[ISN] Announce: Ballista 2.4 Beta 2

From: mea culpa (jerichot_private)
Date: Wed Apr 22 1998 - 15:11:21 PDT


    Forwarded From: Oliver Friedrichs <olivert_private>
    
    
    Beta 2 of Ballista 2.4 is now available.  Ballista 2.4 Beta 1 contained
    several problems which are now resolved; these include:
    
     - Scanner was hanging at startup on some systems; it was not
       possible to complete a scan.
     - Numerous Motif GUI fixes (checking for valid values and entries)
     - Numerous NT GUI fixes
     - Re-addition of differential reporting to report generation
     - Reporting feature additions
    
    Updated release notes for 2.4 follow.  Ballista 2.4 Beta 2 is available
    via your account on update.secnet.com in the directory /ballista/2.4beta2
    
    Please report any and all problems.
    
    
                    Ballista Security Auditing System v2.4
                                Release Notes
    
    Index
    
    1.  Ballista for Windows NT
    2.  Ballista for UNIX platforms
    3.  Enhanced reporting functionality
    4.  Known problems
    
    
    1.  Ballista for Windows NT
    
     The 2.4 release of BallistaNT incorporates new modules, in addition to
     several key features within the user interface and enhanced reporting
     functionality.  The enhanced reporting functionality is also present in
     the Ballista 2.4 release for UNIX, and is described in section ii.
    
     In addition to new modules, BallistaNT incorporates integrated password
     cracking within the interface, allowing cracking of Windows NT and UNIX
     password files which have been retrieved from the remote host.  Also
     provided is the "smbgrind" utility, allowing parallel password cracking
     against CIFS servers without running a complete scan.  These features
     were present in the Ballista 2.3 release for UNIX.
    
     The spinning Ballista logo can be turned off by clicking on the logo
     during the course of a scan, if desirable.
    
     For a complete listing of new modules, see section iv.
    
    
    2.  Ballista for UNIX platforms
    
     The 2.4 release of Ballista for all supported UNIX platforms contains
     significant changes to the underlying database structure used to retrieve
     and store vulnerability information.  This change provides much needed
     flexibility for enhanced reporting functionality (described in section
     iii.).
    
     Database information is now stored in a new database, utilizing additional
     files for indexing.  Database files now consist of the suffixes .dat and
     .idx for each database.  The .db extension is no longer used in any
     configuration or command line options.  To change database names, simply
     specify the desired prefix, for example "results".
    
     The Ballista vulnerability database now consists of the following files:
    
     "vulndata.dat"
     "vulndata.idx"
    
     Results gathered from a scan are now stored in a database consisting of the
     following names:
    
     "sessions.dat"
     "sessions.idx"
    
     This database contains a list of "sessions", or different scans which
     have been performed.  These files can be removed to clean out the list of
     previous scans.
    
     "results.dat"
     "results.idx"
     "results_hosts.dat"
     "results_hosts.idx"
    
     The "results" database contains a listing of vulnerabilities found during
     the course of the scan, while the "results_hosts" database contains the
     hosts which were scanned.  If moving database files from system to system,
     all of these files should be copied to successfully generate a report.
    
     Note that the "results" prefix is the default, and will change if the
     configured database name is changed.
    
     In addition to enhanced database support, Ballista for UNIX platforms also
     contains additional modules, described in section iii. below.
    
    
    3.  Enhanced reporting functionality
    
     Ballista 2.4 introduces a range of new features allowing granular
     reporting and statistical graphing.  With the integration of the new
     database system, verbose output descriptions of modules are now separated
     into distinct categories, allowing the user to generate customized reports,
     displaying only desired information on a vulnerability.  The report
     information for each vulnerability is split into a number of categories
     as follows:
    
       verbose     - the normal verbose vulnerability description explaining
                     the problem.
       security    - security concerns of this vulnerability, and why the user
                     should be worried about it.
       suggestions - suggestions on how to fix the vulnerability.
       reproduce   - description of how to reproduce the vulnerability if it is
                     easily reproducible.
       tech        - detailed technical description of the attack for technical
                     users.
       references  - references and patch information for the specified
                     vulnerability.
       manager     - a managerial description of the vulnerability, for
                     non-technical users.
       risk        - the risk factor of the problem, and how significant the
                     problem is.
    
     Items to include in the report can be selected by the user from any of the
     graphical user interfaces (this functionality is not supported in the
     ncurses interface).  These options may also be specified on the command
     line to the "repgen" program which generates the reports.
    
     Ballista 2.4 also provides graphical Java reporting on a number of
     statistics related to the selected scan.  These statistics include:
    
       risk factors      - A graph of risk factor coverage of the entire scan, 
                           displaying the number of low, medium and high risk
                           vulnerabilities.
    
       active services   - A graph of active services across the network.
                           Easily view the number and types of services which
                           are present on the network.
    
       operating systems - A graph of the operating system types present on the
                           scanned network.  View the number and type of
                           operating systems present on the network.
    
     Java graphing can be selected via any of the graphical user interfaces
     supported by Ballista (except the ncurses interface).  Java graphing
     is only applicable when generating an HTML report, and can also be
     selected via a command line to the "repgen" report generator.
    
    
    iv. New Modules
    
     Ballista 2.4 now contains over 320 modules.  A number of new modules
     (totalling 20) have been added to the Ballista version 2.4 release.
     The modules are enumerated below.
    
         Solaris in.rlogind FTP bounce check - A vulnerability in Solaris
         in.rlogind daemon can allow an attacker to obtain access to the
         target system by utilizing the FTP daemon to come from a privileged
         port.
    
         rpc.statd buffer overflow - A buffer overflow in the rpc.statd daemon
         can allow an intruder to obtain remote root access to the target
         system.
    
         rpc.statd bounce test - A vulnerability in rpc.statd allows an attacker
         to bounce RPC calls through the rpc.statd daemon, appearing as though
         they are originating from the local system.
    
         Solaris automountd test - A vulnerability in the automount daemon can
         allow an attacker to execute arbitrary commands on the remote host.
    
         S/Key presence test - This module determines if the target host is
         utilizing S/Key for one time password logins.
    
         Portmap register via callit() - This module determines if an attacker
         is able to register or unregister services through a vulnerability in
         the portmap daemon, which forwards requests.
    
         Teardrop 1 - This module checks for the denial of service attack known
         as Teardrop, which allows a malicious user to crash the target system.
    
         Teardrop 2/Bonk - This module checks for a variation of the Teardrop
         attack, which allows a malicious user to crash the target system.
    
         Ascend Name Gathering - This module determines whether the target host
         is an Ascend router, and whether it responds to a specially crafted
         packet being sent to the discard port (port 9).
    
         Ascend SNMP config file - This module determines whether an attacker
         can obtain the configuration file from an Ascend router via the default
         write community name.
    
         Ascend SNMP config file full - This module prints out passwords which
         have been obtained from the configuration file of a remote Ascend
         router.
    
         Ascend Discard port DOS - This module determines whether the target
         Ascend router is vulnerable to a denial of service attack by sending
         a specially crafted packet to the discard port.
    
         Cisco 760 series DOS - This module checks for a buffer overflow
         vulnerability in Cisco 760 series of routers.  By sending an overly
         long password string, it is possible to overflow a buffer within the
         router, causing it to crash.
    
         Seattle Labs / IMail overflow - This module checks for a buffer
         overflow in the VRFY function of these mailers, allowing a user to
         crash the mail server, and potentially exploit the mail server to
         execute commands.
    
         Unpassworded Wingate server - This module checks for Wingate servers
         which are unpassworded and provide gateway access to any user.
    
         Netscape Fastrack server "get" - This module checks for a
         vulnerability in the Netscape Fastrack server whereby issuing a
         lowercase "get" request provides a listing of files available on
         the remote server.
    
         IRIX webdist.cgi - This module checks for a vulnerability in
         /cgi-bin/webdist.cgi which is shipped with IRIX by default, and allows
         execution of arbitrary commands.
    
         Unpassworded Ascend router - This module checks for the target Ascend
         device being configured without a password, allowing anyone access to
         configure the device.
    
         Unpassworded Netopia router check - This module determines whether the
         target Netopia router is unpassworded, and allows anyone access to
         configure the device.
    
         NTP server check - This module polls the remote host's NTP server
         (Network Time Protocol) for various information that can be obtained
         via NTP.  This information includes system memory statistics, IO
         statistics and system statistics.
    
    4.  Known problems
    
    i.  Running Ballista on an NFS mounted partition.  Ballista utilizes a
        database system which requires file locking.  Over some combinations
        of operating systems, file locking is not implemented over NFS.
        A known combination where Ballista will not work correctly is when
        mounting a file system from a BSD system to a Solaris system and
        attempting to run Ballista on the Solaris system.  BSD does not
        implement network file locking for NFS, therefore the Solaris
        system will attempt to lock the file, and the program will hang.
    
        As a workaround, ensure that Ballista is installed on a local
        partition if you encounter this problem.
    
        Running Ballista on a BSD system from an NFS mounted partition
        which is mounted from a BSD system WILL work.  Running Ballista on
        a Solaris system from an NFS mounted partition from a Solaris system
        will also work.
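The hang described in the known problem above (a database that needs POSIX record locks, run from an NFS mount whose server never services lock requests) can be detected before a scan is started. The following pre-flight check is an added example, not code from Ballista or from the original post: `check_file_locking` is a hypothetical helper that takes a write lock on a probe file in the install directory and gives up after a timeout instead of blocking forever. It also treats ENOLCK as "locks unusable", an immediate-failure variant the post does not mention.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical pre-flight check (not part of Ballista): take a POSIX record
 * lock on a probe file inside `dir`, giving up after `timeout_secs` so a
 * broken NFS locking setup is reported instead of hanging the program. */
static void on_alarm(int sig) { (void)sig; }  /* exists only to interrupt F_SETLKW */
/* 1 = locking works, 0 = request hung or locks unavailable, -1 = other error */
int check_file_locking(const char *dir, unsigned timeout_secs)
{
    char path[4096];
    struct flock fl;
    struct sigaction sa, old;
    int fd, rc, saved;
    snprintf(path, sizeof path, "%s/.lockprobe.%ld", dir, (long)getpid());
    fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;          /* no SA_RESTART: fcntl fails with EINTR */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, &old);

    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;               /* exclusive lock on the whole file */
    fl.l_whence = SEEK_SET;
    alarm(timeout_secs);
    rc = fcntl(fd, F_SETLKW, &fl);     /* blocks indefinitely if lockd never answers */
    saved = errno;
    alarm(0);
    sigaction(SIGALRM, &old, NULL);

    if (rc == 0) { fl.l_type = F_UNLCK; fcntl(fd, F_SETLK, &fl); }
    close(fd);
    unlink(path);
    if (rc == 0) return 1;
    if (saved == EINTR || saved == ENOLCK) return 0;  /* unusable: install locally */
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    int r = check_file_locking(argc > 1 ? argv[1] : "/tmp", 5);
    printf("file locking %s\n", r == 1 ? "works" : r == 0 ? "unusable" : "error");
    return r == 1 ? 0 : 1;
}
```

Run it with the Ballista install directory as the argument; a non-zero exit means the database should be moved to a local partition, as the workaround above suggests.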
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Dimensional Communications (www.dim.com)
    