jwa's crufty security tools
I like to write tools, security-related tools in particular.
Most of them are lame and worthless; some of them have value only to me.
But there are some that are more universally applicable. Here they are.
If you use them, please report any bugs to me, jwa@jammed.com.
All are copylefted under the terms of the GNU General Public License (naturally.)
- 2001-07-17 -
catm-dump.sex
(expect script, 569 bytes)
catm-clean.pl
(perl, 4kb)
-- grab & decode ATM packet dumps from a Cisco router (fuggly Cisco ATM sniffer)
- 2001-04-29 -
asip-status
(perl, 9kb)
asip-status-doc.html
(HTML, 4kb)
-- asip-status is a perl script that sends a DSIGetStatus / FPGetSrvrInfo
to a machine running AppleShare file services (AFP) over TCP port 548.
I've also written a Nessus plug-in that does more or less the same thing.
- 2001-01-10 -
httpscan.c
(C, 17kb)
-- Handed a list of hosts on stdin, httpscan will open a connection to each
and record the response to HEAD / HTTP/1.0. Uses pthreads to work efficiently
on hosts in parallel. Tested w/ up to 120 threads on Linux 2.2.16 and 2.4.0.
- 2000-12-17 -
whisker-fp.diff
(diff, 3kb)
-- Patch to the very fine whisker CGI auditing tool that avoids false
positives when scanning sites that return an HTTP code of 200 for a
nonexistent page (as opposed to a 404 or a 302.)
- 2000-10-05 -
tnscmd
(perl, 5kb)
tnscmd-doc.html
(HTML, 16kb)
-- updated 26 April 2001 -
I was bored at work one day and decided to figure out how the
Oracle 'tnsping' application worked. A little while later I
had a working program that could ping and prod the TNS listener, and
I'd discovered some security bugs in the process (interestingly enough,
ISS released an advisory on this very problem at the end of October.)
This has been rolled into a pair of Nessus plug-ins that report on
potential Oracle tnslsnr security problems.
- 1998-05-28 -
checksyslog
(perl, 2kb)
resort
(perl, 751 bytes)
checksyslog-doc.html
(HTML, 7kb)
example.rules
(English, 8kb)
v1.3 -- Updated 7 May 2001 -
Analyze your syslogs for security or system problems by creating a list of
normal behaviour to ignore; everything else is something you should be
aware of. (aka "artificial ignorance"). Requires perl 5.
- 1997-06-15 -
h_rpcinfo.c
(C, 16kb)
00README
(English, 527 bytes)
-- While you're sitting smug behind your packet filter, Solaris rpcbind
listens quietly on a high numbered UDP port just waiting for
someone to talk to it. Inspired by the SNI (now part of the NAI b0rg)
rpcbind advisory.
- 1996-03-29 -
synsniff
(perl, 7kb)
00README
(English, 8kb)
v1.0 -- monitors incoming SYN packets and flags connections that come from a
non-local network. Useful for catching intrusion attempts. Also detects
"stealth" TCP FIN scans from programs like nmap. Requires perl 5 and tcpdump.
- 1995-03-29 -
natas.tar.gz
(gzip'd tarball, 1541kb)
:README
(English, 6kb)
-- an old SATAN-esque security scanner I wrote back in early '95. Doesn't
seem to build under Linux 2.0, but still works under Solaris 2 (and
probably SunOS 4). Not super current (it's nearly 6 years old!);
I recommend nessus. Included here for giggles.
- 1994-05-04 -
nfs-root.shar
(shell archive, 39kb)
-- This is a hacked up version of Leendert van Doorn's nifty nfsbug tool
that wanders down the export list and tries to create a suid root shell.
page automatically built Tue Feb 5 22:23:43 PST 2002 by jwa @ nimue (/home/nimue/jwa/bin/hacks2html)