Forwarded From: Oliver Friedrichs <oliver@securenetworks.com>
Beta 2 of Ballista 2.4 is now available. Ballista 2.4 Beta 1 contained
several problems which are now resolved; these include:
- Scanner was hanging at startup on some systems; it was not
possible to complete a scan.
- Numerous Motif GUI fixes (checking for valid values and entries)
- Numerous NT GUI fixes
- Re-addition of differential reporting to report generation
- Reporting feature additions
Updated release notes for 2.4 follow. Ballista 2.4 Beta 2 is available
via your account on update.secnet.com in the directory /ballista/2.4beta2.
Please report any and all problems.
Ballista Security Auditing System v2.4
Release Notes
Index
1. Ballista for Windows NT
2. Ballista for UNIX platforms
3. Enhanced reporting functionality.
4. Known problems
1. Ballista for Windows NT
The 2.4 release of BallistaNT incorporates new modules, in addition to
several key features within the user interface and enhanced reporting
functionality. The enhanced reporting functionality is also present in
the Ballista 2.4 release for UNIX, and is described in section 3.
In addition to new modules, BallistaNT incorporates integrated password
cracking within the interface, allowing cracking of Windows NT and UNIX
password files which have been retrieved from the remote host. Also
provided is the "smbgrind" utility, allowing parallel password cracking
against CIFS servers without running a complete scan. These features
were present in the Ballista 2.3 release for UNIX.
The spinning Ballista logo can be turned off by clicking on the logo
during the course of a scan, if desirable.
For a complete listing of new modules, see section iv.
2. Ballista for UNIX platforms
The 2.4 release of Ballista for all supported UNIX platforms contains
significant changes to the underlying database structure used to retrieve
and store vulnerability information. This change provides much needed
flexibility for enhanced reporting functionality (described in section
iii.).
Database information is now stored in a new database, utilizing additional
files for indexing. Each database now consists of a .dat file and a matching
.idx file. The .db extension is no longer used in any
configuration or command line options. To change database names, simply
specify the desired prefix, for example "results".
The Ballista vulnerability database now consists of the following files:
"vulndata.dat"
"vulndata.idx"
Results gathered from a scan are now stored in databases with the
following names:
"sessions.dat"
"sessions.idx"
This database contains a list of "sessions", or different scans which
have been performed. These files can be removed to clean out the list of
previous scans.
"results.dat"
"results.idx"
"results_hosts.dat"
"results_hosts.idx"
The "results" database contains a listing of vulnerabilities found during
the course of the scan, while the "results_hosts" database contains the
hosts which were scanned. If moving database files from system to system,
all of these files should be copied to successfully generate a report.
Note that the "results" prefix is the default, and will change if the
configured database name is changed.
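As an added example (not part of these release notes or of Ballista itself), a small Python helper that derives the full file set from the configured prefix and refuses to export an incomplete set, so the copy cannot silently leave "repgen" without a file it needs. It assumes the "sessions" files keep their fixed names whatever the results prefix is, which the notes do not state explicitly; the directories and empty files in the demo are constructed.

```python
import os
import shutil
import tempfile

# Assumption: the sessions database is not renamed with the results prefix.
SESSION_FILES = ("sessions.dat", "sessions.idx")


def scan_database_files(prefix="results"):
    """Every file that makes up one scan's databases; "results" is the default prefix."""
    return [f"{prefix}.dat", f"{prefix}.idx",
            f"{prefix}_hosts.dat", f"{prefix}_hosts.idx", *SESSION_FILES]


def export_scan_databases(src_dir, dest_dir, prefix="results"):
    """Copy a complete set of database files; abort before copying if any is missing.

    Returns the list of copied file names.
    """
    wanted = scan_database_files(prefix)
    missing = [f for f in wanted if not os.path.isfile(os.path.join(src_dir, f))]
    if missing:
        raise FileNotFoundError(f"incomplete Ballista database set, missing: {missing}")
    os.makedirs(dest_dir, exist_ok=True)
    for name in wanted:
        shutil.copy2(os.path.join(src_dir, name), os.path.join(dest_dir, name))
    return wanted


def demo():
    """Constructed demo: a complete "results" set exports; a "custom" set lacking its .idx files is rejected."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "ballista")
    os.makedirs(src)
    for name in scan_database_files("results"):
        open(os.path.join(src, name), "wb").close()          # empty placeholder databases
    copied = export_scan_databases(src, os.path.join(root, "export"), "results")
    for name in ("custom.dat", "custom_hosts.dat"):           # .idx files deliberately absent
        open(os.path.join(src, name), "wb").close()
    try:
        export_scan_databases(src, os.path.join(root, "export2"), "custom")
        rejected = False
    except FileNotFoundError:
        rejected = True
    shutil.rmtree(root)
    return len(copied), rejected


if __name__ == "__main__":
    print(demo())
```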
In addition to enhanced database support, Ballista for UNIX platforms also
contains additional modules, described in section iv. below.
3. Enhanced reporting functionality.
Ballista 2.4 introduces a range of new features allowing granular
reporting and statistical graphing. With the integration of the new
database system, verbose output descriptions of modules are now separated
into distinct categories, allowing the user to generate customized reports,
displaying only desired information on a vulnerability. The report
information for each vulnerability is split into a number of categories
as follows:
verbose - the normal verbose vulnerability description explaining the problem.
security - security concerns of this vulnerability, and why the user should be worried about it.
suggestions - suggestions on how to fix the vulnerability.
reproduce - description of how to reproduce the vulnerability if it is easily reproducible.
tech - detailed technical description of the attack for technical users.
references - references and patch information for the specified vulnerability.
manager - a managerial description of the vulnerability, for non-technical users.
risk - the risk factor of the problem, and how significant the problem is.
Items to include in the report can be selected by the user from any of the
graphical user interfaces (this functionality is not supported in the
ncurses interface). These options may also be specified on the command
line to the "repgen" program which generates the reports.
Ballista 2.4 also provides graphical Java reporting on a number of
statistics related to the selected scan. These statistics include:
risk factors - A graph of risk factor coverage of the entire scan, displaying the number of low, medium and high risk vulnerabilities.
active services - A graph of active services across the network. Easily view the number and types of services which are present on the network.
operating systems - A graph of the operating system types present on the scanned network. View the number and type of operating systems present on the network.
Java graphing can be selected via any of the graphical user interfaces
supported by Ballista (except the ncurses interface). Java graphing
is only applicable when generating an HTML report, and can also be
selected via a command line to the "repgen" report generator.
iv. New Modules
Ballista 2.4 now contains over 320 modules. A number of new modules
(totalling 20) have been added to the Ballista version 2.4 release.
The modules are enumerated below.
Solaris in.rlogind FTP bounce check - A vulnerability in Solaris
in.rlogind daemon can allow an attacker to obtain access to the
target system by utilizing the FTP daemon to come from a privileged
port.
rpc.statd buffer overflow - A buffer overflow in the rpc.statd daemon
can allow an intruder to obtain remote root access to the target
system.
rpc.statd bounce test - A vulnerability in rpc.statd allows an attacker
to bounce RPC calls through the rpc.statd daemon, appearing as though
they are originating from the local system.
Solaris automountd test - A vulnerability in the automount daemon can
allow an attacker to execute arbitrary commands on the remote host.
S/Key presence test - This module determines if the target host is
utilizing S/Key for one time password logins.
Portmap register via callit() - This module determines if an attacker
is able to register or unregister services through a vulnerability in
the portmap daemon, which forwards requests.
Teardrop 1 - This module checks for the denial of service attack known
as Teardrop, which allows a malicious user to crash the target system.
Teardrop 2/Bonk - This module checks for a variation of the Teardrop
attack, which allows a malicious user to crash the target system.
Ascend Name Gathering - This module determines whether the target host
is an Ascend router, and whether it responds to a specially crafted
packet being sent to the discard port (port 9).
Ascend SNMP config file - This module determines whether an attacker
can obtain the configuration file from an Ascend router via the default
write community name.
Ascend SNMP config file full - This module prints out passwords which
have been obtained from the configuration file of a remote Ascend
router.
Ascend Discard port DOS - This module determines whether the target
Ascend router is vulnerable to a denial of service attack by sending
a specially crafted packet to the discard port.
Cisco 760 series DOS - This module checks for a buffer overflow
vulnerability in Cisco 760 series of routers. By sending an overly
long password string, it is possible to overflow a buffer within the
router, causing it to crash.
Seattle Labs / IMail overflow - This module checks for a buffer
overflow in the VRFY function of these mailers, allowing a user to
crash the mail server, and potentially exploit the mail server to
execute commands.
Unpassworded Wingate server - This module checks for Wingate servers
which are unpassworded and provide gateway access to any user.
Netscape Fastrack server "get" - This module checks for a
vulnerability in the Netscape Fastrack server whereby issuing a
lowercase "get" request provides a listing of files available on
the remote server.
IRIX webdist.cgi - This module checks for a vulnerability in
/cgi-bin/webdist.cgi which is shipped with IRIX by default, and allows
execution of arbitrary commands.
Unpassworded Ascend router - This module checks for the target Ascend
device being configured without a password, allowing anyone access to
configure the device.
Unpassworded Netopia router check - This module determines whether the
target Netopia router is unpassworded, and allows anyone access to
configure the device.
NTP server check - This module polls the remote host's NTP server
(Network Time Protocol) for various information that can be obtained
via NTP. This information includes system memory statistics, IO
statistics and system statistics.
4. Known problems
i. Running Ballista on an NFS mounted partition. Ballista utilizes a
database system which requires file locking. Over some combinations
of operating systems, file locking is not implemented over NFS.
A known combination where Ballista will not work correctly is when
mounting a file system from a BSD system to a Solaris system and
attempting to run Ballista on the Solaris system. BSD does not
implement network file locking for NFS, therefore the Solaris
system will attempt to lock the file, and the program will hang.
As a workaround, ensure that Ballista is installed on a local
partition if you encounter this problem.
Running Ballista on a BSD system from an NFS mounted partition
which is mounted from a BSD system WILL work. Running Ballista on
a Solaris system from an NFS mounted partition from a Solaris system
will also work.
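An added example, not from the release notes or from Ballista: a Python probe that takes a POSIX lock on a scratch file in the candidate install directory from a child process, so a lock request that never returns (the hang described above) is reported as "hang" instead of hanging the caller. It assumes Ballista's database locking behaves like fcntl/lockf record locking; the 5 second timeout and the scratch file name are constructed.

```python
import fcntl
import os
import tempfile
import time


def probe_file_locking(directory=None, timeout=5.0):
    """Return "ok", "hang" or "error" for POSIX record locking in `directory`.

    The lock is taken in a forked child so that a lock call which blocks
    forever (no NFS lock manager on the server) can be killed and reported
    rather than blocking this process.
    """
    if directory is None:
        directory = tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix=".ballista_lockprobe.", dir=directory)
    try:
        pid = os.fork()
        if pid == 0:                               # child: attempt the lock
            try:
                fcntl.lockf(fd, fcntl.LOCK_EX)
                fcntl.lockf(fd, fcntl.LOCK_UN)
                os._exit(0)
            except OSError:                        # e.g. ENOLCK: locking refused outright
                os._exit(2)
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:         # parent: poll for the child
            done, status = os.waitpid(pid, os.WNOHANG)
            if done == pid:
                ok = os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
                return "ok" if ok else "error"
            time.sleep(0.05)
        os.kill(pid, 9)                            # still blocked: the hang case
        os.waitpid(pid, 0)
        return "hang"
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe_file_locking(target))
```

Run it with the intended Ballista directory as the argument; anything other than "ok" means the database should live on a local partition.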
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
Received on Wed Apr 22 19:16:41 1998