Free smbd audit software for linux

Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes.
The main logical components are:
- Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "whats inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.
- libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.
- Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.
- nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).
- Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).
- ...and some other companion utilities.
Code analysis is not limited to debugging, quality assurance or security audits. Understanding and handling file formats or communication protocols used by proprietary solutions, a problem that many corporations face when they decide to change their base software platform from one, obsolete or insufficient solution to another, perhaps more suitable, is a task that can consume long months and millions of dollars, especially when any misjudgment or misinterpretation is made.
Because of that, accurate and complete information about existing solutions has to be obtained and evaluated in a timely manner. This project is an attempt to fill the gap between currently used tools by providing a freely available program analysis utility, suitable for black-box code audits, algorithm analysis,
rapid reconnaissance in open-source projects, tracking down bugs, evaluating security subsystems, performing computer forensics, etc.
This program does not automate the process of auditing, and does not favor any particular use. Instead of that, it is intended to be a flexible and universal application that will be a valuable solution for many advanced users. While functional, it is probably not tested sufficiently, there are many issues to fix, several known bugs, some portability problems.
It is being released primarily to get user feedback, comments, and, most important, to request development support, as my resources are very limited, both in terms of available time and development platforms. This project is and will be distributed as a free software, regardless of projected use, accompanied by complete sources, under the terms and
conditions of GPL. Why do you might need this code? Well, there are few reasons...
Human beings are, so far, the best code analysts. Unlike computer programs, they have imagination, ability to build synthetic abstract models, and yet to observe and analyze smallest details at the same time. Functionality is often being described as "doing what the program is supposed to do", security as "doing what the program is supposed to do and
nothing more". While it might sound funny, that is the most general and complete definition we have. In most real-life scenarios only humans really know what are their expectations. Building strict formal models of our expectations does not necessarily mean that models themselves are flawless, and is very time-consuming. Then, even with such models,
validating the code is not always possible, due to its computational complexity. That is why real, live programs (not including some critical developments) do not have such models, do not follow any particular coding guidelines, and cannot be formally examined without human judgment.
Unfortunately, humans are also highly inaccurate and very expensive. They work slowly, and better results can be achieved by hiring better specialists and performing more careful audit. And after all, even the best expert can overlook something in complex, hard to read code. It is almost impossible for human to perform an accurate audit of a large, complex, heterogeneous project written e.g. in C - like Sendmail, BIND, Apache - and provide results in reasonable time.
Things get even worse when humans try to understand algorithms and protocols used by complex closed-source black box solutions. They are simply too slow, and not always able to make accurate guesses about dozens of complicated, conditional parameter passes and function calls before final action is taken.
While it might sound surprising, human-driven code audit is very similar to playing chess - it is a general analysis of possible states, way too many to be implicitly projected by our conscience, a result of experience, knowledge, some unparalleled capabilities of human brain, and luck. It is also a subject to false moves and misjudgment. And there are maybe just a few hundred excellent players.
As for today, freely and commercially available audit tools both use two opposite approaches. First approach tends to minimize human role by automating the review of source code. Source code analysis methods are good in spotting known, repeatable static errors in the code - such as format string vulnerabilities. On the other hand, static tools are not able to trace and analyze all possible execution paths of complex application by
simply looking at its source.
The reason for inability to follow all execution paths lies deeply in the foundations of modern computation theory, and one of its aspects is known as "the halting problem". Speaking in more general terms, in many cases (such as complex software, or even underlying operating system), the amount of medium needed to store all possible states of a complex program exceeds significantly the number of particles in the
universe; and the amount of time needed to generate and process them sequentially is greater than the lifetime of our universe, even having a machine that works with the speed of light.
This might be changed by the development of new computation models, such as quantum computing, or by creating mathematical models that allow us to make such problems non-polynomial - but for now, we are far from this point, and static analysis is restrained in many very serious ways, even though many software suppliers tend to market their products as the ultimate, 100% solutions. Subtle, complex, conditional dynamic errors, such as privilege dropping problems, input-dependent table overflows in C and many other issues usually cannot be detected without generating a completely unacceptable number of false positives.
This kind of software is highly dependent on coding style, and specific notation or development practices might render them less efficient - for example, automated audit utilities can usually detect problems like insecure call to strcpy() function, but will very likely not notice insecure manual copy in do-while
loop. The truth is, for programs that do not have previously built formal models, static auditing utilities look for known, common problems in known, common types of code in a very limited scope.
Another issue is the applicability of this approach to algorithm analysis tasks. In the domain of automated audit tools, this problem is "reduced" to building a formal model of program behavior, or, more appropriately, generating certain predictive statements about the code. While there are very interesting developments in this direction, such as the work of professor Patrick Cousot, it is very difficult to make any detailed, accurate and abstract enough run-time predictions for complex source code that has any immediate value in the analysis of unknown algorithm.
Last but not least, static analysis of sources can be deployed only when the source code is available, which does not have to be the case. This approach is a subject to many shortcomings, tricky assertions, and is a technique of strictly limited capabilities. This is, of course, not to dismiss this method - but to demonstrate that this much favored approach is not flawless and how much it needs to be accompanied with auxiliary methods.
The second approach to be discussed here is based on a dynamic run-time program analysis. This method is usually used to provide the user with information about actual program execution path, letting him make decisions on which path to follow and giving him free will to draw any conclusions and perform all the synthetic reasoning.
This method is
applied to a live binary executed in real-time and is based on monitoring syscalls (strace), libcalls (ltrace) or functions (xtrace); in certain cases, breakpoint debuggers, such as gdb, can be used, however it is usually not feasible to use them to perform anything more than in-depth analysis of a very small portion of program functionality. Usually, such analysis provides a very useful information on what is happening, and this information is provided in uniform, reduced-output form.
A careful auditor can analyze program behavior and find interesting or potentially dangerous run-time conditions. By monitoring how a given application interacts with external world, he (or she) can determine whether some other
conditions can be triggered and eventually explore them by examining sources or re-running the program. Advantages are enormous, as such software enables the auditor to spot very subtle errors in code that "looked good", to observe actual execution, not to try to figure it out, and to find or trace down not obvious or non-schematic vulnerabilities. Run-time trace tools are primarily used for fast reconnaissance tasks and for tracing down notorious errors that are not clearly visible in the source, significantly reducing the time of such operations.
There are, however, serious drawbacks related to this method. First of all, known tracing tools do not provide the complete information. They will detect strcpy() call, but wont report if exactly the same functionality has been implemented from scratch by the author of given program. And, in some cases, the amount of produced data
can be enormous, and because of its completely unstructured character, it makes the observation of overall execution vector almost impossible. Two most important problems are: correlating trace data with actual code, and determining what occurred in the "dark matter" between two lines of trace output.
There are some attempts to combine both approaches - run-time evaluation and source code analysis - such as Purify or many other commercial development support products. Unfortunately, they all feature a limited set of capabilities that need development-side or compilation-time support and are not really suitable for comprehending black box solutions or performing a general analysis. Most of them are targeted for dynamic memory debugging and code / memory profiling.
While not mentioned above, there is also another approach to black-box code - high-level decompiler. However, the complexity of modern compilers makes it very difficult to develop an effective C decompiler or similar utility, and there are only a few (two?) projects available to accomplish it, all of them not able to deal with too complex or optimized code. Finally, there is no guarantee that generated output code will be any help in comprehending the program. For now, this approach remains almost purely theoretical,
and I am not aware of any auditors using it extensively. Why? Well, heres an example of decompiled, mildly optimized code *with* some symbolic information: http://www.backerstreet.com/rec/ex386/hdgO.rec . One may argue it is less readable than cross-referenced disassembly.
This project, Fenris, is named after the monstrous wolf, son of the Norse god Loki. It is not the ultimate answer to all questions, not a solution for all problems, and under no circumstances is intended to replace other tools and techniques. On the other hand, it makes one step forward compared to other tools, trying to support the auditor and to make his work much more effective. This is accomplished by combining a number of techniques, including partial run-time decompiler, stateful analysis, code fingerprinting, I/O analysis, high-level visualization layer, traditional interactive debugger features and run-time code modification capabilities. The goal is to provide a very detailed trace information, and, at the same time, to provide data suitable to build a model of program behavior more quickly and in more convenient way.
Fenris is not supposed to find vulnerabilities or bugs, or to guess algorithms or describe protocols. It is supposed to report and analyze the execution path - detect and describe functional blocks, monitor data flow in the program, marking its lifetime, source, migration and destination, analyze how functions work and what conditions are evaluated.
At the end, it can deliver you an execution model of traced program (or arbitrarily chosen portion of it, if complete trace results in too much noise or irrelevant information), and hint you how this model can change in different conditions. Fenris does not need source codes of analyzed application, but obviously does not keep the auditor from using them.
For many users, Fenris might be a new tool or tools, for others - just a command-line replacement or addition to strace, ltrace, gdb or similar applications (theres a brief list of other nice tools in doc/other.txt). And thats the idea - to build a tool that is simple, reusable, but also precise and smart. It is supposed to have advantages over other tools, but not to be an ultimate replacement or the final solution. Some users can just use very specific features, such as automated function fingerprinting, and use companion tools instead of the main program.

Software Engineering Environment (SEE) is frame for manufacturing information. It is implemented in sevlet and xml, and is used by the web-browser.
Software Engineering Environment (SEE) attempts to provide the information manufacturing platform for software development.
SEE is a free project, that is the author will provide all of its source code at the same time.
It runs in any servlet environment (The author merely verified in the Win and Linux environment), not using any special technique and needs no auxiliary program.
All of its data are saved in XML files, and need not database. (The future release will support the option of saving data, so that the user can select some free database, such as mysql, or commercial database to improve SEE speed.)
This means that the user can run SEE without any money. (Tomcat is a free servlet environment.)
User uses all SEE functions with the web-browser. So information sharing is very convenient.
SEE supports Simplified Chinese, Traditional Chinese, and English now.( It will support any language if someone will translate.) User can switch to interfaces in different language at any time when SEE is running. And user can add language translations which will work at once.
The main body of SEE is a frame for information manufacturing. All information included in it can be costumed dynamically and all changes will get into effect immediately. This means that the user can modify or add her/his own information structure as will at any time.
SEE provides various predefined selections for information attributes, which correspond various predefined information manufacturing patterns. The user can focus on the information description when costuming information definition, and the system will implement the functions automatically. This is the core of SEE. Most functions of SEE are in this model.
The default information definition of SEE is the result that the author understands what is the Software Engineering.
Although the target of SEE is helping for software development, actually, user can use it to design any type information, such as book registering, personnel lists, and financial reports etc.
The speed of SEE is not bad. Reading and writing 20000 records needs no more than 1 second. At present, the sorting speed is 9 seconds for 5000 records. (The testing platform is 1.8G CPU and 256M memory)
Enhancements:
- The data interface to prepare supporting databases.
- The databases are not supported in this release.
- A new interface style "Beautiful Flowers".
- These flowers are photoed in parks in this year by the author.
- The author likes the honeybee who holds a flower in its mouth very much. It is the first cartoon figure by the author. It will appear when you save wrong data. :)
- The function of "Personal Message".
- User can only query the messages sent by and sent to herself/himself. And user can only remove the messages sent to herself/himself.
- After a user read a message sent to her/him, SEE will mark it as "have_read" automatically.
- The number of new arrived messages will be shown in the interface.
- The data privileges management
- When user "Remove All" or "Modify All", the "base conditions" will be checked at first. That is user can only do what she/he can do.
- The Password fields values can not be visited, except when the user, who owns the "Import" privilege to current data, exports the data.
- All the data structures of ACL tables are changed! Their keywords become the "Title". This will permit user define better ACL.
- And the "condition" in the ACL tables are implemented completely. Now any "SEE conditions" is valid.
- Snapshot for image file
- When list the data, a snapshot will be shown for the image files type, which may end with jpg/jpeg/gif/png.
- Data sorting concerned with langauges.
- Thus when sorting data in Chinese, the result is Chinese result.
- General users can not visit the "User" table! Then they can not fill in many data!
- This is a fatal bug! This means all former releases can not be used actually!
- Now all ACL tables are redesigned.
- When a new user is added without password, SEE will add some password itself! Then this new user can never login!
- This is another fatal bug!
- In the last English release, which is 0.06, the ACL data are in Chinese!
- So the English users can not use SEE at all~~
- This is still a fatal bug!
- The "Risk Items" in the table "Deviation Handling" is wrong defined.
- This will cause an error information when user clicks the "Select" button.
- The values of Password fields can be visited when query or export.
- Although the values are meaningless encoded codes, they are still security thread.
- When some quota marks in the key values, pages will report errors and the function buttons, such as Modify and Remove, can not act!
- This is because quota is also an element of web page.
- When the interface language changes, the language in audit records changes too!
- This is not permitted. Language of all data is determined when SEE is installed and can not change with interface!

The aim of CMS Made Simple is to supply a simple and effective way of managing content of primarily static sites. Before you can ask why you need a content management system for a site that doesnt change its content, let me tell you.
There are tons of content management systems out there but they are basically all the same. Other CMS systems are great if you have a lot of news or articles on your site, but what if your site content doesnt change a lot, or only small parts of it change? Doesnt make a lot of sense to create a new entry in your blog style site just for a simple update, and whats the point of having time stamped blog entries if you are constantly updating them? Voila, in comes CMS Made Simple.
CMS lets you update your pages and keep the content on a static page that will not become stale regardless of how much other content gets placed on your site, unlike a blog style site where entries get pushed off the page and your users have to check the archives or know an obscure link to get to the original story.
Main features:
- Easy user and group management
- Group-based permission system
- Intelligent caching mechanism to only get what is necessary from the database
- Full template support, for unlimted looks without changing a line of content
- Easy wizard based install and upgrade procedures
- Minimal requirements
- Admin panel with multiple language support
- Integrated, Optional WYSIWYG
- Content hierarchy with unlimited depth and size
- Optional self-generating menus
- Integrated file manager w/ upload capabilities
- Module API for unlimited expandability
- Integrated audit log
- Included News module
- Included RSS module
- Ability to program simple PHP coded plugins right inside the admin
- Friendly support in forums and irc

Solsoft NetfilterOne is a graphical interface that will automate the design, deployment and documentation of security rules and policies as they pertain to a networked netfilter firewall.
As the name suggests, NetfilterOne will support one installation of the netfilter firewall.
With Solsoft NetfilterOne, IT administrators will realize the advantages of a centralized interface from which to configure, deploy, enforce and audit rules and policies consistently among netfilter firewall(s).
NetfilterOne is the ideal tool to remotely maintain security policies on Linux servers, webservers, DNS, Mail servers which often resides on DMZ.
Main features:
No manual coding
- Centralizing and automating design and generation of accurate security configurations for all devices using the same management software is very important for small, resource-constrained IT departments.
Higher operational efficiency
- Solsoft NetfilterOne enables you to deploy accurate security rules to ALL security devices on your network, instead of manually configuring devices one at a time. Changes to complex networks can be made in minutes - reducing the costs required to manage multi-vendor security environments.
Faster incident response
- Solsoft NetfilterOne makes your organization more agile and improves your ability to react to virus, worm, and network attacks. More importantly, Solsofts policy-based system hardens your network against future attacks by making sure security rules are consistently and correctly configured end-to-end - something that is very hard to do through other means.
Broad interoperability
- Solsoft NetfilterOne provides the glue that connects the sources of policy - business requirements, security audits, vulnerability scans, and event correlation alerts - with the security device infrastructure that must be configured to enforce policy. Only a truly open management solution can provide this level of interoperability and agility.
Greater vendor and device independence
- Solsoft NetfilterOne supports the ability to import existing device configurations and quickly migrate to different security platforms. With Solsoft NetfilterOne, you enjoy the flexibility to pick the best security device based on price vs. performance, regardless of team expertise.
Enhancements:
- This release supports Cisco IOS, PIX, ASA, FWSM, Netscreen, Nortel, Linux, and ISS proventia.

sslredir is a simple utility used for redirecting incoming non-SSL connections to outgoing SSL connections.

sslredir project is useful for enabling applications such as mail, news, or IRC clients, which do not support SSL, to connect to SSL servers. It also supports connecting to the remote host through a SOCKS4A proxy, so sslredir is ideal for use with Tor.

sslredir is similar to stunnel or socat, except that it is not as general-purpose as socat. It uses less than 450 lines of Python, so it is simple to audit (although it does rely on M2Crypto which relies on OpenSSL, both of which are rather more difficult to audit). sslredir is also designed to work nicely with Tor, whereas I had run into bugs with both socat and stunnel.

SLAD is a tool for performing local security checks against GNU/Linux systems.

SLAD has been primarily developed for the BOSS project to work together with Nessus to enhance its local scanning capabilities. For example, scanning for weak passwords with a tool like John-the-Ripper is something that simply cannot be achieved by a network scan.

Therefore, SLAD is required to be installed on every GNU/Linux system where local auditing needs to be done. SLAD can then be used as a stand-alone application or more conveniently through Nessus. For usage with Nessus two NASL plugins are provided for interfacing between Nessus and SLAD

The Version 2.0 provides a XML Interface for Parameters and easy integration of additional audit-parameters and tools. To help the administrator to integrate a new feature-set, a development-documentation is provided with the cvs.

SLAD has been tested and verified on the following platforms:

RedHat Fedora Core 3
SuSe 9.2
Debian 3.0 (woody)
Debian 3.1 (sarge)
ERPOSS3
Gentoo Linux 2004.3

SLAD is implemented in Perl and provides an extendable plugin architecture allowing to use various GPL-based security scanners and auditing tools under one common framework. Currently, SLAD comes packaged with

John-the-Ripper
Chkrootkit
LSOF
ClamAV
Tripwire
TIGER

As a result SLAD delivers reports of these locally installed auditing and analysis tools. When used with Nessus the individual reports are wrapped into a standard Nessus report.

SLAD as well as the SLAD NASL Plugins can be downloaded from this Website in their current stable release V2.0.

Installation:

You can use our "easy-to-use" GTK installer, this installer downloads the lastest SLAD Release Binary, and install it on the target system. You only need to provide the login for the traget system.

Domain Auditor project was written to audit and track accounts within a domain. This tool uses LDAP queries to a definable Active Directory server to find various definable classes of accounts.
Initially it will operate interactively, but capabilities may be added in the future to automate functions (i.e. generate reports on a scheduled basis). The installation script handles most installation chores, so setup is very straightforward.
The tool is beta status at this time, but is in being used to generate SOX reports for my employer.
Main features:
- Reports - This function will display a list of defined reports, when invoked it will generate a list of accounts from AD (via LDAP queries) the results returned will depend on what you have defined for the filter for any particular report class under Sysadmin
- Sys Admin - This function will allow you to changes the system settings for LDAP server and port, base DN, Bind DN, username and password, and the database settings (mySQL only at this time). You may also add the report class definitions and their matching LDAP filters within this module
- User Admin - This screen is used to define users for the system and their rights. Usernames are used as the primary value, and entered values are validated via LDAP queries
- Audit Logs - The system logs all changes to the information stored and this page will allow you to review the data from these logs

Gnomba is a share browser for the smb protocol.

Gnomba allows you to scan any number of subnets for machines with smb. The workgroups, machines and share are shown in a tree-view.

For each machine you can then view the list of shares, and mount, unmount or browse them.

Right now gnomba is a separate tool. In theory it could/should co-exist with a file manager, perhaps even be part of it. We have made no attempt to do any file browsing, instead we leave that for your favorite file browser (or command line).

Well, I used to explain here how we dont use smb "master browser" scanning. However now we do. If you specify smb scanning (which is set by default) you need to have smbd and nmbd running on your machine.

If you specify IP scanning, you must specify a range of IPs to scan. This is usually just your subnet, so for instance if your network address is 10.23.45.0 then you would probably want to scan from 10.23.45.1 - 10.23.45.254.