Wietse's tools and papers

This archive is located in the Netherlands at the Eindhoven University of Technology.

Some files have a (separate) PGP signature to protect you against trojanized versions.

This is my PGP public key. You can reach me personally as wietse@porcupine.org

Disclaimer

I wrote some of the tools in this archive, and I even use many of them, but I can't give any warranty on the absence of bugs. Use at your own risk.

Wietse's Tools

SATAN (satan-1.1.1.tar.Z) | README file | PGP signature

For more than one year, the most famous piece of Internet vaporware. SATAN closes much of the knowledge gap between intruders and system administrators, by proposing how to fix problems. CERT-UU wrote a nice overview of the program, of vendor bulletins, and of alternative archive sites. Additional information can be found on this really slow site. This unusual program is the result of an even more unusual cooperation between unusual people: Wietse Venema and Dan Farmer.

TCP Wrapper (tcp_wrappers_7.6.tar.gz) | BLURB file | PGP signature

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system. The current version supports the System V.4 TLI network programming interface (Solaris, DG/UX) in addition to the traditional BSD sockets.

Chrootuid (chrootuid1.2.shar.Z) | BLURB file | PGP signature

Chrootuid makes it easy to run a network service at low privilege level and with restricted file system access. At Eindhoven University we use this program to run the gopher and www (world-wide web) network daemons in a minimal environment: the daemons have access only to their own directory tree, and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software.

Portmap (portmap_4.tar.gz) | BLURB file | PGP signature

Replacement portmapper with access control. Makes it somewhat harder to attack your RPC daemons, for example to steal YP password maps or NFS file handles. Must be linked against a library produced with a recent tcp wrapper release (see above). Tested with SunOS 4.1.x. Also supports HP-UX 9.0, AIX 3.x (bsdcc compiler with -D_SUN), AIX 4.x and Digital UNIX (OSF/1). If you run SunOS 4, the securelib library (see below, under "Tools by other people") is better because it can also cope with direct attacks on your RPC daemons (i.e. attacks without assistance from portmap).

Rpcbind (rpcbind_2.tar.gz) | README file | PGP signature

Replacement rpcbind program (the System V.4 portmapper) that prevents intruders from bypassing your NFS export restrictions. Derived from a legal copy of the SunOS 5.3 rpcbind source code. This version refuses requests sent by remote clients to TCP or UDP ports other than 111.

Logdaemon (logdaemon-5.6.tar.gz) | README file | PGP signature

Unproto (unproto5.shar.Z)

A wrapper program that upgrades your traditional C compiler to something that understands a very large subset of ANSI C, including stdarg-style variadic functions. The program is a wrapper around the C preprocessor that on the fly translates ANSI C to traditional C. It comes with a set of ANSI-compatible include files.

Yapasswd (yapasswd.tar.Z) | PGP signature

Yet another password command for SunOS 4.x and 5.x. No shadow support, uses insecure NIS, but we depend on it anyway.

Agetty (agetty.shar.Z)

A flexible getty (portmon) replacement for System V Release 2, SunOS 4.x, and SunOS 5.x. Automagically adapts to parity settings, erase characters etcetera. This is another program that my sanity depends on when I hook up modems or terminals to my own machines.

surrogate-syslog.tar.Z | PGP signature

For systems that have no syslog library (or one that does not work). This version logs directly to a file (default /usr/spool/mqueue/syslog). The fakesyslog that comes with nntp seems to be OK, too.

Wietse's Papers

murphy.ps.gz (postscript)
murphy.txt.gz (ascii)

"Murphy's law and computer security", a paper presented at the Sixth USENIX Security Symposium (San Jose, July 1996). The title should have been "Lessons learned from errors in my own software and from those by other people", but that did not sound as sexy.

admin-guide-to-cracking.101.Z (ascii)

Slightly updated version of an article that was posted to Usenet on December 2, 1993, titled "Improving the security of your site by breaking into it", by Dan Farmer and Wietse Venema. The paper explains to the administrator what crackers have known for a long time.

The paper also announces a piece of security software called SATAN (Security Administrator Tool for Analyzing Networks). It took the authors more than a year to fulfill their promise.

SATAN demo release (satan_doc.tar.Z) | README file | PGP signature

Updated version of the SATAN documentation release on March 15, 1995. This archive contains a sample database that illustrates a lot of the problems that SATAN can find for you.

Risico's van internetwerken (wgkennis.ps)
ASCII version (wgkennis.txt)

Text (in Dutch) of a talk given at the "Wij geven kennis" congress on November 23, 1994, in Amsterdam. Explains to a less technical audience what kinds of risks one can expect when connecting the local network with networks of other organizations.

tcp_wrapper.ps.Z (postscript)
tcp_wrapper.txt.Z (ascii)

Presented at the 3rd UNIX Security Symposium (Baltimore, September 1992). Describes the development of the TCP Wrapper tool (aka the log_tcp package) to trace a malicious Dutch computer cracker (see also: An evening with Berferd by Bill Cheswick).

tcp_wrapper.dutch.ps.Z (postscript)
tcp_wrapper.dutch.txt.Z (ascii)

Text (in Dutch!) of a presentation given at the 23 April 1992 security meeting of the NLUUG (Dutch UNIX users group) and SURF (network provider for the Dutch universities).

Tools by other people

COPS (cops_104.tar.Z)

Primary archive: ftp://ftp.cis.ohio-state.edu/pub/cops/.

The UNIX security checker by Dan Farmer. Run this on your systems before someone else does.

Crack (crack5.0.tar.gz) | README

Primary archive: http://www.users.dircon.co.uk/~crypto/.

Password cracker by Alec Muffett. Run this one on your password files before someone else does.

A fine collection of word lists can be found on sable.ox.ac.uk:/pub/wordlists/.

Cracklib (cracklib26_small.tgz) | PGP signature

Primary archive: http://www.users.dircon.co.uk/~crypto/.

Proactive password security library by Alec Muffett. The idea is simple: try to prevent users from choosing passwords that could be guessed by "Crack" by filtering them out, at source.

Securelib (securelib.tar.Z) | README file

Primary archive: ftp://eecs.nwu.edu/pub/.

Protect your RPC daemons against access from arbitrary systems. Shared library for SunOS 4.1 and later with replacement routines for three kernel calls: accept, recvfrom, recvmsg. These replacements are compatible with the originals, with the additional functionality that they check the Internet address of the machine initiating the connection to make sure that it is "allowed" to connect. Written by William LeFebvre.

Tiger (tiger-2.2.3.tar.gz) | README file

Primary archive: ftp://net.tamu.edu/pub/security/TAMU/.

'tiger' is a set of scripts that scan a Un*x system looking for security problems, in the same fashion as Dan Farmer's COPS. 'tiger' was originally developed to provide a check of UNIX systems on the A&M campus that want to be accessed from off campus (clearance through the packet filter). As such, we needed something that *anyone* could run if they could figure out how to get it down to their machine.

Ipacl (ipacl.tar.Z) | README file

Primary archive: ftp://eunet.co.at/pub/network/ipacl/.

SYSV.4 streams module that implements packet filtering within the kernel. Fascinating stuff. Written by Gerhard Fuernkranz (fuer@siemens.co.at).

Loginlog (loginlog.c.Z)

A small program that watches the wtmp file and reports all logins to the syslogd. Written by Mark Mookie mark@blackplague.gmu.edu.

TCPR (tcpr-1.3.tar.gz) | BLURB file

Primary archive: ftp://ftp.alantec.com/pub/tcpr.

TCPR is a set of perl scripts that enable you to run ftp and telnet commands across a firewall. Forwarding takes place at the application level, so it's easy to control.

Netlog (netlog-1.2.tar.gz) | README file

Primary archive: ftp://net.tamu.edu/pub/security/TAMU.

An advanced network sniffer system to monitor your networks. These programs are a part of the network security system used by Texas A&M University. It can be used for locating suspicious network traffic. The following programs are included:

All three programs require an ANSI C compiler. Tcplogger and udplogger use the SunOS 4.x Network Interface Tap (nit).

Papers by other people

secure_del.html

Primary archive: http://www.cs.auckland.ac.nz/~pgut001/secure_del.html.

Peter Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory", Proceedings of the Sixth USENIX Security Symposium, July 1996, San Jose.

Disks and tapes keep your data even when you overwrite them many times; RAM chips remember their data even after being powered off. My favourite presentation of the 1996 Security USENIX.

You can find cool pictures of data between disk tracks etc. in the "NanoTheater" on http://www.di.com.

simple_tcp_active_attack.ps.gz

Primary archive: http://www.merit.edu/routing.arbiter/RA/security.

Laurent Joncheray, "A Simple Active Attack Against TCP", Proceedings of the Fifth USENIX UNIX Security Symposium, June 1995, Salt Lake City.

Why the use of one-time passwords alone is not sufficient anymore. This paper shows how to take over, use, and give back a connection without anyone ever noticing it.

NIS_Paper.ps.Z

Primary archive: ftp://net.tamu.edu/pub/security/TAMU.

David Hess, David Safford, Udo Pooch, "A Unix Network Protocol Security Study: Network Information Service", ACM Computer Communications Review 22 (5), 1992.

How easy it is to spoof a connectionless protocol with poor or no authentication (in this case, NIS).

orange-book.Z (ASCII)

Source: ftp://ftp.cert.org/pub/info

The DOD orange book defines various levels of security.

tamu-security-overview.ps.gz

Primary archive: ftp://net.tamu.edu/pub/security/TAMU.

How people at Texas A&M handled a severe case of intrusion.