functionality of retrieving the username that owns the daemon running on the specified port. It does this by attempting to connect to a TCP port, and if it succeeds, it will send out an ident request to identd on the remote host. I believe this to be a flaw in the design of the protocol, and if it is the developers' intent to allow 'reverse' idents, then it should have been stated more clearly in the RFC (RFC 1413). USES: It can be useful to determine who is running daemons on high ports that can be security risks. It can also be used to search for misconfigurations such as httpd running as root, or other daemons running under the wrong uids. COMPILES: Compiles fine under Linux, BSDI and SunOS 4.1.x. Archive Note: Compiles fine under Solaris 2.x.
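The authd, ident and ident-scan entries are three views of the same RFC 931/1413 exchange: a one-line query "server-port, client-port" and a one-line reply naming the owner of that socket. What ident-scan adds is the direction: after connecting to a service, it asks the target's own identd which user owns the server side of that connection. The block below is an added example of both halves, not code from any of the three packages; the constructed identd and the null service run on loopback ports chosen by the OS, the owner table is invented, and the wire format follows RFC 1413.

```python
import socket
import socketserver
import threading
from typing import Dict, Tuple


def ident_request(server_port: int, client_port: int) -> bytes:
    """RFC 1413 query line. The first port is the one on the host running identd,
    the second is the port on the host asking; the identd host's view, not ours."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_reply(line: bytes) -> Tuple[str, str]:
    """Return ("USERID", user) or ("ERROR", code); anything else is malformed."""
    fields = [f.strip() for f in line.decode("ascii", "replace").split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return "USERID", fields[3]           # fields[2] is the opsys/charset token
    if len(fields) == 3 and fields[1] == "ERROR":
        return "ERROR", fields[2]
    raise ValueError(f"malformed ident reply: {line!r}")


class FakeIdentd(socketserver.StreamRequestHandler):
    """Constructed identd for the demo: answers from a port -> owner table."""
    OWNERS: Dict[int, str] = {}

    def handle(self) -> None:
        line = self.rfile.readline(512)
        try:
            server_port, client_port = (int(p) for p in line.split(b","))
        except ValueError:
            self.wfile.write(b"0, 0 : ERROR : INVALID-PORT\r\n")
            return
        user = self.OWNERS.get(server_port)
        if user is None:
            reply = f"{server_port}, {client_port} : ERROR : NO-USER\r\n"
        else:
            reply = f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n"
        self.wfile.write(reply.encode("ascii"))


class NullService(socketserver.BaseRequestHandler):
    """Stands in for whatever daemon listens on the scanned port."""

    def handle(self) -> None:
        pass


def start_server(handler) -> Tuple[socketserver.TCPServer, int]:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def reverse_ident(host: str, service_port: int, ident_port: int = 113,
                  timeout: float = 5.0) -> Tuple[str, str]:
    """ident-scan's trick: open a connection to the service, then ask the same
    host's identd which user owns the server side of that connection."""
    with socket.create_connection((host, service_port), timeout) as svc:
        local_port = svc.getsockname()[1]
        with socket.create_connection((host, ident_port), timeout) as idc:
            idc.sendall(ident_request(service_port, local_port))
            reply = idc.makefile("rb").readline(512)
    return parse_ident_reply(reply)


if __name__ == "__main__":
    service, service_port = start_server(NullService)
    identd, identd_port = start_server(FakeIdentd)
    FakeIdentd.OWNERS[service_port] = "root"   # the misconfiguration ident-scan looks for
    print(service_port, reverse_ident("127.0.0.1", service_port, identd_port))
    service.shutdown()
    identd.shutdown()
```

The reply is whatever the remote identd chooses to say, which is the caveat behind authd's "impossible to forge" claim: ident answers are useful for auditing hosts you administer and for logging, not as an authentication factor, and an identd that answers for every socket is also an information leak about which daemons run as root.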
David A. Curry, ifstatus
Abstract: This program can be run on a UNIX system to check the network interfaces for any that are in debug or promiscuous mode. This may be the sign of an intruder performing network monitoring to steal passwords and the like (see CERT Advisory CA-94:01).
Darren Reed, IP packet filter for SunOs
Abstract: If you have a multihomed Sun server/workstation (2 or more ethernet interfaces) which performs routing and wonder how you are meant to stop the problem of IP headers being forged with no router to help you, then this package will allow you to set up packet filters for each interface, much like those which can be set up in Ciscos and others. Packets going in or out can be filtered. They can just be logged, blocked or passed. You can filter on any combination of TCP flags, the various ICMP types as well as the standard variations on IP
Darren Reed, IP Filter (A related WWW homepage exists for this item)
Keywords: Firewalls, IP filtering
Abstract: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.
Darren Reed, Julian Assange, IP Filter (A related WWW homepage exists for this item)
Keywords: IP filter, tcp/ip, packet filter, firewall
Abstract: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.
Gerhard Fuernkranz, ipacl
Abstract: SYSV.4 streams module that implements packet
filtering within the kernel. Written by Gerhard Fuernkranz
(fuer@siemens.co.at).
Danny Boulet, ipfirewall (A related WWW homepage exists for this item)
Keywords: packet filter, firewall
Abstract: ipfirewall is an IP packet filtering tool which
is similar to the packet filtering facilities provided by most
commercial routers. Once the facility has been installed on a
host computer, the system administrator defines a set of blocking
filters and a set of forwarding filters. The blocking filters
determine which packets are to be accepted by the host. The
forwarding filters determine which packets are to be forwarded by
the host.
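The packet filters listed here (Drawbridge, Darren Reed's SunOS filter and IP Filter, ipacl, ipfirewall) share one evaluation model: per-interface, per-direction rules matched in order against addresses, protocol, port and TCP flags, with a log, block or pass action. The block below is an added example of that model in plain Python, not any of those packages' code or rule syntax; the rule and packet shapes are my own assumptions, and the sample policy (drop packets that claim an internal source but arrive on the outside interface, admit only SMTP SYNs to the mail host, admit ACK-bearing replies, deny everything else) is constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out", relative to the filtering host
    iface: str
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: str = ""            # TCP flag letters, e.g. "S" or "SA"


@dataclass(frozen=True)
class Rule:
    action: str                # "pass", "block", or "log" (log matches and keeps going)
    direction: str
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    syn_only: bool = False     # only connection-opening segments (S set, A clear)
    ack_set: bool = False      # only segments of an already-open connection


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface not in ("*", pkt.iface) or rule.proto not in ("*", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.syn_only and not ("S" in pkt.flags and "A" not in pkt.flags):
        return False
    if rule.ack_set and "A" not in pkt.flags:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, List[Rule]]:
    """First matching pass/block rule decides; log rules record the hit and fall
    through; a packet no rule claims gets the default, and the safe default is block."""
    logged: List[Rule] = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "log":
            logged.append(rule)
            continue
        return rule.action, logged
    return default, logged


INTERNAL = "10.0.0.0/8"
RULES = [
    # Anti-spoofing: our own addresses never legitimately arrive on the outside interface.
    Rule("log", "in", iface="le0", src=INTERNAL),
    Rule("block", "in", iface="le0", src=INTERNAL),
    # Outsiders may open SMTP to the mail host and nothing else.
    Rule("pass", "in", iface="le0", proto="tcp", dst="10.1.1.25/32", dport=25, syn_only=True),
    # Replies to connections opened from inside.
    Rule("pass", "in", iface="le0", proto="tcp", ack_set=True),
    Rule("pass", "out", iface="le0"),
]

if __name__ == "__main__":
    for pkt in [Packet("in", "le0", "tcp", "10.2.3.4", "10.1.1.25", 25, "S"),
                Packet("in", "le0", "tcp", "192.0.2.7", "10.1.1.25", 25, "S"),
                Packet("in", "le0", "tcp", "192.0.2.7", "10.1.1.25", 23, "S")]:
        action, logged = evaluate(RULES, pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {pkt.flags}: {action}, {len(logged)} log hit(s)")
```

The "ack_set" rule is how filters of this generation approximated "established": it is cheap and stateless, and it is also why an attacker can probe behind such a filter with segments that carry only ACK. Stateful filters, which IP Filter later grew into, keep a table of connections they have seen open instead.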
Darren Reed, IP Send -- A program to send nasty IP packets
Keywords: ip
Abstract: iptest basically does lots of nasty things, including attempting to send huge packets, etc. It does so using NIT/BPF and DLPI. Only tested on Solaris, BSD and Linux.
Christopher William Klaus, Internet Security Scanner (A related WWW homepage exists for this item)
Keywords: scanner, vulnerabilities, internet security
Abstract: Internet Security Scanner (ISS) is one of the
first multi-level security scanners available to the public. It
was designed to be flexible and easily portable to many unix
platforms and do its job in a reasonable amount of time. It
provides information to the administrator that will fix obvious
security misconfigurations. ISS does a multi-level scan of
security, not just searching for one weakness in the system. To
provide this to the public or at least to the security conscious
crowd may cause people to think that it is too dangerous for the
public, but many of the (cr/h)ackers are already aware of these
security holes and know how to exploit them.
Barry Jaspan, kerberos
Abstract: Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptographic systems such as DES.
Doug Hughes, Klaxon
Abstract: Here's a modification of rexec source that I
call klaxon. It is extremely useful for detecting portscanner
attacks like those perpetrated by ISS and SATAN, among others. It
also has optional IDENT (RFC931) support for finding out the
remote user (where applicable).
Eric Young, libdes, Version 3.00 93/10/07
Abstract: This kit builds a DES encryption library and a DES encryption program. It supports ecb, cbc, ofb, cfb, triple ecb, triple cbc and MIT's pcbc encryption modes and also has a fast implementation of crypt(3). It contains support routines to read keys from a terminal, generate a random key, generate a key from an arbitrary length string, and read/write encrypted data from/to a file descriptor. The implementation was written so as to conform with the manual entry for the des_crypt(3) library routines from MIT's Project Athena.
Craig H. Rowland, Logcheck (A related WWW homepage exists for this item)
Keywords: audit, intrusion
Abstract: A software package for UNIX that automates log file auditing for unusual activity and security violations. This package works very well with the Firewall Tool Kit from TIS, as well as on stand-alone systems running the TCP wrapper and similar utilities. This package is essentially a clone of the "frequentcheck.sh" scripts from the TIS Gauntlet system, but has been _completely_ re-written and implemented in a slightly different manner to make it more generic for systems not running FWTK.
Wietse Venema, logdaemon
Abstract: This archive contains the result of years of
gradual transformations on BSD source. (1) rsh and rlogin daemons
that log the remote user name and perform logging and access
control in tcp/ip daemon wrapper style. (2) ftpd, rexecd and
login software with fascist login failure logging and with
support for optional S/Key one-time passwords.
mark@blackplague.gmu.edu, loginlog.c.Z
Abstract: A small program that tails the wtmp file and
reports all logins to the syslogd. Written by Mark
mark@blackplague.gmu.edu.
Vic Abell, lsof
Abstract: Lsof version 3 lists open files for running UNIX
processes. It is a descendent of ofiles, fstat, lsof version 1,
and lsof version 2.
lucre, -lucre
Keywords: ecash, C library
Abstract: This is version 0.8.1 of -lucre (we pronounce it ``dash lucre''; you can pronounce it however you like), the Unofficial Cypherpunks Release of Ecash (or ``Coderpunks'', if you want). As the ``-l'' indicates, this is a C library that implements the protocols of DigiCash's ecash (version 1.8.5, the kind used by Mark Twain Bank, not EUnet). This is an ALPHA release; that is, future releases may not even adhere to the same API. This library was developed for, and is provided for, research purposes; adjust your expectations of support accordingly. As far as we know, -lucre will only work on Unix-style machines; it is unlikely that we will release a Windows or Mac version.
Jim Ellis, md5
Abstract: MD5 - New Message Digest Algorithm is a new
message-digest algorithm.
The Regents of the University of California, md5check
Abstract: Check to see if existing binary files match
their appropriate cryptographic signatures.
Zygo Blaxell, LRU /tmp garbage collector (A related WWW homepage exists for this item)
Keywords: LRU, garbage collector, daemon
Abstract: This script is designed to maintain a particular
amount of free disk space on a partition by deleting files in a
directory structure. For example, if you wanted to always have 3
free space in /tmp, use: filereaper 3 /tmp
Scott Leadley, Make shadow password file
Abstract: Script to set up shadow password files on Sun
systems.
mudge@l0pht.com, MONKEY - MONitor s/keys
Keywords: s/key, skey, cracker, l0pht
Abstract: MONKEY is a program that works similarly in nature to Alec Muffett's Crack. In essence it takes the md4 value, in either hex or English words, and compares it against a dictionary. Once the secret password is known, one-time password schemes based on it are useless, as the appropriate response can be generated from the current challenge.
Casper Dik, Enhanced mountd for Solaris 2.3
Abstract: This mountd for Solaris 2.3 does reserved port
checking. As an added feature it also logs denied mount
requests.
Matt Bishop, msystem.tar.Z
Abstract: The file msystem.c contains a version of
system(3), popen(3), and pclose(3) that provide considerably more
security than the standard C functions. They are named msystem,
mpopen, and mpclose, respectively. While the author does not
guarantee them to be PERFECTLY secure, they do constrain the
environment of the child quite tightly, tightly enough to close
the obvious holes.
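The holes msystem closes are the ones every system(3)/popen(3) caller inherits: the command string is parsed by a shell, and the child inherits the caller's environment (PATH, IFS) and open descriptors. The block below is an added example in Python of the unsafe pattern beside a hardened replacement; it is not Bishop's msystem.c, and the contents of the scrubbed environment are an assumption to be adjusted per site.

```python
import os
import subprocess
from typing import List

# Environment handed to every child: a fixed PATH and a sane IFS, nothing inherited
# from the caller (assumed values; pick what your site's daemons actually need).
SAFE_ENV = {"PATH": "/usr/bin:/bin", "IFS": " \t\n", "HOME": "/", "SHELL": "/bin/sh"}


def unsafe_system(cmd: str) -> str:
    """The system(3) hazard: /bin/sh parses the string, so metacharacters in
    attacker-influenced input become extra commands. Kept only as the 'before'."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_run(argv: List[str], timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Execute an argument vector directly: no shell, a scrubbed environment,
    no inherited descriptors beyond the standard three, stdin from /dev/null,
    and a restrictive umask applied in the child before exec."""
    if not argv or any("\0" in arg for arg in argv):
        raise ValueError("argv must be a non-empty list of NUL-free strings")
    return subprocess.run(
        argv,
        shell=False,
        env=SAFE_ENV,
        close_fds=True,
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=timeout,
        preexec_fn=lambda: os.umask(0o077),
    )


def child_sees(var_name: str) -> bool:
    """Set var_name in our own environment, then ask a child started through
    safe_run whether it can see it; False means the scrubbing worked."""
    os.environ[var_name] = "leaked"
    out = safe_run(["sh", "-c", f'printf "%s" "${{{var_name}:-unset}}"']).stdout
    return out == "leaked"


if __name__ == "__main__":
    print(unsafe_system("echo hello; echo INJECTED"), end="")
    print(safe_run(["echo", "hello; echo INJECTED"]).stdout, end="")
    print("child sees LEAKY_VAR:", child_sees("LEAKY_VAR"))
```

With the shell out of the picture the injected "; echo INJECTED" is just part of one argument, and the child's environment is exactly SAFE_ENV, so a caller-controlled IFS or PATH cannot redirect which program runs.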
Hobbit, Netcat software
Keywords: network, tool, debugging, exploration
Abstract: Netcat is a simple Unix utility which reads and
writes data across network connections, using TCP or UDP
protocol. It is designed to be a reliable "back-end" tool that
can be used directly or easily driven by other programs and
scripts. At the same time, it is a feature-rich network debugging
and exploration tool, since it can create almost any kind of
connection you would need and has several interesting built-in
capabilities. Perhaps some equivalent to netcat, or "nc" as I
prefer to name the actual program, should have been written and
distributed ten years earlier as another one of those cryptic but
fundamental Unix tools that we all use daily without even
thinking about it.
Texas A & M University, netlog
Abstract: An advanced network sniffer system to monitor
your networks. These programs are a part of the network security
system used by Texas A&M University. It can be used for
locating suspicious network traffic. The following programs are
included:
- tcplogger - Log all TCP connections on a subnet
- udplogger - Log all UDP sessions on a subnet
- extract - Process log files created by tcplogger or udplogger
- netwatch - Realtime network monitor
All three programs require an ANSI C compiler. Tcplogger and
udplogger use the SunOS 4.x Network Interface Tap (nit).
Laurent Demailly, Icmpinfo
Abstract: icmpinfo is a tool for looking at the icmp
messages received on the running host. The source code is written
by Laurent Demailly, and comes from a heavily modified BSD ping
source; it comes AS IS - no warranty, etc...
Mike Schulze, Craig Farrell, Network monitoring and visualisation tools
Abstract: A set of tools which may be used to monitor and
"display" network communications. Two of the tools provide a
real-time picture of network communications, while the other
provides retrospective packet analysis. The tools:
- Etherman is an X11 based tool which displays a representation
  of real-time Ethernet communications.
- Interman focusses on IP connectivity within a single segment.
- Packetman is a retrospective Ethernet packet analyser.
- Loadman is a network load monitor which utilises the loadring
  algorithm developed by Jeff Mogul at DEC Western Research Labs.
- Geotraceman is a Visual Traceroute tool which builds on
  traceroute developed by Van Jacobson at Lawrence Berkeley Labs.
- Analyser is a network segmentation tool which recommends LAN
  partitioning configurations and visualises them.
Vikas Aggarwal, Network Operation Center On-Line (NOCOL)
Abstract: NOCOL (Network Operation Center On-Line) is a
network monitoring package that runs on Unix platforms. It can
monitor various network variables such as ICMP or RPC
reachability, nameservers, ethernet load, port reachability, host
performance, SNMP traps, modem line usage, appletalk & novell
routes and services, BGP peers, etc. The software is extensible
and new monitors can be added easily.
Leendert van Doorn, Test hosts for well known NFS problems/bugs
Abstract: Test hosts for well known NFS problems/bugs.
Among these tests are: find world wide exportable file systems,
determine whether the export list really works, determine whether
we can mount file systems through the portmapper, try to guess
file handles, exercise the mknod bug, and the uid masking
bug.
David A. Curry, Jeff Mogul, nfswatch
Abstract: It lets you monitor NFS requests to any given
machine, or the entire local network. It mostly monitors NFS
client traffic (NFS requests); it also monitors the NFS reply
traffic from a server in order to measure the response ti
Michele D. Crabb, noshell
Abstract: This program is designed to provide the system
administrator with additional information about who is logging
into disabled accounts. Traditionally, accounts have been
disabled by changing the shell field of the password entry to
"/bin/sync" or some other benign program. Noshell provides an
informative alternative to this method by specifying the noshell
program as the login shell in the password entry for any account
which has been disabled.
David Koblas, Op
Abstract: Op is a tool designed to allow customizable
super user access. You can do everything from emulating giving a
super user shell for nothing to only allowing one or two users
access via login names, or special passwords that are neither
root, nor their own. Plus, as an added bonus, for those commands
that you would like users to be able to use, but need to place
restrictions on the arguments, you can configure that as well.
(i.e. if you want your users to be able to mount NFS file
systems).
Mike Neuman, osh
Abstract: The Operator Shell (Osh) is a setuid root,
security enhanced, restricted shell for providing fine-grain
distribution of system privileges for a wide range of usages and
requirements.
Anders Ellefsrud, passwdd
Abstract: This package consists of two parts. One server
based passwd/chsh/chfn replacement, and a server based /etc/group
editor which gives each and every user the ability to privately
manage one group on his own.
Clyde Hoover, npasswd
Abstract: Npasswd is a pretty-much-plug-compatible
replacement for passwd(1). This version incorporates a password
checking system that disallows simple-minded passwords.
mouse@collatz.mcrcim.mcgill.edu, Generate (pseudo)random TCP sequence numbers
Abstract: Here's something I concocted for sun4c machines
under SunOS 4.1.2; I believe it should work for any 4.1.x system,
possibly with minor tweaks. It treats tcp_iss as a CRC
accumulator into which it hashes every IP output packet. This is
perhaps not as strong as it might be, but it's a hell of a lot
better than what we used to have, and if the machine is at all
busy on the network the attacker faces essentially random
sequence numbers. (Perhaps I should also call uniqtime and hash
that in too.) It does cost some cpu cycles for each output
packet, it's true. Nobody has to run it. This is designed to be
dropped into some two-level directory under /sys. I use
/sys/local/OBJ; you can move it anywhere you like by changing the
path in the Makefile that fetches ip_output out of the OBJ
directory. You will need to do this anyway if you're building for
other than sun4c kernel architecture.
deraadt@cpsc.ucalgary.ca, Permissions
Abstract: In a basic BSD environment only three utilities
let people onto a machine: login, rshd, and ftpd. These three
programs are modified to check a YP map called 'permissions'
which determines whether a person is allowed to login. Control
over login is given based on four parameters: hostname, ttyname,
login, and groups.
Ray W. Hiltbrand, Doug Hughes, Paul Danckaert, Pierre Beyssac, phf prober perl script (A related WWW homepage exists for this item)
Keywords: phf, cgi
Abstract: phf perl script is used to try to find out as
much information from the person calling the script as possible.
The only reason for using phf on the system is to exploit a bug
to execute commands.
Wietse Venema, Portmap v3 (A related WWW homepage exists for this item)
Keywords: portmapper, tcp wrapper, SunOs, access control,
logging
Abstract: This is the 3rd enhanced portmapper release. The
code compiles fine with SunOS 4.1.x, Ultrix 4.x and ESIX System V
release 4.0, but it will work with many other UNIX flavours.
Tested with SunOS 4.1.1; an earlier version was also tested with
Ultrix 3.0. SysV.4 uses a different program than the portmapper,
however; rpcbind is the name, and it can do much more than the
old portmapper. This is a portmapper replacement with access
control in the style of the tcp wrapper (log_tcp) package. It
provides a simple mechanism to discourage access to the NIS (YP),
NFS, and other services registered with the portmapper. In some
cases, better or equivalent alternatives are available: The SunOS
portmap that is provided with patch id 100482-02 should close the
same security holes. In addition, it provides NIS daemons with
their own access control lists. This is better than just
portmapper access control. The "securelib" shared library
(eecs.nwu.edu:/pub/securelib.tar) implements access control for
all kinds of (RPC) services, not just the portmapper. Reportedly,
Irix 4.0.x already has a secured portmapper. However, many
vendors still ship portmap implementations that allow anyone to
read or modify its tables and that will happily forward any
request so that it appears to come from the local system.
Michael Shields, Portable, secure, public domain passphrase generator
Keywords: passphrase, generator, password
Abstract: ppgen generates passphrases using strings of
words, long enough to have an arbitrary level of entropy. It can
use any dictionary and the best available source of randomness,
including PGP's cryptographic RNG if you have version 2.6.2. It
is written in portable C, and it is fairly fast.
H. Morrow Long, TCP port probing program
Abstract: A TCP port probing program. It is fairly
self-explanatory. It is known to work on Unix workstations but
the C code should be fairly portable.
Don Libes, pwdiff
Abstract: Pwdiff takes multiple password files and
compares them in an intelligent way. For instance, it will report
on different names with the same uid, but let pass the same name
with the same uid.
Livingston Enterprises Inc., Remote Authentication Dial In User Service (A related WWW homepage exists for this item)
Keywords: authentication, UNIX tool, remote network
access, dial in
Abstract: Every time a modem is added to a computer or
communications server on a corporate network, that network
becomes more vulnerable to security breaches. Network
Administrators are left with few tools to guard against
break-ins. State of the art security systems generally require
special hardware or are only compatible with a small number of
products. This problem is multiplied several times in large
networks with many points of access.
Michele D. Crabb, Raudit
Abstract: raudit is a Perl script which audits each user's
.rhosts file and reports on various findings. Without arguments
raudit will report on the total number of rhosts entries, the
total number of non-operations entries (entries for which the
host is listed in the /etc/hosts.equiv file), and the total number
of remote entries (entries for which the host is a non-NAS host).
raudit will also report on any entries which may be illegal. An
entry is considered illegal if the username does not match the
username from the password file or if the entry contains a "+" or
a "-". Raudit is normally run on a weekly basis via a cron job
which runs rhosts.audit. The output is mailed to the NAS security
analyst(s).
James Seng, Logging fingerd in PERL
Keywords: fingerd, logging, rfc931
Abstract: This finger daemon is written in perl to do
additional logging into a file called /var/log/trap/fingerd. It
contains additional information like who is at the other end of
the connection (via rfc931: read authuser), who he/she fingers
and any other information which is sent through the finger port.
It is programmed to deny chain fingering, and to stop immediately
if it detects special symbols like "|<>..." in the input
stream. It can be easily modified to filter out information, deny
fingering of certain persons, deny fingering from certain hosts,
filter finger information etc. without the trouble of
recompilation since it is written in perl.
Sun Microsystems, rpc.pcnfsd
Abstract: New RPC PC NFS daemon.
Wietse Venema, Rpcbind
Abstract: This is an rpcbind replacement with access
control in the style of the tcp/ip daemon wrapper (log_tcp)
package. It provides a simple mechanism to discourage remote
access to the NIS (YP), NFS, and other rpc services. It has the
following features:
- host access control on IP addresses. The local host is
  considered authorized. Host access control requires the
  libwrap.a library that comes with recent tcp/ip daemon wrapper
  (log_tcp) implementations.
- requests that are forwarded by the rpcbind process will be
  forwarded through an unprivileged port.
- the rpcbind process refuses to forward requests to rpc daemons
  that do (or should) verify the origin of the request: at
  present, the list includes most of the calls to the NFS
  mountd/nfsd daemons and the NIS daemons.
Mark Riordan, Rabin Privacy Enhanced Mail (RPEM)
Abstract: This distribution makes available a (nearly)
public-domain public key encryption system. Included are
functions implementing the algorithm, functions implementing
related capabilities (including a DES implementation for
recipients in the USA), and a program, rpem, that implements a
simple Privacy Enhanced Mail system. The principal applications
provided are:
- rpem - program to encrypt a file into an encapsulated, printable
  form suitable for inclusion into a mail message. The program is
  somewhat compatible with RFC 1113. (I couldn't make it
  completely compatible because I am not using RSA or RSA-style
  certificates.)
- makerkey - program to create public keys (both public and
  private components) for use with rpem.
There are also some miscellaneous applications thrown in for your
interest.
Wietse Venema, Eindhoven University of Technology, fake-rshd
Abstract: Echo the specified arguments to the remote
system after satisfying a minimal subset of the rshd protocol.
Works with the TCP Wrapper to send an arbitrary message back to
someone trying to make an rsh/rlogin connection.
Lionel Cons, Rsucker
Abstract: A perl script that acts as a fake r* daemon and
logs the attempt to syslog. Byte sucker for r* commands.
CIAC, Courtney (A related WWW homepage exists for this item)
Keywords: SATAN, Courtney, Network Scanning
Abstract: Courtney
Unknown, screend
Abstract: Internet (IP) gateway screening daemon that is
used in conjunction with the gateway screen facility to decide
which IP packets should be forwarded, when the system is acting
as an IP gateway.
David Safford, Secure_Sun - Check/Fix Fourteen Common Sun Security Holes
Abstract: This program checks for 14 common SunOS
configuration security loopholes. It has been tested only on
SunOS4.0.3 on Sun4, Sun3, and Sun386i machines. Each test reports
its findings, and will offer to fix any problem found. The
program must be run as root if you want it to fix any of the
problems, but it can be run from any account if you reply 'n'
to any fix requests.
William LeFebvre, securelib
Abstract: This package contains replacement routines for
these three kernel calls: accept, recvfrom, recvmsg. These
replacements are compatible with the originals, with the
additional functionality that they check the Internet address of
the machine initiating the connection to make sure that it is
"allowed" to connect.
Nate Sammons, Security Scanner for IRIX on SGIs (A related WWW homepage exists for this item)
Keywords: scanning, vulnerabilities, IRIX, SGI
Abstract: This tool performs a variety of checks on SGI
machines running IRIX for potential security vulnerabilities. It
looks for such common vulnerabilities as exporting file-systems
read-only, sendmail bugs, suid scripts and YP problems. It checks
for problems reported in CERT advisories.
Laurent Demailly, sfingerd
Abstract: sfingerd is a secure replacement for the
standard unix finger daemon. The goal is to have the smallest and
safest code.
Marc Chatel, S4 Kit - The Secure System Setup Script
Keywords: secure systems
Abstract: The ultimate goal of S4 is to be a complete
system security solution that can be installed quickly over a
large number of machines. A lot of good tools and techniques
exist now, but sysadmins everywhere are constantly asked to do
more work in less time, and cannot reasonably be expected to
install by hand 32 security tools. Anything that contributes to
achieve this goal is good. The current S4 kit includes no
binaries and compiles everything as it goes. An important change
to be done in future versions of S4, for example, is to ALSO
include binaries so that a sysadmin can reduce install time by
choosing not to compile selected tools.
Chiaki Ishikawa, showid
Keywords: set UID, UID, SUID, GID
Abstract: This is a tool for examining the effective and
actual user id and group id of a program once it is
executing.
Neil M. Haller, Philip R. Karn, skey
Abstract: The S/KEY one-time password system provides
authentication over networks that are subject to
eavesdropping/replay attacks.
Eric Allman, smrsh
Abstract: smrsh is a restricted shell utility that
provides the ability to specify, through a configuration, an
explicit list of executable programs. When used in conjunction
with sendmail, smrsh effectively limits sendmail's scope of
program execution to only those programs specified in smrsh's
configuration.
Xerox Corp., Snefru 2.5
Abstract: This is an implementation of Snefru. Snefru is a
one-way hash function that provides authentication. It does not
provide secrecy.
Marshall T. Rose, SNMP-UPGRADE
Abstract: This work was partially supported by the U.S.
Defense Advanced Force Systems Command under contract number
F30602--88--C-0016. The content of the information contained
herein does not necessarily reflect the position or the policy of
the U.S.Government, and no official endorsement should be
inferred. The purpose of this paper is simply to point out where
you can find the various components in the 4BSD/ISODE SNMP
package.
Dan Bernstein, Snuffle
Abstract: Snuffle - generic hash-based encryption and
decryption programs. snuffle and unsnuffle turn any good one-way
hash function (such as Merkle's Snefru) into a reasonably fast
private-key encryption method. You must have Snefru, or something
providing the same Hash512() interface, for snuffle and unsnuffle
to work. Past that, snuffle and unsnuffle should be perfectly
portable.
David Koblas, Ying-Da Lee, socks
Abstract: SOCKS is a package that allows hosts behind a
firewall to gain full access to the Internet without requiring
direct IP reachability. It works by redirecting requests to talk
to Internet sites to a server, who authorizes the connection and
passes data back and forth.
Thomas Koenig, Ssh (Secure Shell) FAQ - Frequently asked questions (A related WWW homepage exists for this item)
Keywords: secure shell, encryption, faq
Abstract: Ssh (Secure Shell) is a program to log into
another computer over a network, to execute commands in a remote
machine, and to move files from one machine to another. It
provides strong authentication and secure communications over
insecure channels. It is intended as a replacement for rlogin,
rsh, and rcp.
Julian Assange, STROBE v1.01 Super Optimised TCP port surveyor
Abstract: strobe is a security/network tool that locates
and describes all listening tcp ports on a (remote) host or on
many hosts in a bandwidth utilisation maximising, and process
resource minimising manner.
sudo-bugs@cs.colorado.edu, CU version of sudo, release 1.3.1
Abstract: Sudo is a program designed to allow a sysadmin
to give limited root privileges to users and log root activity.
The basic philosophy is to give as few privileges as possible but
still allow people to get their work done. The purpose of sudo is
to make super-user access easier, self-documenting and
controlled. The sudo control file is called
/usr/local/adm/sudoers. You were given 'all' permissions which
means you have unlimited super-user access. You may have already
been given a lecture at some point as to the moral and social
etiquette that you should observe as a super-user. With
super-user permissions, it is possible to do great damage by
accident. Use extra premeditation before doing anything. Some
famous sudo boo-boo's include removing /etc or killing init. Lots
of fun. With super-user permissions you may look at any file you
wish. Resist all temptation to look in other people's personal
files. Even if they haven't locked them up properly.
Wietse Venema, surrogate-syslog
Abstract: For systems that have no syslog library. This
version logs directly to a file (default
/usr/spool/mqueue/syslog). The fake syslog that comes with nntp
seems to be OK, too.
Todd Atkins, swatch
Abstract: A simple watcher that is designed to monitor
system activity.
James W. Abendschan, Synsniff (A related WWW homepage exists for this item)
Keywords: intrusion detection, port scan detector
Abstract: Monitors incoming SYN packets and flags
connections that come from a non-local network. Useful for
catching intrusion attempts. (requires tcpdump)
Simon Ney, STREAMS pushable-module/driver tap.
Abstract: This is the STREAMS pushable-module/driver tap.
- this driver is a kernel-loadable-module. (==> no reboot
  required)
- it is a combination of a STREAMS-module and a STREAMS-driver.
- the pushed tap-module passes all downstream M_DATA messages
  coming from above to the tapc0-driver upstream on the
  read-side, and all upstream M_DATA messages coming from below
  to the tapc1-driver upstream on the read-side.
- all messages coming downstream from the tapc?-driver are
  discarded.
Wietse Venema, tcp_wrappers
Abstract: With this package you can monitor and filter
incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN,
RSH, EXEC, TFTP, TALK, and other network services.
Lawrence Berkeley Laboratory Network Research Group, TCP Dump
Keywords: tcp, probe
Abstract: This directory contains source code for tcpdump,
a tool for network monitoring and data acquisition. The original
distribution is available via anonymous ftp to ftp.ee.lbl.gov, in
tcpdump-*.tar.Z.
G. Paul Ziemba, tcpr
Abstract: Tcpr is a set of Perl scripts that enable you to
run ftp and telnet commands across a firewall. Forwarding takes
place at the application level, so it's easy to control.
Mike Ryan, tcpshow v1.0
Keywords: tcpdump
Abstract: Quickie to decode a "tcpdump" savefile. The
application data is displayed as ASCII -- application protocols
are not decoded. The data captured by "tcpdump" might be less
than in the original packet. We kludge a solution to this with
setjmp()/longjmp(). Although written to read tcpdump savefiles,
with tcpdump itself as a front-end, it'll decode any hex dump
that adheres to the format expected. Some programs which capture
network data offer an option to save the trace to a file in hex
format -- this can often be massaged easily with Perl/awk/sh
scripts to turn it into the format expected. As a special case,
"tcpdump -s 1518 -lenx | tcpshow -cooked" works rather well, and
"tcpdump -s 1518 -lenx | tcpshow -cooked -data" is nice for
watching the data traffic in real time.
Scott M. Ballew, TCP/IP Trivial File Transfer Protocol server
Abstract: This version of tftpd is hacked from the 4.3
Reno tftpd. The author modified original source code since all of
the versions that did a chroot() were unable to then syslog who
got what file because of a rather obnoxious subtlety in the way
4.3 syslog works. This version has the following improvements:
- chroot() to a restricted subdirectory
- syslog() all accesses (and failures) to include the accessor,
  the file, and the access type (read or write), even when
  chroot() was in effect
- have the ability to control which files or subdirectories of
  the tftp directory were accessible to which clients based on
  the incoming IP address
Doug Schales, tiger
Abstract: 'tiger' is a set of scripts that scan a Un*x
system looking for security problems, in the same fashion as Dan
Farmer's COPS. 'tiger' was originally developed to provide a
check of UNIX systems on the A&M campus that want to be
accessed from off campus (clearance through the packet
filter).
Doug Hughes, tklogger (A related WWW homepage exists for this item)
Keywords: logging, audit, Tk
Abstract: A utility for watching logs. It's all in tcl/tk, so
it's easily extensible to do what you want. Watches the logs
generated by the tcp wrapper and displays changes in multiple
colors in real time.
Doug Hughes, tocsin - TCP SYN probe detection tool (A related WWW homepage exists for this item)
Keywords: TCP, SYN, probe, network monitor
Abstract: In light of the recent revival of interest in
TCP SYN probes that were undetected by conventional daemon
means (e.g. klaxon), I wrote a promiscuous network monitor that
runs as a packet filter and will catch any packet on the network
that matches services that are given to the program as command
line arguments. So far it runs on SunOS4.1.X (NIT) and
Solaris2.X(DLPI). Individuals interested in running it on other
architectures would need to do some porting. The DLPI code should
be portable to other DLPI implementations. On SunOS and Solaris
all you have to do is type Make. The README explains options,
history, and implementation.
Tom Limoncelli, Alphanumeric pager via email
Abstract: "tpage" or "Tom's Pager System" is a set of
programs that let you send messages to alpha-numeric pagers using
the "IXO" protocol. It supports a dialing directory, a "who's on
duty now" schedule, and can do special tricks with RFC822-format
email. The system has the following features:
...sends pages to any pager system that supports the IXO protocol.
...additional protocols can be added. (I'll write the touch-tone
   protocol soon).
...can parse email messages and extract the interesting info from
   them resulting in shorter messages.
...can copy its input to stdout and therefore can be used as a "tee".
...maintains a directory of people's phone numbers/PINs.
...can page "the person on duty" (searches a schedule).
...schedule can have slots that are empty, but find someone anyway
   if the message is marked "urgent".
...with programs like procmail, permits you to send certain email
   messages to your pager.
...a list of modems can be given to the daemon.
Van Jacobson, Traceroute - Tracing IP packet routes
Keywords: network, IP routing
Abstract: Traceroute is a system administrators utility to
trace the route ip packets from the current system take in
getting to some destination system. See the comments at the front
of the program for a description of its use. This program a) can
only be run by root (it uses raw ip sockets). b) REQUIRES A
KERNEL MOD to the raw ip output code to run.
Danny Mitzel, TCP Traffic Monitoring Software
Abstract: The research we are currently pursuing involves
characterizing the communication patterns of applications which
use the TCP transport protocol. This analysis requires
information from the IP and TCP network headers. We are currently
pursuing collection of this type of data at several different
Internet sites. Two programs are used in the data collection
process. Collect is a shell script which invokes the tcpdump
program to collect the IP and TCP headers of packets denoting the
start and end of a TCP conversation (packets having the TCP SYN,
FIN, or RST flag set). Tcpdump uses the Sun Network Interface Tap
(NIT) streams module in promiscuous mode to collect packets on a
Ethernet. The collected packets are passed through a filter
function, to collect only the desired packet headers [I'd like to
thank Vern Paxson at LBL for his tcpdump help, especially the AWK
scripts he provided to parse the tcpdump output]. It is important
that the collection routine be run on a machine on the ethernet
segment connected to the site's internetwork gateway, so that all
internet packets can be observed.
David A. Curry, trimlog
Abstract: Trimlog is used to trim system log files to keep
them from growing without bound. When invoked, it reads commands
from the file which tell it which files to trim, how to trim
them, and by how much they should be trimmed.
Bruce Barnett, trojan.pl
Abstract: Trojan.pl is a trojan horse checking program. It
examines your searchpath and looks at all of the executables in
your searchpath, looking for people who can create a trojan
horse you can execute.
Mike Neuman, ttywatcher 1.0 (A related WWW homepage exists for this item)
Keywords: monitor ttys, control ttys
Abstract: TTY-Watcher is a utility to monitor and control
users on a single system. It is based on our IP-Watcher utility,
which can be used to monitor and control users on an entire
network. It is similar to advise or tap, but with many more
advanced features and a user friendly (either X-Windows or text)
interface. TTY-Watcher allows the user to monitor every tty on
the system, as well as interact with them by: to the real owner
of the TTY without interfering with the commands he's typing. The
message will only be displayed on his screen and will not be sent
to the underlying process. Aside from monitoring and controlling
TTYs, individual connections can be logged to either a raw
logfile for later playback (somewhat like a VCR) or to a text
file.
Tom Fitzgerald, UDP packet relayer
Abstract: This package consists of 2 components. udprelay
is a daemon process which runs on a bastion system and forwards
UDP packets in and out of a firewalled network, as directed by a
configuration file. Rsendto.c provides routines Rsendto and
Rrecvfrom, which allow tunnelling through the bastion to
arbitrary outside hosts. Rsendto/Rrecvfrom communicate with
udprelay using UDP packets encapsulated in a wrapper that
includes the address of the remote host/port to transfer traffic
to.
Michael Glad, UFC-crypt: ultra fast 'crypt' implementation
Abstract: This crypt implementation is plug-in compatible with
crypt(3)/fcrypt, with extremely high performance when used for
password cracking. Portable to most 32 bit machines; startup
time/mixed salt performance not critical; runs 25-45 times faster
than crypt(3) when invoked repeated times with the same salt and
varying passwords. With alternating salts, performance is only
about 4 times that of crypt(3). Tested on 68000, 386, SPARC,
MIPS, HP-PA and RS/6000 systems; it requires 280 kb for tables.
Robert Morris Jr., The Internet Worm Source Code
Abstract: This is a decompiled C version of the infamous
Internet Worm released in November 1988. It's not very readable,
thankfully so!
der Mouse, X Connection Monitor
Abstract: This program monitors X connections:
- It uses RFC931 to display usernames, when the client host
  supports RFC931.
- It allows the user to freeze (and unfreeze) connections, or
  kill them, independent of the client, and very importantly
  independent of the server. The KillClient request can be used
  to forcibly disconnect a client from the server, but only if
  the client has created a resource, which (for example) neither
  xkey nor xcrowbar does.
- It monitors the connection, and if it sees certain dubious
  requests (currently configurable only by hacking on the
  source), it pops up a little menu with which the user can allow
  the request, have it replaced with a NoOperation request, or
  kill the connection. The dubious requests are, at present,
  requests to change the host access list, requests to enable or
  disable access control, and ChangeWindowAttributes requests
  operating on non-root windows not created by the same client.
Chuck Murcko, xinetd v2.1.4
Keywords: inetd
Abstract: Xinetd is an inetd/tcp_wrapper that also adds
many other features, including UDP service access logging,
verification, and control. It was originally written for SunOS
and Ultrix operating systems. The current version is 2.1.4-OS.3,
where OS is one of the mentioned OSs.
Matthew Scott, Yppapasswd
Abstract: Yppapasswd is designed to do proactive password
checking based upon the passwd program given in the O'Reilly book
on perl (ISBN 0-937175-64-1). This program has a subroutine
called 'goodenough' that can easily be extended to perform any
type of password checks that you feel are necessary, that aren't
already being done. Yppapasswd extends this program to be used
with Network Information System (NIS). To accomplish this there
is a daemon, yppapasswdd that runs on the NIS master in
replacement of yppasswdd. Yppapasswd supports -f and -s options
that change finger and shell information. This also works across
the NIS domain so that you do not have to be on the NIS master
server to change your passwd info.
Rob J. Nauta, YPX - A utility to transfer NIS maps beyond a local (broadcast) network.
Abstract: ypx is a utility to transfer a NIS map from any
host running a ypserv daemon. ypx is similar to ypcat, with some
additions. To be able to transfer a map, a domainname must be
specified. There unfortunately is no way to ask the remote host
about its domainname, so it must be known already or guessed to
transfer a map successfully. If none is specified, the hostname
of the remote host is used as the domainname. ypx is able to
guess at the remote domainname, by trying parts of the hostname,
if guessing is enabled with the -g option. If the -s option is
used, ypx will connect to the sendmail daemon, read the hostname,
and parse that too, to be used as additional guesses. Finally,
any additional strings on the commandline will be added to the
list of domainname guesses.
RokK Industries, Zap
Abstract: This program will fill the wtmp and utmp entries
corresponding to the entered Username. It also zeros out the last
login data for the specific user, so fingering that user will show
'Never Logged In'.
Patrick Powell, LPRng - An Enhanced Printer Spooler (A related WWW homepage exists for this item)
Keywords: print spooler, LPR, Kerberos V, PGP authentication
Abstract: The LPRng software is an enhanced, extended, and
portable implementation of the Berkeley LPR print spooler
functionality. While providing the same interface and meeting
RFC1179 requirements, the implementation is completely new and
provides support for the following features: lightweight (no
databases needed) lpr, lpc, and lprm programs; dynamic
redirection of print queues; automatic job holding; highly
verbose diagnostics; multiple printers serving a single queue;
client programs do not need to run SUID root; greatly enhanced
security checks; and a greatly improved permission and
authorization mechanism. For users that require secure and/or
authenticated printing support, LPRng supports Kerberos V and/or
PGP authentication methods. Additional authentication support is
extremely simple to add.
Built by Mark Crosbie and Ivan Krsul.