The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Our areas of research include computer, network, and communications security as well as information assurance.

This site's design is only visible in a graphical browser that supports web standards, but its content is accessible to any browser or Internet device. (Why?)

Center for Education and Research in Information Assurance and Security

COAST Security Archive Logo Category Index: /pub/tools/unix

No Pointing!

This WWW page was generated automatically. Link makers should not point their links to this page. If you must, please make a link to the search entry point.

David A. Curry, An Account Creation and Maintenance System for Distributed UNIX Systems
Abstract: ACMAINT (An Account Creation and Maintenance System for Distributed UNIX Systems) is a network-based, centralized database system used to manage account creation and maintenance similar to NIS/YP.

Hobbit, L5
Abstract: L5 simply walks down Unix or DOS filesystems, sort of like "ls -R" or "find" would, generating listings of anything it finds there. It tells you everything it can about a file's status, and adds on an MD5 hash of it. Its output is rather "numeric", but it is a very simple format and is designed to be post-treated by scripts that call L5.

Gary B. Edstrom, PGP
Abstract: PGP is a program that gives your electronic mail something that it otherwise doesn't have: Privacy. It does this by encrypting your mail so that nobody but the intended person can read it. When encrypted, the message looks like a meaningless jumble of random characters.

Texas A & M University, SRA - Secure RPC Authentication for TELNET and FTP
Abstract: This package provides drop in replacements for telnet and ftp client and server programs, which use Secure RPC code to provide encrypted authentication across the network, so that plaintext passwords are not used. The clients and servers negotiate the availability of SRA so that they work with unmodified versions. These programs require no external keyserver or ticket server, and work equally well for local or internet wide connections.

David K. Hess, Douglas Lee Schales, David R. Safford, Drawbridge 2.0
Keywords: ip filter, firewall, bridge
Abstract: Drawbridge is a copyrighted but freely distributable bridging IP filter with a powerful syntax and good performance. It uses a PC with either two Ethernet cards or two FDDI cards to perform the filtering. It is composed of three different tools: Filter, Filter Compiler and Filter Manager. This distribution is version 2.0 which is a major overhaul of Filter.

Texas A & M University, SPAR - Show Process Accounting Records
Abstract: 'spar' is used to select records from a UNIX process accounting file. It is usually faster than most 'lastcomm's and significantly more flexible and powerful:

Kenneth Ingham, Watcher
Abstract: Watcher is a program to watch the system, reporting only when it finds something amiss.

Timothy E Hoff, General purpose UNIX file wrapper
Keywords: file, wrapper, UNIX, authentication
Abstract: One of the issues faced by UNIX system administrators is how to delegate routine functions such as system backups without distributing root authorities to a large group of staff and users. file-wrapper provides one approach to addressing this administration challenge.

Paul Traina, access_list_examples
Abstract: A series of Perl scripts that allow one to quickly and easily configure ACL entries for filewall routers.

Mark Henderson, anlpasswd
Abstract: A modified version of Larry Wall's Perl password program that (supposedly) does the intelligent thing in an NIS environment, allows for gecos changes, and also checks a sorted list of all the "bad passwords".

Carter Bullard, Chas DiFatta, Argus 1.5 network monitoring tool
Keywords: monitoring, network, argus
Abstract: Argus, a generic IP network transaction auditing tool. Argus runs as an application level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters. Argus has been built and tested under SunOS 4.x, Solaris 2.3, and SGI IRIX5.2. The issue of portability has been principally addressed by the use of libpcap-0.0.x. Argus, enables a site to generate comprehensive network transaction audit logs, in a fashion that provides for high degrees of data reduction, and high degrees of semantic preservation. This has allowed us to perform extensive analysis of our network traffic, historically. The package includes two example programs for analyzing the network transaction audit logs., ARP monitor
Abstract: arpmon does a popen() to tcpdump and collects data. It writes its pid by default to /home/arpmon/, and dumps its data to /home/arpmon/addrs. Doing a kill -HUP `cat` creates or updates the addrs file. A kill -QUIT `cat` updates the addrs file and instructs the arpmon process to die. You can change these pathnames by editing ipreport will write a formatted report of the addrs files to stdout. Do an ipreport -h for the other options.

LBL Network Research Group, ARPWATCH 1.3
Abstract: This directory contains source code for arpwatch, a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch uses libcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also from LBL, in:*.tar.Z.

Abdelaziz Mounji, Advanced Security audit trail Analysis on uniX
Abstract: ASAX 1.0: Advanced Security audit trail Analysis on uniX 1.0 A package that allows you to analyse any form of Audit Trail by customising the format description of your trail. INTRODUCTION Analyzing substantial amounts of data and extract ing relevant information out of huge sequential files has always been a nightmare. And ... it will probably remain so, unless you use ASAX, FUNDP' Advanced Security audit trail Analyzer on uniX. Using highly sophisticated and powerful algorithms, ASAX tremendously simplifies the intelligent analysis of sequential files. Of course, the data should fit the analyzer. Therefore, ASAX has defined a normalized audit file format (NADF) with built-in flexibility to guarantee a simple and straightforward translation of any stream of native data into the normalized sequential files ASAX understands. But ASAX's real power is unleashed by deploying its embedded, easy to use rule based language RUSSEL; this tailor-made analysis tool solves very intricate queries on any sequential data.

Vic Abell, Authentication Server Daemon
Abstract: Authd is an implementation of RFC 931, the Authentication Server under BSD. RFC 931 provides the name of the user owning a TCP connection. This helps network security: unless TCP itself is compromised, it is impossible to forge mail or news between computers supporting RFC 931. It also becomes much easier to trace attackers than in the current, largely anonymous, network. authd requires no changes to current code: every connect() and accept() is authenticated automatically, with no loss of efficiency.

Matt Bishop, RIACS Auditing Package
Abstract: This is the RIACS Auditing Package - really, a sophisticated file scanning system. It audits a file system for possible security or accounting problems, scans the file system FILESYS , and compares these results to information in the master file LISTDIR /audit.lst.

University of California, bsd-tftp
Abstract: A hacked copy of the BSD 4.3-tahoe tftpd program.

Diego Zamboni, New COPS Analysis and Report Program (ncarp)
Abstract: (New COPS Analysis and Report Program) is a data analysis tool that views and analyze multiple COPS result files (important -- the COPS result files must have been created with the -v flag; ncarp needs the extra information.) It's based on the carp program included in the COPS package, and it produces essentially the same information, but apart from the table produced by carp, ncarp produces individual reports for each of the systems examined. Each report contains a detailed description of the problems found, and information about correcting the problem.

Robert W. Baldwin, cbw.tar.Z
Abstract: The Code Breaker's Workbench - break crypt(1) encrypted files.

Julian P. Assange, chalace
Abstract: "Chalace" is a intercept proof password authentification system which can be used over normal communications channels. Chalace is very, very portable, being for the most part pure ANSI-C. However it will not run on a terminal, or calculator alone. You must have secure access to a LOCAL machine in order to run the response client. In an ideal world, everyone would be running something like kerberos - however kerberos is not very portable or, exportable, and runs only over TCP/IP style connections. Chalace is useful under many circumstances and not at all useful under others. Useful for: Connecting from a local (or considered secure) machine to a remote machine over a possibly insecure communications line, without giving any intercepting agents access to your account authentification information (password) and thus your account itself. Not useful for: Protecting the data that is actually transferred from the remote machine, Connection from a dumb terminal, etc where no computer is nearby to run the Chalace client.

Bob Vickers, checkXusers
Abstract: This script checks for people logged on to this machine from insecure X servers. It is intended for systems administrators to check up on whether users are exposing themselves (and hence the system) to unacceptable risks. Like many commands (e.g. finger(1)), it could potentially be used for less honourable purposes; naturally I disapprove of this. It should be run from an ordinary user account, not root (it should work for root, but I haven't tried and it uses kill which is pretty dangerous for a superuser). It assumes that the netstat command is somewhere in the PATH.

Shabbir Safdar, chkacct v1.1
Abstract: chkacct was designed to complement tools like COPS and Tiger. Instead of checking for configuration problems in the entire system, it is designed to check the settings and security of the current user's account. It then prints explanatory messages to the user about how to fix the problems. It may be preferable to have a security administrator ask problem users to run chkacct rather than directly alter files in their home directories.

DFN-CERT, chklastlog - check lastlog-file for deleted information
Abstract: chklastlog: Check the file /var/adm/lastlog and the file /var/adm/wtmp for inconsistencies. The 'zap' utility deletes the last entry for a given username from the /var/adm/wtmp file and the entry in the lastlog file. If there are other (non deleted) entries in the wtmp file this tool will find the missing entry in the lastlog file.

Clyde Hoover, Password checking routine
Abstract: This is a password checking program that author wrote after the infamous Internet Worm. He used the password cracking algorithm the worm used in order to check the obviousness of a password.

DFN-CERT, chkwtmp: Check the file /var/adm/wtmp
Abstract: chkwtmp: Check the file /var/adm/wtmp for entries that were overwritten with zeros. If such an entry is found the entries above and following the entry are printed to indicate the time range within the deletion has been made.

W.Z. Venema, chrootuid
Abstract: Chrootuid makes it easy to run a network service at low privilege level and with restricted file system access. At Eindhoven University they use this program to run the gopher and www (world-wide web) network daemons in a minimal environment: the daemons have access only to their own directory tree, and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software.

Brian Mitchell, clog - TCP SYN Scanner detector (A related WWW homepage exists for this item)
Keywords: TCP SYN, scanner, logging
Abstract: clog is a program that logs all connections on your subnet. It uses the pcap(3) packet capture library to log any SYN packets to a logfile. The output format is designed to be very easily parsed by various text processing tools. The logfiles have the following format:

Dan Farmer, cops
Abstract: COPS is a static security checking tool that checks common procedural (non-bug) problems of a Un*x system. It basically takes a snapshot of a system, and then generates a report of it's findings.

Steve Romig, Perl Cops
Abstract: This is a perl version of Dan's version of Bob Baldwin's Kuang program (originally written as some shell scripts and C programs). Features including Caches passwd/group file entries in an associative array for faster lookups. This is particularly helpful on insecure systems using YP where password and group lookups are slow and you have to do a lot of them, can specify target (uid or gid) on command line, can use -l option to generate PAT for a goal, can use -f to preload file owner, group and mode info, which is helpful in speeding things up and in avoiding file system 'shadows'.

Carnegie Mellon University, cpm
Abstract: Check for network interfaces in promiscuous mode.

Alec David Edward Muffett, crack
Abstract: Crack is a freely available program designed to find standard Unix eight-character DES encrypted passwords by standard guessing techniques. It is written to be flexible, configurable and fast, and to be able to make use of several networked hosts via the Berkeley rsh program (or similar), where possible.

Alec David Edward Muffett, cracklib
Abstract: A Pro Active Password Sanity Library. CrackLib is a library containing C function which may be used in a "passwd"-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by "Crack" by filtering them out, at source. CrackLib is an offshoot of the the version 5 "Crack" software, and contains a considerable number of ideas nicked from the new software.

George Carrette, crash me
Abstract: The purpose of the crashme program is to cause instruction faults that would otherwise be only rarely seen in the normal operation of a system (where "normal" includes conditions of user programs with bugs in them, and to executable code corruption due to memory, disk, and network problems).

Antti Louko, DES Package
Abstract: This program uses DES algorithm to reads and writes the en/decrypted data. If file name is not given in command line, des uses standard input or output. The is transformed by a one-way function into a 8-byte key, which is then used by the algorithm. If no is given on command line, des asks one with getpass(3). Des encrypts when given flag and decrypts with . With flag des encrypts normally, but it doesn't produce any encrypted output, instead it prints 8-byte cryptographic checksum of input data.

Dana How, Descore
Abstract: Descore is a package containing just the core DES functionality: specifying keys, encryption and decryption. It is for those who want to implement such things as DES filters, rather than UNIX password crackers.

Dave Barrett, deslogin
Abstract: THIS PACKAGE IS NOT AVAILABLE ON OUR ARCHIVE DUE TO ITAR RESTRICTIONS. SEE THE FILE /pub/tools/unix/deslogin/DESLOGIN.README for details. This package provides a network login service with more secure authentication than telnet or rlogin. Also, all data transmitted to and from the remote host in encrypted using the DES. Thus, this package allows you to use a remote host across untrusted networks without fear of network snooping.

Steve Hotz, Paul Mockapetris, Dig
Abstract: Dig (domain information groper) is a flexible command line tool which can be used to gather information from the Domain Name System servers. Dig has two modes: simple interactive mode which makes a single query, and batch which executes a query for each in a list of several query lines. All query options are accessible from the command line.

der Mouse, Disabel modload,modunload,modstat
Abstract: This tool was written in reply to the second attack described in CERT advisory 95:01. -ChS When you want to lock the door after all kosher modloads and kmem writes have happened, attempt to open the device (for example, add "sh -c '

David Barr, A DNS Debugger
Abstract: dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy. dnswalk requires perl and dig. (Tested under perl-4.036, dig 2.0, and the dig shipped with BIND 4.9.x) If you do not have these tools, get them. (perl is assumed to be in /usr/local/bin, edit the first line of dnswalk if it is not)

Steve Hotz, Paul Mockapetris, Domain Obscenity Control
Abstract: Doc (domain obscenity control) is a program which diagnoses misbehaving domains by sending queries off to the appropriate DNS nameservers, and performing simple analysis on the responses. Doc is an automated tool for verifying (to an extent) that a domain is configured and functioning correctly.The only required parameter is the valid domain name of an domain. IMPORTANT: Doc requires version 2.0 of the DNS query tool `dig` (domain internet groper).

Shawn F. Mckay, Dummy "su" program
Abstract: This program is intended to help an intruder who does not know the system (many work from "cheat sheets") to trip alarms so the rightful sysadmin folks can charge to the rescue.

Eugene H. Spafford, dump_lastlog
Abstract: Under most versions of Unix, there is a "lastlog" file that records the time, and sometimes the terminal, of the last login for each user. This is then printed as part of the next login as information. Some systems also include information on the number of invalid attempts on the account since the last valid login. This Perl program dumps the file for SunOS/Solaris systems (it works on both). If your lastlog format is different, then you simply modify this. You may also need to adjust the path to the lastlog file.

Mike Shanzer, New more functional version of fingerd
Abstract: This is a new more functional version of fingerd. What does this fingerd have to offer? - logging - access control lists, so you can restrict finger requests to certain hosts (and certain users if you trust identd) - a message of the day file.

Kent Landfield, GATEWAY Access Utilities (gau)
Abstract: This package currently supports access to the Internet through the use of a firewall system. All internal systems are hidden behind a firewall (or gateway) from the Internet. These utilities allow users from inside the network to get to archives and services on the Internet without requiring that they have an account on the gateway system.

Hobbit, Fix kits for sendmail, WU-ftpd, TCP Wrappers etc.
Abstract: Introduction to the "fix-kits" archive Here you will find patches to various popular packages in common use around the Internet, designed to increase security and robustness. This was motivated by a desire to set up server machines, plug them into the Internet, and have them be reasonably secure on their own without hiding behind firewalls. In some cases these servers would be part *of* a firewall system. This quickly leads to the question of whether or not to trust large complex daemons running in a privileged mode, and the only answer was to rip into said daemons and try to verify their operation for myself. Along the way several things were found that could be changed or disabled to reduce the likelihood of security holes.

SOS Corporation, Freestone
Keywords: firewall kit
Abstract: Freestone is a portable, fully-functional firewall implementation. An enhanced, commercial version of it (Brimstone) is used at several large customer sites. Using Freestone source code, for example, FTP and Telnet proxies extended with an access control list mechanism can be built. Note however, that building and configuring the system requires deep understanding and experience of Unix systems and security in general.

Mike Schwartz, Fremont
Keywords: network, probe
Abstract: Fremont is a research prototype for discovering key network characteristics, such as hosts, gateways, and topology. It runs on SunOS, and has been tested on both Sun3 and Sun4 hardware, on SunOS 4.1.1. The ARPwatch and RIPwatch Explorer Modules use the Sun's Network Interface Tap. This directory contains information, the latest version and patches.

Trusted Information Systems, fwtk
Abstract: A software kit for building and maintaining internetwork Firewalls. It is distributed in source code form, with all modules written in the C programming language and runs on many BSD UNIX derived platforms.

Kenr, Hobgoblin
Abstract: Hobgoblin checks file system consistency against a description. Hobgoblin is a language and an interpreter. The language describes properties of a set of hierarchically organized files. The interpreter checks the description for conformity between the described and actual file properties. The description constitutes a model for this set of files. Consistency Ondishko checking verifies that the real state of these files corresponds to the model, flagging any exceptions. Hobgoblin can verify conformity of system files on a large number of systems to a uniform model. Relying on this verification, system managers can deal with a small number of conceptual models of systems, instead of a large number of unique systems. Also, checking for conformity to an appropriate model can enhance system reliability and security by detecting incorrect access permissions or non-conforming program and configuration files.

Rick Jones, Tom Murray, hp-tcpdump (hp-ux capable tcpdump)
Abstract: This directory contains a version of the tcpdump executable which should run under hp-ux 9.0(1) and hp-ux 9.0* and 10.0.

Peter Eriksson, ident
Abstract: The ident package contains the following: identify - This is a small program that can be used to log "ident" info in conjunction with the "inetd" daemon. idlookup - This is a small tool that can be used to look up the identifier associated with a particular TCP/IP connection if the remote site is running an Ident server. tcplist - Makes a list of tcp connections to and from the local machine, displaying the user name associated with the local end, and making use of rfc931 services if available to determine the "user" at the other end. tcplocate - Identifies the process(es) that have sockets that are either connected to a remote TCP port, or are bound to a given local TCP port.

Dave Goldsmith, ident-scan [v0.15]
Abstract: This TCP scanner has the additional functionality of retrieving the username that owns the daemon running on the specified port. It does this by by attempting to connect to a TCP port, and if it succeeds, it will send out an ident request to identd on the remote host. I believe this to be a flaw in the design of the protocol, and if it is the developers intent to allow 'reverse' idents, then it should have been stated clearer in the rfc(rfc1413). USES: It can be useful to determine who is running daemons on high ports that can be security risks. It can also be used to search for misconfigurations such as httpd running as root, other daemons running under the wrong uids. COMPILES: Compiles fine under Linux, BSDI and SunOS 4.1.x. Archive Note: Compiles find under Solaris 2.x

David A. Curry, ifstatus
Abstract: This program can be run on a UNIX system to check the network interfaces for any that are in debug or promiscuous mode. This may be the sign of an intruder performing network monitoring to steal passwords and the like (see CERTdvisory CA-94:01).

Darren Reed, IP packet filter for SunOs
Abstract: If you have a multihomed Sun server/workstation (2 or more ethernet interfaces) which performs routing and wonder how you are meant to stop the problem with IP headers being forged with no router to help you, then this package will allow you to setup packet filters for each interface, much like those which can be setup in Ciscos and others. Packets going in, or out can be filtered. They can just be logged, blocked or passed. You can filter on any combination of TCP flags, the various ICMP types as well as the standard variations on IP

Darren Reed, IP Filter (A related WWW homepage exists for this item)
Keywords: Firewalls, IP filtering
Abstract: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. To use, it can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.

Darren Reed, Julian Assange, IP Filter (A related WWW homepage exists for this item)
Keywords: IP filter, tcp/ip, packet filter, firewall
Abstract: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. To use, it can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.

Gerhard Fuernkranz, ipacl
Abstract: SYSV.4 streams module that implements packet filtering within the kernel. Written by Gerhard Fuernkranz (

Danny Boulet, ipfirewall (A related WWW homepage exists for this item)
Keywords: packet filter, firewall
Abstract: ipfirewall is an IP packet filtering tool which is similar to the packet filtering facilities provided by most commercial routers. Once the facility has been installed on a host computer, the system administrator defines a set of blocking filters and a set of forwarding filters. The blocking filters determine which packets are to be accepted by the host. The forwarding filters determine which packets are to be forwarded by the host.

Darren Reed, IP Send -- A program to send nasty IP packets
Keywords: ip
Abstract: iptest basically does lots of nasty things, including attempting to send huge packets, etc. It does it using NIT/BPF and DLPI Only tested on Solaris, BSD and Linux

Christopher William Klaus, Internet Security Scanner (A related WWW homepage exists for this item)
Keywords: scanner, vulnerabilities, internet security
Abstract: Internet Security Scanner (ISS) is one of the first multi-level security scanners available to the public. It was designed to be flexible and easily portable to many unix platforms and do its job in a reasonable amount of time. It provides information to the administrator that will fix obvious security misconfigurations. ISS does a multi-level scan of security, not just searching for one weakness in the system. To provide this to the public or at least to the security conscious crowd may cause people to think that it is too dangerous for the public, but many of the (cr/h)ackers are already aware of these security holes and know how to exploit them.

Barry Jaspan, kerberos
Abstract: Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DEs DES.

Doug Hughes, Klaxon
Abstract: Here's a modification of rexec source that I call klaxon. It is extremely useful for detecting portscanner attacks like those perpetrated by ISS and SATAN, among others. It also has optional IDENT (RFC931) support for finding out the remote user (where applicable).

Eric Young, libdes, Version 3.00 93/10/07
Abstract: This kit builds a DES encryption library and a DES encryption program. It suports ecb, cbc, ofb, cfb, triple ecb, triple cbc and MIT's pcbc encryption modes and also has a fast implementation of crypt(3). It contains support routines to read keys from a terminal, generate a random key, generate a key from an arbitary length string, read/write encrypted data from/to a file descriptor. The implementation was written so as to conform with the manual entry for the des_crypt(3) library routines from MIT's project Athena.

Craig H. Rowland, Logcheck (A related WWW homepage exists for this item)
Keywords: audit, intrusion
Abstract: new software package for UNIX that automates log file auditing for unusual activity and security violations. This package works very well with Firewall Tool Kit from TIS, as well as stand-alone systems running the TCP wrapper and similiar utilities. This package is essentially a clone of the "" scripts from the TIS Gauntlet system, but has been _completely_ re-written and implemented in a slightly different manner to make it more generic for systems not running FWTK

Wietse Venema, logdaemon
Abstract: This archive contains the result of years of gradual transformations on BSD source. (1) rsh and rlogin daemons that log the remote user name and perform logging and access control in tcp/ip daemon wrapper style. (2) ftpd, rexecd and login software with fascist login failure logging and with support for optional S/Key one-time passwords., loginlog.c.Z
Abstract: A small program that tails the wtmp file and reports all logins to the syslogd. Written by Mark

Vic Abell, lsof
Abstract: Lsof version 3 lists open files for running UNIX processes. It is a descendent of ofiles, fstat, lsof version 1, and lsof version 2.

lucre, -lucre
Keywords: ecash, C library
Abstract: This is version 0.8.1 of -lucre (We pronounce it ``dash lucre''; you can pronounce it however you like), the Unofficial Cypherpunks Release of Ecash (or ``Coderpunks'', if you want). As the ``-l'' indicates, this is a C library that implements the protocols of DigiCash's ecash (version 1.8.5, the kind used by Mark Twain Bank, not EUnet). This is an ALPHA release. That is, future release may not even adhere to the same API. This library was developed for, and is provided for, research purposes; adjust your expectations of support accordingly. As far as we know, - -lucre will only work on Unix-style machines; it is unlikely that we will release a Windows or Mac version.

Jim Ellis, md5
Abstract: MD5 - New Message Digest Algorithm is a new message-digest algorithm.

The Regents of the University of California, md5check
Abstract: Check to see if existing binary files match their appropriate cryptographic signatures.

Zygo Blaxell, LRU /tmp garbage collector (A related WWW homepage exists for this item)
Keywords: LRU, garbage collector, daemon
Abstract: This script is designed to maintain a particular amount of free disk space on a partition by deleting files in a directory structure. For example, if you wanted to always have 3 free space in /tmp, use: filereaper 3 /tmp

Scott Leadley, Make shadow password file
Abstract: Script to set up shadow password files on Sun systems., MONKEY - MONitor s/keys
Keywords: s/key, skey, cracker, l0pht
Abstract: MONKEY is a program that works similarly in nature to Alec Muffet's CRACK. In essence it takes the md4 value in either HEX or English words and compares it to a dictionary. Once the secret password is known, one time password schemes based off of it are useless as the appropriate response can be generated based upon the current challenge.

Casper Dik, Enhanced mountd for Solaris 2.3
Abstract: This mountd for Solaris 2.3 does reserved port checking. As an added feature it also logs denied mount requests.

Matt Bishop, msystem.tar.Z
Abstract: The file msystem.c contains a version of system(3), popen(3), and pclose(3) that provide considerably more security than the standard C functions. They are named msystem, mpopen, and mpclose, respectively. While the author does not guarantee them to be PERFECTLY secure, they do constrain the environment of the child quite tightly, tightly enough to close the obvious holes.

Hobbit, Netcat software
Keywords: network, tool, debugging, exploration
Abstract: Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Perhaps some equivalent to netcat, or "nc" as I prefer to name the actual program, should have been written and distributed ten years earlier as another one of those cryptic but fundamental Unix tools that we all use daily without even thinking about it.

Texas A & M University, netlog
Abstract: An advanced network sniffer system to monitor your networks. These programs are a part of the network security system used by Texas A&M University. It can be used for locating suspicious network traffic. The following programs are included: tcplogger - Log all TCP connections on a subnet udplogger - Log all UDP sessions on a subnet extract - Process log files created by tcplogger or udplogger netwatch - Realtime network monitor All three programs require an ANSI C compiler. Tcplogger and udplogger use the SunOS 4.x Network Interface Tap (nit).

Laurent Demailly, Icmpinfo
Abstract: icmpinfo is a tool for looking at the icmp messages received on the running host. The source code is written by Laurent Demailly, and comes from a heavily modified BSD ping source; it comes AS IS - no warranty, etc...

Mike Schulze, Craig Farrell, Network monitoring and visualisation tools
Abstract: A set of tools which may be used to monitor and "display" network communications. Two of the tools provide a real-time picture of network communications, while the other provides retrospective packet analysis. The tools: Etherman is an X11 based tool which displays a representation of real-time Ethernet communications. Interman focusses on IP connectivity within a single segment. Packetman is a retrospective Ethernet packet analyser. Loadman is a network load monitor which utilises the loadring algorithm developed by Jeff Mogul at DEC Western Research Labs. Geotraceman is a Visual Traceroute tool which build on traceroute developed by Van jacobson at Lawrence Berkeley Labs. Analyser is a network segmentation tool which recommends LAN partitioning configurations and visualises them.

Vikas Aggarwal, Network Operation Center On-Line (NOCOL)
Abstract: NOCOL (Network Operation Center On-Line) is a network monitoring package that runs on Unix platforms. It can monitor various network variables such as ICMP or RPC reachability, nameservers, ethernet load, port reachability, host performance, SNMP traps, modem line usage, appletalk & novell routes and services, BGP peers, etc. The software is extensible and new monitors can be added easily.

Leendert van Doorn, Test hosts for well known NFS problems/bugs
Abstract: Test hosts for well known NFS problems/bugs. Among these tests are: find world wide exportable file systems, determine whether the export list really works, determine whether we can mount file systems through the portmapper, try to guess file handles, excercise the mknod bug, and the uid masking bug.

David A. Curry, Jeff Mogul, nfswatch
Abstract: It lets you monitor NFS requests to any given machine, or the entire local network. It mostly monitors NFS client traffic (NFS requests); it also monitors the NFS reply traffic from a server in order to measure the response ti

Michele D. Crabb, noshell
Abstract: This program is designed to provide the system administrator with additional information about who is logging into disabled accounts. Traditionally, accounts have been disabled by changing the shell field of the password entry to "/bin/sync" or some other benign program. Noshell provides an informative alternative to this method by specifying the noshell program as the login shell in the password entry for any account which has been disabled.

David Koblas, Op
Abstract: Op is a tool designed to allow customizable super user access, you can do everthing from emulating giving a super user shell for nothing to only allowing one or two users access via login names, or special passwords that are neither root, nor their own. Plus, as an added bonus, for those commands that you would like users to be able to use, but need to place restrictions on the arguments, you can configure that as well. (ie. if you want your users to be able to mount NFS file systems).

Mike Neuman, osh
Abstract: The Operator Shell (Osh) is a setuid root, security enhanced, restricted shell for providing fine-grain distribution of system privileges for a wide range of usages and requirements.

Anders Ellefsrud, passwdd
Abstract: This package consists of two parts. One server based passwd/chsh/chfn replacement, and a server based /etc/group editor which gives each and every user the ability to privately manage one group on his own.

Clyde Hoover, npasswd
Abstract: Npasswd is a pretty-much-plug-compatable replacement for passwd(1). This version incorporates a password checking system that disallows simple-minded passwords., Generate (pseudo)random TCP sequence numbers
Abstract: Here's something I concocted for sun4c machines under SunOS 4.1.2; I believe it should work for any 4.1.x system, possibly with minor tweaks. It treats tcp_iss as a CRC accumulator into which it hashes every IP output packet. This is perhaps not as strong as it might be, but it's a hell of a lot better than what we used to have, and if the machine is at all busy on the network the attacker faces essentially random sequence numbers. (Perhaps I should also call uniqtime and hash that in too.) It does cost some cpu cycles for each output packet, it's true. Nobody has to run it. This is designed to be dropped into some two-level directory under /sys. I use /sys/local/OBJ; you can move it anywhere you like by changing the path in the Makefile that fetches ip_output out of the OBJ directory. You will need to do this anyway if you're building for other than sun4c kernel architecture., Permissions
Abstract: In a basic BSD environemt only three utilities let people onto a machine: login, rshd, and ftpd. These three programs are modified to check a YP map called 'permissions' which determines whether a person is allowed to login. Control over login is given based on four parameters: hostname, ttyname, login, and groups.

Ray W. Hiltbrand, Doug Hughes, Paul Danckaert, Pierre Beyssac, phf prober perl script (A related WWW homepage exists for this item)
Keywords: phf, cgi
Abstract: phf perl script is used to try to find out as much information from the person calling the script as possible. The only reason for using phf on the system is to exploit a bug to execute commands.

Wietse Venema, Portmap v3 (A related WWW homepage exists for this item)
Keywords: portmapper, tcp wrapper, SunOs, access control, logging
Abstract: This is the 3rd enhanced portmapper release. The code compiles fine with SunOS 4.1.x, Ultrix 4.x and ESIX System V release 4.0, but it will work with many other UNIX flavours. Tested with SunOS 4.1.1; an earlier version was also tested with Ultrix 3.0. SysV.4 uses a different program that the portmapper, however; rpcbind is the name, and it can do much more than the old portmapper. This is a portmapper replacement with access control in the style of the tcp wrapper (log_tcp) package. It provides a simple mechanism to discourage access to the NIS (YP), NFS, and other services registered with the portmapper. In some cases, better or equivalent alternatives are available: The SunOS portmap that is provided with patch id 100482-02 should close the same security holes. In addition, it provides NIS daemons with their own access control lists. This is better than just portmapper access control. The "securelib" shared library ( implements access control for all kinds of (RPC) services, not just the portmapper. Reportedly, Irix 4.0.x already has a secured portmapper. However, many vendors still ship portmap implementations that allow anyone to read or modify its tables and that will happily forward any request so that it appears to come from the local system.

Michael Shields, Portable, secure, public domain passphrase generator
Keywords: passphrase, generator, password
Abstract: ppgen generates passphrases using strings of words, long enough to have an arbitrary level of entropy. It can use any dictionary and the best available source of randomness, including PGP's cryptographic RNG if you have version 2.6.2. It is written in portable C, and it is fairly fast.

H. Morrow Long, TCP port probing program
Abstract: A TCP port probing program. It is fairly self-explanatory. It is known to work on Unix workstations but the C code should be fairly portable.

Don Libes, pwdiff
Abstract: Pwdiff takes multiple password files and compares them in an intelligent way. For instance, it will report on different names with the same uid, but let pass the same name with the same uid.

Livingston Enterprises Inc., Remote Authentication Dial In User Service (A related WWW homepage exists for this item)
Keywords: authentication, UNIX tool, remote network access, dial in
Abstract: Every time a modem is added to a computer or communications server on a corporate network, that network becomes more vulnerable to security breaches. Network Administrators are left with few tools to guard against break-ins. State of the art security systems generally require special hardware or are only compatible with a small number of products. This problem is multiplied several times in large networks with many points of access.

Michele D. Crabb, Raudit
Abstract: raudit is a Perl script which audits each user's .rhosts file and reportson various findings. Without arguments raudit will report on the total number of rhosts entries, the total number of non-operations entries (entries for which the hosts is listed in the /etc/hosts.equiv file, the total number of remote entries (entries for which the host is a non-NAS host. raudit will also report on any entries which may be illegal. An entrie is considered illegal if the username does not mach the username from the password file or if the entry contains a "+" or a "-". Raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).

James Seng, Logging fingerd in PERL
Keywords: fingerd, loggin, rfc931
Abstract: This finger deamon is written in perl to do addition logging into a file called /var/log/trap/fingerd. It contain additional information like who is at the other end of the connect (via rfc931 : read authuser), who does he/she finger and any other information which his send through the finger port. It is programmed to deny chain fingering, and stop immediately if it detects special symbol like "|<>..." in the input stream. It can be easily modified to filter out information, deny fingering of certain person, deny fingering from certain host, filter finger information etc without the trouble of recompilation since it is written in perl.

Sun Microsystems, rpc.pcnfsd
Abstract: New RPC PC NFS daemon.

Wietse Venema, Rpcbind
Abstract: This is an rpcbind replacement with access control in the style of the tcp/ip daemon wrapper (log_tcp) package. It provides a simple mechanism to discourage remote access to the NIS (YP), NFS, and other rpc services. It has the following featuers: - host access control on IP addresses. The local host is considered authorized. Host access control requires the libwrap.a library that comes with recent tcp/ip daemon wrapper (log_tcp) implementations. - requests that are forwarded by the rpcbind process will be forwarded through an unprivileged port. - the rpcbind process refuses to forward requests to rpc daemons that do (or should) verify the origin of the request: at present, the list includes most of the calls to the NFS mountd/nfsd daemons and the NIS daemons.

Mark Riordan, Rabin Privacy Enhanced Mail(RPEM)
Abstract: This distribution makes available a (nearly) public-domain public key encryption system. Included are functions implementing the algorithm, functions implementing related capabilities (including a DES implementation for recipients in the USA), and a program, rpem, that implements a simple Privacy Enhanced Mail system. The principal applications provided are: rpem - program to encrypt a file into an encapsulated, printable form suitable for inclusion into a mail message. The program is somewhat compatible with RFC 1113. (I couldn't make it completely compatible because I am not using RSA or RSA-style certificates.) makerkey - program to create public keys (both public and private components) for use with rpem. There are also some miscellaneous applications thrown in for your interest.

Wietse Venema, Eindhoven University of Technology, fake-rshd
Abstract: Echo the specified arguments to the remote system after satisfying a minimal subset of the rshd protocol. Works with the TCP Wrapper to send an arbitrary message back to someone trying to make an rsh/rlogin connection.

Lionel Cons, Rsucker
Abstract: A perl scirpt that acts as a fake r* daemon and log the attempt is syslog. Byte sucker for r* commands.

CIAC, Courtney (A related WWW homepage exists for this item)
Keywords: SATAN, Courtney, Network Scanning
Abstract: Courtney

Unknown, screend
Abstract: Internet (IP) gateway screening daemon that is used in conjunction with the gateway screen facility to decide which IP packets should be forwarded, when the system is acting as an IP gateway.

David Safford, Secure_Sun - Check/Fix Fourteen Common Sun Security Holes
Abstract: This program checks for 14 common SunOS configuration security loopholes. It has been tested only on SunOS4.0.3 on Sun4, Sun3, and Sun386i machines. Each test reports its findings, and will offer to fix any problem found. The program must be run as root if you want it to fix any of the problems, But it can be run from any account if you reply \'n\' to any fix requests.

William LeFebvre, securelib
Abstract: This package contains replacement routines for these three kernel calls: accept, recvfrom, recvmsg. These replacements are compatible with the originals, with the additional functionality that they check the Internet address of the machine initiating the connection to make sure that it is "allowed" to connect.

Nate Sammons, Security Scanner for IRIX on SGIs (A related WWW homepage exists for this item)
Keywords: scanning, vulnerabilities, IRIX, SGI
Abstract: This tools performs a variety of checks on SGI machines running IRIX for potential security vulnerabilties. It looks for such common vulnerabilities as exporting file-systems read-only, sendmail bugs, suid scripts and YP problems. It checks for problems reported in CERT advisories.

Laurent Demailly, sfingerd
Abstract: sfingerd is a secure replacement for the standard unix finger daemon. The goal is to have the smallest and safest code.

Marc Chatel, S4 Kit - The Secure System Setup Script
Keywords: secure systems
Abstract: the ultimate goal of S4 is to be a complete system security solution that can be installed quickly over a large number of machines. A lot of good tools and techniques exist now, but sysadmins everywhere are constantly asked to do more work in less time, and cannot reasonably be expected to install by hand 32 security tools. Anything that contributes to achieve this goal is good. The current S4 kit includes no binaries and compiles everything as it goes. An important change to be done in future versions of S4, for example, is to ALSO include binaries so that a sysadmin can reduce install time by choosing not to compile selected tools.

Chiaki Ishikawa, showid
Keywords: set UID, UID, SUID, GID
Abstract: This is a tool for examining the effective and actual user id and group id of a program once it is executing.

Neil M. Haller, Philip R. Karn, skey
Abstract: The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/reply attacks.

Eric Allman, smrsh
Abstract: smrsh is a restricted shell utility that provides the ability to specify, through a configuration, an explicit list of executable programs. When used in conjunction with send mail, smrsh effectively limits sendmail's scope of program execution to only those programs specified in smrsh's configuration.

Xerox Corp., Snefru 2.5
Abstract: This is an implementation of Snefru. Snefru is a one-way hash function that provides authentication. It does not provide secrecy.

Marshall T. Rose, SNMP-UPGRADE
Abstract: This work was partially supported by the U.S. Defense Advanced Force Systems Command under contract number F30602--88--C-0016.The content of the information contained herein does not necessarily reflect the position or the policy of the U.S.Government, and no official endorsement should be inferred. The purpose of this paper is simply to point out where you can find the various components in the 4BSD/ISODE SNMP package.

Dan Bernstein, Snuffle
Abstract: Snuffle - generic hash-based encryption and decryption programs snuffle and unsnuffle turn any good one-way hash function (such as Merkle's Snefru) into a reasonably fast private-key encryption method. You must have Snefru, or something providing the same Hash512() interface, for snuffle and unsnuffle to work. Past that, snuffle and unsnuffle should be perfectly portable.

David Koblas, Ying-Da Lee, socks
Abstract: SOCKS is a package that allows hosts behind a firewall to gain full access to the Internet without requiring direct IP reach ability. It works by redirecting requests to talk to Internet sites to a server, who authorizes the connection and passes data back and forth.

Thomas Koenig, Ssh (Secure Shell) FAQ - Frequently asked questions (A related WWW homepage exists for this item)
Keywords: secure shell, encryption, faq
Abstract: Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

Julian Assange, STROBE v1.01 Super Optimised TCP port surveyor
Abstract: strobe is a security/network tool that locates and describes all listening tcp ports on a (remote) host or on many hosts in a bandwidth utilisation maximising, and pro- cess resource minimising manner., CU version of sudo, release 1.3.1
Abstract: Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. The purpose of sudo is to make make super-user access easier, self-documenting and controlled. The sudo control file is called /usr/local/adm/sudoers. You were given 'all' permissions which means you have unlimited super-user access. You may have already been given a lecture at some point as to the moral and social etiquette that you should observe as a super-user. With super-user permissions, It is possible to do great damage by accident. Use extra premeditation before doing anything. Some famous sudo boo-boo's include removing /etc or killing init. Lots of fun. With super-user permissions you may look at any file you wish. Resist all temptation to look in other people's personal files. Even if they haven't locked them up properly.

Wietse Venema, surrogate-syslog
Abstract: For systems that have no syslog library. This version logs directly to a file (default /usr/spool/mqueue/syslog). The fake syslog that comes with nntp seems to be OK, too.

Todd Atkins, swatch
Abstract: A simple watcher that is designed to monitor system activity.

James W. Abendschan, Synsniff (A related WWW homepage exists for this item)
Keywords: intrusion detection, port scan detector
Abstract: Monitors incoming SYN packets and flags connections that come from a non-local network. Useful for catching intrusion attempts. (requires tcpdump)

Simon Ney, STREAMS pushable-module/driver tap.
Abstract: This is the STREAMS pushable-module/driver tap. - this driver is a kernel-loadable-module. (==>no reboot required) - it is a combination of a STREAMS-module and a STREAMS-driver. - the pushed-tap-module pass all downstream M_DATA messages comming from above to the tapc0-driver upstream on the read-side. and all upstream M_DATA message comming from below to the tapc1-driver upstream on the read_side. - all messages coming downstream from the tapc?-driver are discarded.

Wietse Venema, tcp_wrappers
Abstract: With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

Laurence Berkeley Laboratory Network Research Group, TCP Dump
Keywords: tcp, probe
Abstract: This directory contains source code for tcpdump, a tool for network monitoring and data acquisition. The original distribution is available via anonymous ftp to, in tcpdump-*.tar.Z.

G. Paul Ziemba, tcpr
Abstract: Tcpr is a set of Perl scripts that enable you to run ftp and telnet commands across a firewall. Forwarding takes place at the application level, so it's easy to control.

Mike Ryan, tcpshow v1.0
Keywords: tcpdump
Abstract: Quickie to decode a "tcpdump" savefile. The application data is displayed as ASCII -- application protocols are not decoded. The data captured by "tcpdump" might be less than in the original packet. We kludge a solution to this with setjmp()/longjmp(). Although written to read tcpdump savefiles, with tcpdump itself as a front-end, it'll decode any hex dump that adheres to the format expected. Some programs which capture network data offer an option to save the trace to a file in hex format -- this can often be massaged easily with Perl/awk/sh scripts to turn it into the format expected. As a special case, "tcpdump -s 1518 -lenx | tcpshow -cooked" works rather well, and "tcpdump -s 1518 -lenx | tcpshow -cooked -data" is nice for watching the data traffic in real time.

Scott M. Ballew, TCP/IP Trivial File Transfer Protocol server
Abstract: This version of tftpd is hacked from the 4.3 Reno tftpd. The author modified original source code since all of the versions that did a chroot() were unable to then syslog who got what file because of a rather obnoxious subtlety in the way 4.3 syslog works. This version has the following improvements: - chroot() to a restricted subdirectory - syslog() all accesses (and failures) to include the accessor, the file, and the access type (read or write), even when chroot() was in effect - have the ability to control which files or subdirectories of the tftp directory were accessible to which clients based on the incoming IP address

Doug Schales, tiger
Abstract: 'tiger' is a set of scripts that scan a Un*x system looking for security problems, in the same fashion as Dan Farmer's COPS. 'tiger' was originally developed to provide a check of UNIX systems on the A&M campus that want to be accessed from off campus (clearance through the packet filter).

Doug Hughes, tklogger (A related WWW homepage exists for this item)
Keywords: logging, audit, Tk
Abstract: A utility for watching logs. It's all in tcl/tk it's easily extensible to do what you want. Watches the logs generated by the tcp wrapper and displays changes in multiple colors in real time.

Doug Hughes, tocsin - TCP SYN probe detection tool (A related WWW homepage exists for this item)
Keywords: TCP, SYN, probe, network monitor
Abstract: In light of the recent revival of interest in the TCP SYN probe that were undetected by conventional daemon means (e.g. klaxon), I wrote a promiscuous network monitor that runs as a packet filter and will catch any packet on the network that matches services that are given to the program as command line arguments. So far it runs on SunOS4.1.X (NIT) and Solaris2.X(DLPI). Individuals interested in running it on other architectures would need to do some porting. The DLPI code should be portable to other DLPI implementations. On SunOS and Solaris all you have to do is type Make. The README explains options, history, and implementation.

Tom Limoncelli, Alphanumeric pager via email
Abstract: "tpage" or "Tom's Pager System" is a set of programs that let you send messages to alpha-numeric pagers using the "IXO" protocol. It supports a dialing directory, a "who's on duty now" schedule, and can do special tricks with RFC822-format email. The system has the following features: ...sends pages to any pager system that supports the IXO protocol. ...additional protocols can be added. (I'll write the touch-tone protocol soon). ...can parse email messages and extract the interesting info from them resulting in shorter messages. ...can copy it's input to stdout and therefore can be used as a "tee". ...maintains a directory of people's phone numbers/PINs. ...can page "the person on duty" (searches a schedule). ...schedule can have slots that are empty, but find someone anyway if the message is marked "urgent". ...with programs like procmail, permits you to send certain email messages to your pager. ...a list of modems can be given to the daemon.

Van Jacobson, Traceroute - Tracing IP packet routes
Keywords: network, IP routing
Abstract: Traceroute is a system administrators utility to trace the route ip packets from the current system take in getting to some destination system. See the comments at the front of the program for a description of its use. This program a) can only be run by root (it uses raw ip sockets). b) REQUIRES A KERNEL MOD to the raw ip output code to run.

Danny Mitzel, TCP Traffic Monitoring Software
Abstract: The research we are currently pursuing involves characterizing the communication patterns of applications which use the TCP transport protocol. This analysis requires information from the IP and TCP network headers. We are currently pursuing collection of this type of data at several different Internet sites. Two programs are used in the data collection process. Collect is a shell script which invokes the tcpdump program to collect the IP and TCP headers of packets denoting the start and end of a TCP conversation (packets having the TCP SYN, FIN, or RST flag set). Tcpdump uses the Sun Network Interface Tap (NIT) streams module in promiscuous mode to collect packets on a Ethernet. The collected packets are passed through a filter function, to collect only the desired packet headers [I'd like to thank Vern Paxson at LBL for his tcpdump help, especially the AWK scripts he provided to parse the tcpdump output]. It is important that the collection routine be run on a machine on the ethernet segment connected to the sites internetwork gateway, so that all internet packets can be observed.

David A. Curry, trimlog
Abstract: Trimlog is used to trim system log files to keep them from growing without bound. When invoked, it reads commands from the file which tell it which files to trim, how to trim them, and by how much they should be trimmed.

Bruce Barnett,
Abstract: is a trojan horse checking program. It examines your searchpath and looks at all of the executables in your searchpath, looking for people who can create a trojan hource you can execute.

Mike Neuman, ttywatcher 1.0 (A related WWW homepage exists for this item)
Keywords: monitor ttys, control ttys
Abstract: TTY-Watcher is a utility to monitor and control users on a single system. It is based on our IP-Watcher utility, which can be used to monitor and control users on an entire network. It is similar to advise or tap, but with many more advanced features and a user friendly (either X-Windows or text) interface. TTY-Watcher allows the user to monitor every tty on the system, as well as interact with them by: to the real owner of the TTY without interfering with the commands he's typing. The message will only be displayed on his screen and will not be sent to the underlying process. Aside from monitoring and controlling TTYs, individual connections can be logged to either a raw logfile for later playback (somewhat like a VCR) or to a text file.

Tom Fitzgerald, UDP packet relayer
Abstract: This package consists of 2 components. udprelay is a daemon process which runs on a bastion system and forwards UDP packets in and out of a firewalled network, as directed by a configuration file. Rsendto.c provides routines Rsendto and Rrecvfrom, which allow tunnelling through the bastion to arbitrary outside hosts. Rsendto/Rrecvfrom communicate with udprelay using UDP packets encapsulated in a wrapper that includes the address of the remote host/port to transfter traffic to.

Michael Glad, UFC-crypt: ultra fast 'crypt' implementation
Abstract: This crypt implementation plugin compatible with crypt(3)/fcrypt, Extremely highperformance when used for password cracking. Portable to most 32 bit machines, startup time/mixed salt performance not critical, uuns 25-45 times faster than crypt(3) when invoked repeated times with the same salt and varying passwords. With alternating salts, performance is only about 4 times that of crypt(3). Tested on 68000,386,SPARC,MIPS,HP-PA and RS/6000 systems, it Requires 280 kb for tables.

Robert Morris Jr., The Internet Worm Source Code
Abstract: This is a decompiled C version of the infamous Internet Worm released in November 1988. It's not very readable, thankfully so!

der Mouse, X Connection Monitor
Abstract: This program monitors X connections: - It uses RFC931 to display usernames, when the client host supports RFC931. - It allows the user to freeze (and unfreeze) connections, or kill them, independent of the client, and very importantly independent of the server. The KillClient request can be used to forcibly disconnect a client from the server, but only if the client has created a resource, which (for example) neither xkey nor xcrowbar does. - It monitors the connection, and if it sees certain dubious requests (currently configurable only by hacking on the source), it pops up a little menu with which the user can allow the request, have it replaced with a NoOperation request, or kill the connection. The dubious requests are, at present, requests to change the host access list, requests to enable or disable access control, and ChangeWindowAttributes requests operating on non-root windows not created by the same client.

Chuck Murcko, xinetd v2.1.4
Keywords: inetd
Abstract: Xinetd is an inetd, /tcp_wrapper that also adds many other features, including UDP service access logging, verification, and control. It was originally written for SunOS and Ultrix operating systems. The current version is 2.1.4-OS.3, where OS is one of the mentioned OSs..

Matthew Scott, Yppapasswd
Abstract: Yppapasswd is designed to do proactive password checking based upon the passwd program given in the O'Reilly book on perl (ISBN 0-937175-64-1). This program has a subroutine called 'goodenough' that can easily be extended to perform any type of password checks that you feel are necessary, that aren't already being done. Yppapasswd extends this program to be used with Network Information System (NIS). To accomplish this there is a daemon, yppapasswdd that runs on the NIS master in replacement of yppasswdd. Yppapasswd supports -f and -s options that change finger and shell information. This also works across the NIS domain so that you do not have to be on the NIS master server to change your passwd info.

Rob J. Nauta, YPX - A utility to transfer NIS maps beyond a local (broadcast) network.
Abstract: ypx is a utility to transfer a NIS map from any host running a ypserv daemon. ypx is similar to ypcat, with some additions. To be able to transfer a map, a domainname must be specified. There unfortunately is no way to ask the remote host about its domainname, so it must be known already or guessed to transfer a map successfully. If none is specified, the hostname of the remote host is used as the domainname. ypx is able to guess at the remote domainname, by trying parts of the hostname, if guessing is enabled with the -g option. If the -s option is used, ypx will connect to the sendmail daemon, read the hostname, and parse that too, to be used as additional guesses. Finally, any additional strings on the commandline will be added to the list of domainname guesses.

RokK Industries, Zap
Abstract: This program will fill the wtmp and utmp entires corresponding to the entered Username. It also Zeros out the last login data for the specific user, fingering that user will show 'Never Logged In'.

Patrick Powell, LPRng - An Enhances Printer Spooler (A related WWW homepage exists for this item)
Keywords: print spooler, LPR, Kerberos V, PGP authentication
Abstract: The LPRng sofware is an enhanced, extended, and portable implementation of the Berkeley LPR print spooler functionality. While providing the same interface and meeting RFC1179 requirements, the implementation is completely new and provides support for the following features: lightweight (no databases needed) lpr, lpc, and lprm programs; dynamic redirection of print queues; automatic job holding; highly verbose diagnostics; multiple printers serving a single queue; client programs do not need to run SUID root; greatly enhances security checks; and a greatly improved permission and authorization mechanism. For users that require secure and/or authenticated printing support, LPRng supports Kerberos V and/or PGP authentication methods. Additional authentication support is extremely simple to add.


O Built by Mark Crosbie and Ivan Krsul.

Security Archive Page Security Archive Homepage.

COAST Homepage COAST Project (CERIAS)Page.

Purdue CS Homepage Purdue CS Dept page. (COAST Security Archive)