Forwarded From: Oliver Friedrichs <olivert_private>

Beta 2 of Ballista 2.4 is now available. Ballista 2.4 Beta 1 contained several problems, which are now resolved. These include:

- the scanner hanging at startup on some systems, so that it was not possible to complete a scan
- numerous Motif GUI fixes (checking for valid values and entries)
- numerous NT GUI fixes
- re-addition of differential reporting to report generation
- reporting feature additions

Updated release notes for 2.4 follow. Ballista 2.4 Beta 2 is available via your account on update.secnet.com in the directory /ballista/2.4beta2. Please report any and all problems.

Ballista Security Auditing System v2.4 Release Notes

Index

1. Ballista for Windows NT
2. Ballista for UNIX platforms
3. Enhanced reporting functionality
4. Known problems

1. Ballista for Windows NT

The 2.4 release of BallistaNT incorporates new modules, in addition to several key features within the user interface and enhanced reporting functionality. The enhanced reporting functionality is also present in the Ballista 2.4 release for UNIX, and is described in section iii.

In addition to new modules, BallistaNT incorporates integrated password cracking within the interface, allowing cracking of Windows NT and UNIX password files which have been retrieved from the remote host. Also provided is the "smbgrind" utility, allowing parallel password cracking against CIFS servers without running a complete scan. These features were present in the Ballista 2.3 release for UNIX.

The spinning Ballista logo can be turned off by clicking on the logo during the course of a scan, if desired.

For a complete listing of new modules, see section iv.

2. Ballista for UNIX platforms

The 2.4 release of Ballista for all supported UNIX platforms contains significant changes to the underlying database structure used to retrieve and store vulnerability information.
This change provides much needed flexibility for the enhanced reporting functionality (described in section iii.). Database information is now stored in a new database, utilizing additional files for indexing. Database files now consist of the suffixes .dat and .idx for each database. The .db extension is no longer used in any configuration or command line options. To change database names, simply specify the desired prefix, for example "results".

The Ballista vulnerability database now consists of the following files:

- "vulndata.dat"
- "vulndata.idx"

Results gathered from a scan are now stored in databases consisting of the following names:

- "sessions.dat"
- "sessions.idx"

This database contains a list of "sessions", or different scans which have been performed. These files can be removed to clean out the list of previous scans.

- "results.dat"
- "results.idx"
- "results_hosts.dat"
- "results_hosts.idx"

The "results" database contains a listing of vulnerabilities found during the course of the scan, while the "results_hosts" database contains the hosts which were scanned. If moving database files from system to system, all of these files should be copied in order to successfully generate a report. Note that the "results" prefix is the default, and will change if the configured database name is changed.

In addition to enhanced database support, Ballista for UNIX platforms also contains additional modules, described in section iv. below.

3. Enhanced reporting functionality

Ballista 2.4 introduces a range of new features allowing granular reporting and statistical graphing. With the integration of the new database system, verbose output descriptions of modules are now separated into distinct categories, allowing the user to generate customized reports displaying only the desired information on a vulnerability. The report information for each vulnerability is split into a number of categories as follows:

- verbose - the normal verbose vulnerability description explaining the problem.
- security - security concerns of this vulnerability, and why the user should be worried about it.
- suggestions - suggestions on how to fix the vulnerability.
- reproduce - description of how to reproduce the vulnerability if it is easily reproducible.
- tech - detailed technical description of the attack for technical users.
- references - references and patch information for the specified vulnerability.
- manager - a managerial description of the vulnerability, for non-technical users.
- risk - the risk factor of the problem, and how significant the problem is.

Items to include in the report can be selected by the user from any of the graphical user interfaces (this functionality is not supported in the ncurses interface). These options may also be specified on the command line to the "repgen" program which generates the reports.

Ballista 2.4 also provides graphical Java reporting on a number of statistics related to the selected scan. These statistics include:

- risk factors - a graph of risk factor coverage of the entire scan, displaying the number of low, medium and high risk vulnerabilities.
- active services - a graph of active services across the network. Easily view the number and types of services which are present on the network.
- operating systems - a graph of the operating system types present on the scanned network. View the number and type of operating systems present on the network.

Java graphing can be selected via any of the graphical user interfaces supported by Ballista (except the ncurses interface). Java graphing is only applicable when generating an HTML report, and can also be selected via the command line to the "repgen" report generator.

iv. New Modules

Ballista 2.4 now contains over 320 modules. A number of new modules (totalling 20) have been added to the Ballista version 2.4 release. The modules are enumerated below.
- Solaris in.rlogind FTP bounce check - A vulnerability in the Solaris in.rlogind daemon can allow an attacker to obtain access to the target system by utilizing the FTP daemon to come from a privileged port.
- rpc.statd buffer overflow - A buffer overflow in the rpc.statd daemon can allow an intruder to obtain remote root access to the target system.
- rpc.statd bounce test - A vulnerability in rpc.statd allows an attacker to bounce RPC calls through the rpc.statd daemon, appearing as though they are originating from the local system.
- Solaris automountd test - A vulnerability in the automount daemon can allow an attacker to execute arbitrary commands on the remote host.
- S/Key presence test - This module determines if the target host is utilizing S/Key for one time password logins.
- Portmap register via callit() - This module determines if an attacker is able to register or unregister services through a vulnerability in the portmap daemon, which forwards requests.
- Teardrop 1 - This module checks for the denial of service attack known as Teardrop, which allows a malicious user to crash the target system.
- Teardrop 2/Bonk - This module checks for a variation of the Teardrop attack, which allows a malicious user to crash the target system.
- Ascend Name Gathering - This module determines whether the target host is an Ascend router, and whether it responds to a specially crafted packet being sent to the discard port (port 9).
- Ascend SNMP config file - This module determines whether an attacker can obtain the configuration file from an Ascend router via the default write community name.
- Ascend SNMP config file full - This module prints out passwords which have been obtained from the configuration file of a remote Ascend router.
- Ascend Discard port DOS - This module determines whether the target Ascend router is vulnerable to a denial of service attack by sending a specially crafted packet to the discard port.
- Cisco 760 series DOS - This module checks for a buffer overflow vulnerability in the Cisco 760 series of routers. By sending an overly long password string, it is possible to overflow a buffer within the router, causing it to crash.
- Seattle Labs / IMail overflow - This module checks for a buffer overflow in the VRFY function of these mailers, allowing a user to crash the mail server, and potentially exploit the mail server to execute commands.
- Unpassworded Wingate server - This module checks for Wingate servers which are unpassworded and provide gateway access to any user.
- Netscape Fastrack server "get" - This module checks for a vulnerability in the Netscape Fastrack server whereby issuing a lowercase "get" request provides a listing of files available on the remote server.
- IRIX webdist.cgi - This module checks for a vulnerability in /cgi-bin/webdist.cgi, which is shipped with IRIX by default and allows execution of arbitrary commands.
- Unpassworded Ascend router - This module checks for the target Ascend device being configured without a password, allowing anyone access to configure the device.
- Unpassworded Netopia router check - This module determines whether the target Netopia router is unpassworded, and allows anyone access to configure the device.
- NTP server check - This module polls the remote host's NTP (Network Time Protocol) server for various information that can be obtained via NTP. This information includes system memory statistics, IO statistics and system statistics.

4. Known problems

i. Running Ballista on an NFS mounted partition.

Ballista utilizes a database system which requires file locking. Over some combinations of operating systems, file locking is not implemented over NFS. A known combination where Ballista will not work correctly is when mounting a file system from a BSD system to a Solaris system and attempting to run Ballista on the Solaris system.
BSD does not implement network file locking for NFS; therefore the Solaris system will attempt to lock the file, and the program will hang. As a workaround, ensure that Ballista is installed on a local partition if you encounter this problem. Running Ballista on a BSD system from an NFS mounted partition which is mounted from a BSD system WILL work. Running Ballista on a Solaris system from an NFS mounted partition from a Solaris system will also work.

-o-

Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
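Two of the notes above describe things an operator has to get right before a report will generate: section 2 says a results set is six files (sessions.dat/.idx, <prefix>.dat/.idx and <prefix>_hosts.dat/.idx) that must all be moved together, and section 4 says that on some NFS mounts the database's lock call never returns and the program hangs. The pre-flight script below is an added example, not part of Ballista or of these release notes; it assumes only the file layout and the locking symptom described here. It lists the expected files for a prefix, refuses to copy a partial set, and probes file locking in a directory from a forked child that is killed after a timeout, so a hanging lock is reported as "hang" rather than hanging the caller.

```python
"""Pre-flight checks for a Ballista 2.4 results database directory.

Added example (not Ballista's own code). Assumes, from the release notes:
 - a results set is sessions.dat/.idx, <prefix>.dat/.idx, <prefix>_hosts.dat/.idx
 - on some NFS mounts a lock attempt never returns, so the lock probe runs in
   a forked child and is killed after a timeout instead of blocking the caller.
Requires a POSIX system (os.fork, fcntl).
"""
import fcntl
import os
import shutil
import signal
import sys
import tempfile
import time


def expected_db_files(prefix="results"):
    """The six files that make up one set of scan results ("results" is the default prefix)."""
    return [
        "sessions.dat", "sessions.idx",
        f"{prefix}.dat", f"{prefix}.idx",
        f"{prefix}_hosts.dat", f"{prefix}_hosts.idx",
    ]


def missing_db_files(directory, prefix="results"):
    """Names from expected_db_files() that are absent from `directory`."""
    return [name for name in expected_db_files(prefix)
            if not os.path.isfile(os.path.join(directory, name))]


def copy_db_files(src, dst, prefix="results"):
    """Copy a complete results set from src to dst, refusing a partial set.

    Returns the list of copied names; raises FileNotFoundError naming the
    missing files so a report is never generated from a half-copied set."""
    missing = missing_db_files(src, prefix)
    if missing:
        raise FileNotFoundError(f"incomplete Ballista database in {src}: {missing}")
    os.makedirs(dst, exist_ok=True)
    copied = []
    for name in expected_db_files(prefix):
        shutil.copy2(os.path.join(src, name), os.path.join(dst, name))
        copied.append(name)
    return copied


def _lock_child(path):
    """Runs in the forked child: take and release an exclusive POSIX record lock."""
    try:
        fd = os.open(path, os.O_RDWR)
        fcntl.lockf(fd, fcntl.LOCK_EX)
        fcntl.lockf(fd, fcntl.LOCK_UN)
        os.close(fd)
    except OSError:
        os._exit(2)   # lock call rejected outright (e.g. ENOLCK)
    os._exit(0)       # lock taken and released normally


def probe_file_locking(directory, timeout_seconds=5.0):
    """Check whether POSIX file locking works on a scratch file in `directory`.

    Returns "ok", "error" (the lock call was rejected) or "hang" (no answer
    within the timeout, the NFS symptom described in the release notes)."""
    fd, path = tempfile.mkstemp(prefix="lockprobe-", dir=directory)
    os.close(fd)
    try:
        pid = os.fork()
        if pid == 0:
            _lock_child(path)  # never returns
        deadline = time.monotonic() + timeout_seconds
        while time.monotonic() < deadline:
            waited, status = os.waitpid(pid, os.WNOHANG)
            if waited == pid:
                return "ok" if os.waitstatus_to_exitcode(status) == 0 else "error"
            time.sleep(0.05)
        os.kill(pid, signal.SIGKILL)   # child is stuck in the lock call
        os.waitpid(pid, 0)
        return "hang"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: preflight.py <db-directory> [prefix]
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    prefix = sys.argv[2] if len(sys.argv) > 2 else "results"
    print("missing files:", missing_db_files(directory, prefix) or "none")
    print("file locking:", probe_file_locking(directory))
```

Run it against the directory you intend to install or copy the database into; a result of "hang" or "error" for the locking probe is the signal to move to a local partition, as the workaround above recommends, before starting a scan.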
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:11 PDT