SAN MATEO (03/27/2000) - We're always on the lookout for fresh sources of information and tools on security vulnerabilities. This week we want to highlight such a source for Microsoft Corp. Windows NT. We're speaking of NTsecurity.nu, at www.ntsecurity.nu, founded by Arne Vidstrom.
Vidstrom has exposed his fair share of Windows vulnerabilities. Bringing attention to recent vulnerabilities in Recycle Bin, Repair Disk (rdisk), and Internet Anywhere Mail Server have proven his security acumen. Then there is his tool set. Although we can't cover all his tools, we present a few that we're sure you'll find are worth a look.
The first tool would not traditionally be called a security product, but it can help your security posture. The Delguest tool can remove the Guest account on Windows NT. Delguest can save your users from themselves by eliminating the chance of one of them enabling the account and providing cursory access to the system.
You'll find Snitch is in the same vein as Revelation, from Snadboy (www.snadboy.com), and Unhide, by Vitas Ramanchaukas (webdon.com). Snitch displays the starred-out passwords in typical Windows controls, such as those in the Microsoft SQL Manager dialog box. Although not a truly high-risk vulnerability, do not underestimate the value of showing your manager his or her super-secret password with a single mouse click.
The ipEye tool performs some of the tricks of our favorite Unix scanner nmap; these include alternate packet scanning (FIN, null, Xmas), and the capability to specify source IP and port for the scan for operating in stealth mode.
Spoofing has long been the realm only of Unix and we were skeptical, but ipEye seems to live up to its promises. The big drawback to this program, however, is that it runs only on Windows 2000. Vidstrom must be taking advantage of some of the new raw socket features in Windows 2000.
Like the well-known products from Mneumonix, winfo automates the infamous null session information grab, ever effective against NT and even 2000, assuming that proper precautions have not been taken to disable them. This would be a nifty little tool for adding to scripts, but it seems to exit if information can't be dumped, making it difficult to automate via a logical loop. Of course, the good ol' net use command native to Windows NT and DumpACL will still work fine as well.
Ever wonder why no one (outside of Network Associates' CyberCop Scanner) can make a good UDP (User Datagram Protocol) port scanner for NT? Well, although UDP scanning is a bit more difficult than TCP scanning, Vidstrom has proven that this is no excuse. Vidstrom's Windows UDP Port Scanner (WUPS) is probably the most accurate UDP scanner for NT. The product isn't what you would call feature-rich, but it gets the job done.
Vidstrom's SQL brute force password guesser, sqldict, is also unique in the industry. We don't know of any tool that takes a dictionary list of passwords and attempts to break into Microsoft SQL using a user-defined account (usually "sa"). The product can be slow, but it works and will be in our consulting toolbox.
The strongpass tool complements the familiar passfilt.dll from Microsoft. Meant to restrict new passwords to the difficult-to-guess variety, strongpass further enforces the rules of passfilt to require users to set strong passwords. It also takes advantage of the weaknesses in Microsoft's password encryption scheme to harden the first and second set of seven characters in the password.
From the category of the truly interesting comes inzider. This tool tries to discover the ports opened by a particular program. This is a really great idea.
(Who doesn't want to know what the heck is listening on those ports?) Unfortunately, the program can consistently crash some applications. We witnessed some severe instability when using this tool -- undoubtedly due to the DLL injection technique used to gain access to the sockets.
What other tool sites are in your arsenal? Let's us know at firstname.lastname@example.org.
Stuart McClure is president/CTO and Joel Scambray is a managing principal at Rampart Security Group (www.ramsec.com).