NT Security Tools
By: madirish
"Why should NT always be unix's poor cousin when it
comes to tcp/ip testing and exploration? I bet many NT admins out there
keep a unix box around to use tools such as Netcat or to test their systems
with the unix version of an NT vulnerability exploit."
--Weld Pond of L0pht
This quote is no less true now than when it was written. Too often NT admins are denied tools that are easily found and implemented on Unix systems, and therefore resort to using a *nix for many common security tasks. Luckily many skilled programmers have turned their sights toward providing quality tools for Windows. As a Windows NT administrator you should be aware of these tools, and of how they are used on (or against) your systems.
Several wonderful tools have recently come to my attention, all built on the Windows port of libpcap. WinPcap provides the functionality to place an Ethernet card on an NT-based system (or even a Windows 9x/Me system) into promiscuous mode and read the traffic the card receives. This allows Windows 2000 machines to run popular tools like Snort and dsniff. Windows binaries of these tools are also available, and in my experience installation is simple and painless. With WinPcap in place, NT admins can now use powerful auditing tools like Nmap, sniffing tools like dsniff, and IDS tools like the powerful and popular Snort.
Useful Tools:
Snort (download source: http://www.snort.org)
-Snort is the premier network IDS. Most intrusion detection handbooks use Snort as their benchmark for intrusion detection analysis. Snort uses rule sets to analyze packet traffic across the network and take a specified action. It can be used to alert users to scans, exploit attempts, and trojan (NetBus, Back Orifice) usage across the network, and it can be configured to send messages via e-mail or write logs to a text file. Writing Snort rules is an art in and of itself.
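To make the rule-set idea concrete, here is an added illustration (not Snort's own code, and not from the article) of how a Snort-style rule header plus a content: option is matched against decoded packets; the $HOME_NET value, the NetBus/Back Orifice default ports and the sample traffic are constructed assumptions.

```python
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport payload")  # decoded sniffer output

# Snort rule header: action proto src sport -> dst dport (option; option; ...)
HEADER = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text, variables):
    """Parse one rule line into a dict; $VAR names in the header are expanded."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    rule = m.groupdict()
    rule["src"], rule["dst"] = (variables.get(rule[k], rule[k]) for k in ("src", "dst"))
    opts = (o.strip().partition(":") for o in rule.pop("opts").split(";") if o.strip())
    rule["opts"] = {k.strip(): v.strip().strip('"') for k, _, v in opts}
    return rule

def host_ok(spec, addr):  # spec is 'any', one address, or a CIDR block
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def match(rule, pkt):
    """True when protocol, addresses, ports and any content: option all match the packet."""
    content = rule["opts"].get("content")
    return (rule["proto"] in ("ip", pkt.proto) and host_ok(rule["src"], pkt.src)
            and host_ok(rule["dst"], pkt.dst) and rule["sport"] in ("any", str(pkt.sport))
            and rule["dport"] in ("any", str(pkt.dport))
            and (content is None or content.encode() in pkt.payload))

def run(rules, packets):
    """Return the msg of every alert rule that fires, in packet order."""
    return [r["opts"].get("msg", "(no msg)") for p in packets for r in rules
            if r["action"] == "alert" and match(r, p)]

# Constructed rules and traffic; HOME_NET and the trojan ports are assumptions, not from the article.
RULES = [parse_rule(t, {"$HOME_NET": "192.168.1.0/24"}) for t in (
    'alert tcp any any -> $HOME_NET 12345 (msg:"NetBus probe";)',
    'alert udp any any -> $HOME_NET 31337 (msg:"Back Orifice traffic";)',
    'alert tcp any any -> $HOME_NET 80 (msg:"cmd.exe in HTTP request"; content:"cmd.exe";)')]
SAMPLE = [
    Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 12345, b""),
    Packet("udp", "10.0.0.5", 40001, "192.168.1.10", 31337, b"\x00"),
    Packet("tcp", "10.0.0.5", 40002, "192.168.1.10", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 40003, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 40004, "172.16.0.1", 12345, b""),  # destination outside HOME_NET
]
```

Calling run(RULES, SAMPLE) yields three alerts (the NetBus probe, the Back Orifice datagram and the cmd.exe request) while the ordinary page fetch and the packet aimed outside HOME_NET stay silent.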
Dsniff (download source: http://www.datanerds.net/~mike/dsniff.html)
-The dsniff package comes with several good programs for parsing and extracting sniffed network traffic. dsniff.exe is very good at pulling passwords, from HTTP challenge-response to POP and SMB passwords. The only common passwords dsniff passes over are form-field passwords. I often run dsniff in the background by issuing 'dsniff >> dsniff.txt' at the command line (redirecting output to a text file for later perusal). The webspy program (webspy.exe) is a lot of fun. By issuing 'webspy 111.111.111.111' the program intercepts all HTTP traffic to and from the IP address 111.111.111.111 and passes it off to a local browser. This will open Netscape or IE, and the traffic sent to your browser will match that of the target, so you can follow targets around as they surf the net. Webspy won't follow targets over SSL connections, though, or reveal information entered into form fields (like passwords). All in all, dsniff is a great package for lightweight sniffing or IDS.
WinPcap (download source: http://netgroup-serv.polito.it/winpcap/)
-This is the package that makes it all possible. Simply download it and install by double-clicking the .exe. It runs in the background and makes dsniff and Snort possible.
Nmap (download source: http://www.eeye.com/html/Research/Tools/nmapNT.html)
-Nmap is probably one of the most common and effective port scanning tools out there. Not only can Nmap perform stealth scans (through the use of half-open connections), but it can also fingerprint the operating system based on TCP traffic. Nmap is great for taking a look at your own systems and finding which services are open, or for scanning a remote machine to find potential holes.