SecurityFocus Microsoft Newsletter #62

From: Marc Fossi (mfossi@securityfocus.com)
Date: 11/26/01


Date: Mon, 26 Nov 2001 15:11:21 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>
Subject: SecurityFocus Microsoft Newsletter #62
Message-ID: <Pine.GSO.4.30.0111261511060.9163-100000@mail.securityfocus.com>

SecurityFocus Microsoft Newsletter #62
------------------------------------------

This Issue Sponsored by: John Wiley & Sons

SPECIAL SAVINGS ON SECURITY BOOKS Amazon.com is now offering discounts of
up to 40% on select books from authors like Bruce Schneier, John Chirillo
and Ross Anderson. Whether you are looking to become a CISSP, planning
for PKI, or needing to stop hackers in their tracks, they've got the book
for you.

Visit them at:
http://www.amazon.com/exec/obidos/tg/feature/-/217991/107-7187047-6127744

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Advertising Information
     2. An Audit of Active Directory Security, Part Four
     3. The Evolution of Intrusion Detection Systems
     4. You Say "Hacker", the Feds Say "Terrorist"
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Internet Explorer Password Character Determination...
     2. Legato NetWorker Reverse DNS Authentication Vulnerability
     3. thttpd Basic Authentication Buffer Overflow Vulnerability
     4. HP-UX Remote Line Printer Daemon Logic Flaw Vulnerability
     5. Bharat Mediratta Gallery Directory Traversal Vulnerability
     6. HyperMail Remote Command Execution Vulnerability
     7. OpenSSH Kerberos Arbitrary Privilege Elevation Vulnerability
     8. Microsoft Internet Explorer Patch Q312461 Existence Vulnerability
     9. Caldera XLock Buffer Overflow Vulnerability
     10. Network Tool PHPNuke Addon Metacharacter Filtering Command...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Weird URL's that work, can you say IPvOctal? (Thread)
     2. how to save event log data and perfmon data in a database?...
     3. nt 4.0 workstations (Thread)
     4. NT/2000 Event Logs (Thread)
     5. Hiding HTML code from being viewed. (Thread)
     6. VNC logging (Thread)
     7. Hiding HTML code from being viewed (Thread)
     8. Remote Admin of DMZ (Thread)
     9. Redux: IE cookies assigned to RAM disk survive reboot (Thread)
     10. Need some advice on possible NIMDA infection. - THANKS FOR...
     11. How to grant a user right to user Winat usage rights? (Thread)
     12. IE cookies assigned to RAM disk survive reboot (Thread)
     13. Administrivia: Out of Office Autoreplies (Thread)
     14. Antwort: Remote Admin of DMZ (Thread)
     15. Antwort: Exchange and secure mail (Thread)
     16. Exchange and secure mail (Thread)
     17. Need some advice on possible NIMDA infection. (Thread)
     18. SecurityFocus Microsoft Newsletter #61 (Thread)
     19. Web monitoring tool ala George Orwell. (Thread)
     20. Encryption between standalone hosts RESOLVED (Thread)
     21. Tunnelling SMB over SSH or SSL (Thread)
     22. ntfs permissions and exchange 2000 (Thread)
     23. (2) IE cookies assigned to RAM disk survive reboot...
     24. Cached Network Password (Thread)
     25. Batching Hot-fix installation (Thread)
     26. file?? (Thread)
     27. Encryption between standalone hosts (Thread)
     28. Single sign-on capability? (Thread)
     29. auditing PCs (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. entercept 2.0 Web Server Edition
     2. NetRecon
     3. SmartFilter
     4. EventAdmin
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Windows 9x PassWord List reader v0.07
     2. EndoShield v1.2
     3. ngrep (Windows) v1.39.2
     4. DDoSPing v2.0
     5. CompaqInsightManager Check & DoS 0.5
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Advertising Information

Reach the LARGEST audience of security professionals with SecurityFocus
direct e-marketing NOW!

SecurityFocus is the Web's most successful security intelligence site,
with more than 200,000 unique monthly visitors (September 2001), and
growing rapidly each week. Leverage the security portal of unrivaled
credibility and influence in your next direct marketing campaign.

To find out how SecurityFocus Web marketing and opt-in email newsletter
sponsorships can drive your company's success, contact us at
adsales@securityfocus.com, or download the Advertising Kit at
http://www.securityfocus.com/about/press/adverts.shtml. To speak directly
with a customer service representative, please call +1(650) 655-6350.

2. An Audit of Active Directory Security, Part Four: Keys to the Kingdom
by Aaron Sullivan

This is the fourth in a five-part series on auditing Active Directory
security. The first article in the series offered a brief introductory
overview of Active Directory. In the second installment we examined some of
the security implications of AD's default settings. In the third article
we looked at LDAP, SASL and Kerberos in the context of AD security. This
installment will look at some potential security concerns related to the
Configuration Naming Context in AD.

http://www.securityfocus.com/infocus/1509

3. The Evolution of Intrusion Detection Systems
by Paul Innella, Tetrad Digital Integrity, LLC

I am currently working with a client who asked me to choose an intrusion
detection system (IDS) to deploy in their environment. I have been working
with intrusion detection since it was virtually unknown, so it would seem
the decision would be quite simple. On the contrary, with all of the
different components and vendors to choose from, IDS offerings have become
pretty complex. That led me to wonder how IDS technology has progressed to
its current state. So, I invested some time trying to figure it out. Now
that I have, let me tell you, it is enough to induce a headache.
Nonetheless, I wrote this article to share my findings with you. If you
are ready for a discussion about the evolution of IDS, then read on;
however, be forewarned, the history of intrusion detection is as confusing
as Greenspan's economic strategies.

http://www.securityfocus.com/infocus/1514

4. You Say "Hacker", the Feds Say "Terrorist"
by Richard Forno

Hackers may be annoying, they may be criminals, they may even be
dangerous, but they are not terrorists.

http://www.securityfocus.com/columnists/38

II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Internet Explorer Password Character Determination...
BugTraq ID: 3563
Remote: No
Date Published: Nov 21, 2001
Relevant URL:
http://www.securityfocus.com/bid/3563
Summary:

An issue has been reported in Microsoft Internet Explorer which could
allow a user to differentiate between numeric and alphabetic characters
used in a password.

When providing a password in Internet Explorer and using the Ctrl and
right arrow key to navigate, the cursor will move between the alphabetic
and numeric characters as if there was a space between them.

2. Legato NetWorker Reverse DNS Authentication Vulnerability
BugTraq ID: 3564
Remote: Yes
Date Published: Nov 21, 2001
Relevant URL:
http://www.securityfocus.com/bid/3564
Summary:

Legato NetWorker is a server package designed to help share data, media
and backup processes across a heterogeneous network.

As part of the process of authenticating a client, the NetWorker server
attempts to verify that their given host matches their given IP address by
performing a reverse DNS lookup on the host name. If it is unable to
complete this lookup, it continues with the authentication process,
trusting the provided information.

A remote attacker able to deny reverse DNS lookup to the vulnerable server
will be able to authenticate as an arbitrary host, bypassing this check.
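
The fail-open check described in this summary, beside a fail-closed version,
as an added example that is not NetWorker's code. The resolver functions,
host names and addresses are constructed for illustration, and the reverse
lookup is modelled as a lookup on the connecting peer's IP address.

```python
from typing import Callable, List, Tuple


class LookupFailed(Exception):
    """Raised when the reverse DNS lookup cannot be completed."""


# Constructed reverse-DNS data standing in for a real resolver (assumption).
SAMPLE_PTR = {
    "192.0.2.10": "backup-client.example.com",
    "192.0.2.20": "workstation.example.com",
}

Resolver = Callable[[str], str]


def sample_resolver(ip: str) -> str:
    """Return the PTR name for ip, or fail if there is no record."""
    if ip not in SAMPLE_PTR:
        raise LookupFailed(f"no PTR record for {ip}")
    return SAMPLE_PTR[ip]


def unreachable_resolver(ip: str) -> str:
    """Model the condition in the advisory: the lookup never completes."""
    raise LookupFailed(f"reverse lookup for {ip} timed out")


def _same_host(a: str, b: str) -> bool:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def verify_fail_open(claimed_host: str, peer_ip: str, resolve: Resolver) -> bool:
    """Flawed pattern: missing evidence is treated as a successful check."""
    try:
        actual = resolve(peer_ip)
    except LookupFailed:
        return True  # lookup failed, so the client's claim is trusted as-is
    return _same_host(actual, claimed_host)


def verify_fail_closed(claimed_host: str, peer_ip: str, resolve: Resolver) -> bool:
    """Corrected pattern: no answer means the claim is unverified, so reject."""
    try:
        actual = resolve(peer_ip)
    except LookupFailed:
        return False
    return _same_host(actual, claimed_host)


def compare_policies() -> List[Tuple[str, bool, bool]]:
    """Run both checks over constructed cases: (case, fail_open, fail_closed)."""
    cases = [
        ("matching host", "backup-client.example.com", "192.0.2.10", sample_resolver),
        ("mismatched host", "backup-client.example.com", "192.0.2.20", sample_resolver),
        ("lookup unavailable", "backup-client.example.com", "192.0.2.20",
         unreachable_resolver),
    ]
    return [
        (label,
         verify_fail_open(host, ip, resolver),
         verify_fail_closed(host, ip, resolver))
        for label, host, ip, resolver in cases
    ]


if __name__ == "__main__":
    for label, opened, closed in compare_policies():
        print(f"{label:20} fail-open={opened!s:5} fail-closed={closed}")
```

The two checks agree whenever the lookup answers; they differ only in the
"lookup unavailable" case, which is the condition the advisory describes.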

3. thttpd Basic Authentication Buffer Overflow Vulnerability
BugTraq ID: 3562
Remote: Yes
Date Published: Nov 20, 2001
Relevant URL:
http://www.securityfocus.com/bid/3562
Summary:

thttpd is a web server product designed to be small, fast and secure.

Basic Authentication is a feature used by web servers to require remote
users to authenticate with a password before being allowed to view certain
files. thttpd may support basic authentication, which must be enabled at
compile time. By default, basic authentication is enabled.

When thttpd attempts to decode the user name and password provided to it,
it is possible to overflow a string buffer by a single null character.
This is known as an off-by-one vulnerability, and may lead to remote
execution of arbitrary code.

4. HP-UX Remote Line Printer Daemon Logic Flaw Vulnerability
BugTraq ID: 3561
Remote: Yes
Date Published: Nov 20, 2001
Relevant URL:
http://www.securityfocus.com/bid/3561
Summary:

Rlpdaemon is the line printer daemon that ships with HP-UX. It is intended
to provide print-sharing capabilities over a network. It is installed by
default on HP-UX systems and runs as superuser. Rlpdaemon is based on the
original BSD Unix line printer daemon and is similar to the lpd
incorporated into other Unix variants.

The HP-UX line printer daemon is prone to an issue which may allow a
remote attacker to gain local access to a host running the vulnerable
package.

This vulnerability may allow a remote attacker to make a specially crafted
print request which is able to write to arbitrary files or create
directories on the host.

This may result in the remote attacker gaining local access, potentially
with elevated privileges.

5. Bharat Mediratta Gallery Directory Traversal Vulnerability
BugTraq ID: 3554
Remote: Yes
Date Published: Nov 19, 2001
Relevant URL:
http://www.securityfocus.com/bid/3554
Summary:

Bharat Mediratta Gallery is a free, open source web-based photo album
which may be used as an add-on for the PHPNuke web portal.

Due to insufficient validation of user-supplied input, it is possible
to view arbitrary web-readable files via a specially crafted web request
which contains '../' sequences.

This issue may allow a remote attacker to gather sensitive information
which may be used in directed and organized attacks against a host running
the Gallery software.

6. HyperMail Remote Command Execution Vulnerability
BugTraq ID: 3557
Remote: Yes
Date Published: Nov 19, 2001
Relevant URL:
http://www.securityfocus.com/bid/3557
Summary:

HyperMail is free, open-source mailing list software which will take
e-mail and convert it to HTML.

Attachments sent in e-mail are not modified in any way before being
archived by HyperMail. This becomes an issue if SSI is enabled on the host
running HyperMail, as it is possible to upload a file with an SSI
extension, such as .shtml, which contains server-side includes that will
be executed when the attachment is requested.

However, the root of this issue is that a user may send an attachment with
an arbitrary file extension, which will then be archived. Other content
may be executed on the server as a result of this vulnerability.

7. OpenSSH Kerberos Arbitrary Privilege Elevation Vulnerability
BugTraq ID: 3560
Remote:
Date Published: Nov 19, 2001
Relevant URL:
http://www.securityfocus.com/bid/3560
Summary:

OpenSSH is a freely available implementation of the SSH client-server
protocol. It is distributed and maintained by the OpenSSH team.

A problem with the software has been discovered that could allow remote
users to gain unauthorized access. The level of privilege that can be
obtained through this vulnerability is currently unknown. The problem is
related to the Kerberos V authentication handling by the implementation.

Under some circumstances, it may be possible for an arbitrary user to gain
access to a system. The only affected OpenSSH implementations are those
that have compiled into the program the Kerberos V compatibility code.
This is not usually built with a default compilation of OpenSSH.

8. Microsoft Internet Explorer Patch Q312461 Existence Vulnerability
BugTraq ID: 3556
Remote: Yes
Date Published: Nov 19, 2001
Relevant URL:
http://www.securityfocus.com/bid/3556
Summary:

The HTTP_USER_AGENT variable gets passed between a web browser and a web
server each time a web page is requested by a program. The variable
contains the user agent name along with operating system information.

An issue exists with Microsoft Internet Explorer patch Q312461 which, when
installed, will reveal its existence in the HTTP_USER_AGENT variable.

This issue could assist an attacker in locating unpatched browsers and
launching attacks against the target.

9. Caldera XLock Buffer Overflow Vulnerability
BugTraq ID: 3555
Remote: No
Date Published: Nov 16, 2001
Relevant URL:
http://www.securityfocus.com/bid/3555
Summary:

xlock is an application distributed with most versions of the X Window
System. The vulnerable version is included with CDE distributed with
Caldera UnixWare and Open Unix operating systems.

A problem has been discovered that could allow local users to gain
elevated privileges. The problem is a buffer overflow in xlock. A buffer
overflow in this program makes it possible for local users to execute
arbitrary code. This could result in a local user gaining elevated
privileges, and potentially administrative access.

It is possible that this vulnerability may be already known on other
platforms.

10. Network Tool PHPNuke Addon Metacharacter Filtering Command...
BugTraq ID: 3552
Remote: Yes
Date Published: Nov 16, 2001
Relevant URL:
http://www.securityfocus.com/bid/3552
Summary:

Network Tool is a PHPNuke addon, written and maintained by Rick Fournier.
It is designed to offer network features such as nmap, traceroute, and
ping from a web interface.

A problem with the package has been discovered that could allow remote
users to gain arbitrary access to restricted resources. The problem is in
the filtering of metacharacters by the interface. A command passed to the
modules in the suite could be encapsulated in metacharacters, and would
result in the command being executed on the system with the permissions of
the httpd process.

This makes it possible for a remote user to execute arbitrary commands,
and potentially gain access to a vulnerable host.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Weird URL's that work, can you say IPvOctal? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000b01c173a3$6b220660$0500a8c0@laptop&threads=1

2. how to save event log data and perfmon data in a database? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=003301c173ad$35b0cc00$6463a8c0@bfgapollo1&threads=1

3. nt 4.0 workstations (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000801c1735f$f9bff9c0$4d0de7d5@baacpl.com&threads=1

4. NT/2000 Event Logs (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=956B91F44E41D411A8E70000D110AECB019B08C4@orion.education.services&threads=1

5. Hiding HTML code from being viewed. (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=87115154.1006350427@pc47794.campus.ad.utdallas.edu&threads=1

6. VNC logging (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000901c172c3$6b268400$eeeca8c0@parkplacetexas.corp&threads=1

7. Hiding HTML code from being viewed (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20011120202312.A12477@nsk.yi.org&threads=1

8. Remote Admin of DMZ (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=001c01c171df$b0dd66b0$6414a8c0@james&threads=1

9. Redux: IE cookies assigned to RAM disk survive reboot (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=01112016204802.01085@bilbo&threads=1

10. Need some advice on possible NIMDA infection. - THANKS FOR ALL THE
HELP (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=85D6FD232F6C7F4C81D4A320C66648581977DD@rgc2000.RGC.roseglen.com&threads=1

11. How to grant a user right to user Winat usage rights? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=453FD4452B6CD311A95F0008C7731DCD06DCE3E0@eseis10nok.ntc.nokia.com&threads=1

12. IE cookies assigned to RAM disk survive reboot (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=005f01c171dd$a7eaab50$0300a8c0@rescomconst.com&threads=1

13. Administrivia: Out of Office Autoreplies (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.GSO.4.30.0111201058270.24739-100000@mail.securityfocus.com&threads=1

14. Antwort: Remote Admin of DMZ (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OF70C9233B.B22575E1-ONC1256B0A.00300722@gmx.net&threads=1

15. Antwort: Exchange and secure mail (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OFD0A29D46.9CAE6978-ONC1256B09.0071F59E@gmx.net&threads=1

16. Exchange and secure mail (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=01fa01c17136$2fd33cb0$6400000a@leafgrove.com&threads=1

17. Need some advice on possible NIMDA infection. (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=85D6FD232F6C7F4C81D4A320C66648581977D0@rgc2000.RGC.roseglen.com&threads=1

18. SecurityFocus Microsoft Newsletter #61 (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.GSO.4.30.0111191353180.26358-100000@mail.securityfocus.com&threads=1

19. Web monitoring tool ala George Orwell. (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=2D8497CAE725D41193D100062939CD4486D4C2@exchange&threads=1

20. Encryption between standalone hosts RESOLVED (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=001201c1711f$914c8300$fd01a8c0@peterj&threads=1

21. Tunnelling SMB over SSH or SSL (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=BDE59B3B10C40746A7CD7E1743009D27159B61@lis-msg-01.europe.corp.microsoft.com&threads=1

22. ntfs permissions and exchange 2000 (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20011119022054.81893.qmail@web20503.mail.yahoo.com&threads=1

23. (2) IE cookies assigned to RAM disk survive reboot -- and history too
(Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NFBBLAEICLEBFNIBCMKMCEPMCIAA.tcgreene@bellatlantic.net&threads=1

24. Cached Network Password (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=EE9F3A089F0B01499C5782E7CFA935271C23C2@hkisrv08.teleware.fi&threads=1

25. Batching Hot-fix installation (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=897928731.1005920275@speedy.andrew.ad.cmu.edu&threads=1

26. file?? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=5.1.0.14.0.20011116110146.00affa50@mail.softhome.net&threads=1

27. Encryption between standalone hosts (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000c01c16ed0$44dcf9b0$3201010a@mrsquirrel.com&threads=1

28. Single sign-on capability? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=04a801c16e2e$b65aa7b0$3701a8c0@dealramh&threads=1

29. auditing PCs (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3BF46D39.8420.16F541F5@localhost&threads=1

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. entercept 2.0 Web Server Edition
by Entercept Security Technologies
Platforms: Solaris, Windows NT, Windows 2000
Relevant URL:
http://www.clicknet.com/products/WSE/
Summary:

Entercept 2.0 delivers technology that provides real-time analysis and
reaction to hacking attempts. Entercept 2.0 is able to identify the
attack and prevent access to critical server resources before any
unauthorized transactions occur. Unlike traditional detection products,
Entercept 2.0 proactively protects the host by evaluating requests to the
operating system and the application programming interface (API) before
they are processed. Using a blend of 'signature' and resource access
control techniques, Entercept 2.0 is able to stop both known and unknown
attacks.

2. NetRecon
by Symantec
Platforms: Windows NT
Relevant URL:
http://enterprisesecurity.symantec.com/products/products.cfm?productID=46
Summary:

Symantec NetRecon helps secure an organization's networks by exposing
vulnerabilities before intruders can exploit them and attack. By
automatically scanning systems and services on the network and safely
simulating common intrusion or attack scenarios, Symantec NetRecon answers
the question: "What can a hacker see, use, and exploit on the network?"

3. SmartFilter
by Secure Computing
Platforms: UNIX, Windows NT, Netware
Relevant URL:
http://www.securecomputing.com/index.cfm?skey=85
Summary:

SmartFilter features the highest quality and most comprehensive database
of Uniform Resource Locators (URLs) available today. Yet, it is easily
customized, transparent to end users, and has minimal system requirements.
As the industry's first monitoring and control Web tool, SmartFilter
software has proven its value and strength in Fortune 500 corporate
networks since 1995.

4. EventAdmin
by Aelita Software
Platforms: Windows NT, Windows 2000
Relevant URL:
http://www.aelita.com/products/EventAdmin.htm
Summary:

EventAdmin is a comprehensive, robust, and flexible enterprise event
management, analysis and auditing system for Windows NT and Windows 2000
networks and infrastructure applications. EventAdmin gives you the power
to track and analyze user activity patterns, applications behavior and
systems health and performance.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Windows 9x PassWord List reader v0.07
by xilun
Relevant URL:
http://xilun666.free.fr.
Platforms: UNIX, Windows 95/98
Summary:

Windows 9x Password List reader is a program that will allow you to see
the passwords contained in your Windows pwl database under Unix. You can
check the security of these files/try to recover the main password using
the bruteforce mode.

2. EndoShield v1.2
by Dave Cheeseman
Relevant URL:
http://endoshield.sourceforge.net/
Platforms: Linux
Summary:

EndoShield is a fully configurable firewall that will run under a 2.2 or
2.4 Linux kernel (ipchains or iptables). It requires no knowledge of
firewalls or how ipchains or iptables works. It is perfect for home users
wanting to secure their systems, but can also be configured for internet
connection gateways or server systems.

3. ngrep (Windows) v1.39.2
by Jordan Ritter, jpr5@darkridge.com
Relevant URL:
http://ngrep.sourceforge.net/
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

ngrep strives to provide most of GNU grep's common features, applying them
to the network layer. ngrep is a pcap-aware tool that will allow you to
specify extended regular expressions to match against data payloads of
packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP,
SLIP, FDDI and null interfaces, and understands bpf filter logic in the
same fashion as more common packet sniffing tools, such as tcpdump and
snoop.

4. DDoSPing v2.0
by Robin Keir robinkeir@foundstone.com
Relevant URL:
http://www.foundstone.com/rdlabs/tools.html
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

DDoSPing is a remote scanner for the most common Distributed Denial of
Service programs (often called Zombies by the press). These were the
programs responsible for the recent rash of attacks on high profile web
sites. This tool will detect Trinoo, Stacheldraht and Tribe Flood Network
programs running with their default settings, although setup of each
program type is possible from the configuration screen. Scanning is
performed by sending the appropriate UDP and ICMP messages at a
controllable rate to a user-defined range of addresses. Feedback
appreciated.

5. CompaqInsightManager Check & DoS 0.5
by Gert Fokkema
Relevant URL:
http://www.isaan.org/files/isaan_cim05.pl
Platforms: DOS, Perl (any system supporting perl), Windows 2000, Windows
95/98, Windows NT
Summary:

Checks for the compaqInsightManager webserver which runs on port 2301.
-Shows info of the host running the CIM.
-Tries to get the 'SAM._' backup-file.
-Got a 'DenialOfService' option.

Source available in PERL-script.
Ported to Win32executable by perl2exe.

VI. SPONSORSHIP INFORMATION
---------------------------
This Issue Sponsored by: John Wiley & Sons

-------------------------------------------------------------------------------