SAN MATEO (04/03/2000) - We receive at least a dozen e-mail messages a week that ask in one form or another, "How do I secure my Windows network?" The answer, as always, is "Arm yourself with the right tools, and learn by using."
There was a brief period of inactivity when some of the premier Microsoft Corp. Windows assessment tools were devoured by commercial interests, but now a new group of free Windows security-assessment tools is flourishing on the Internet.
This week we talk about some of those tools and how they deliver sophistication and comprehensiveness at no cost. Who says Linux is the only platform where free software reigns supreme?
One of our favorite utilities for quick and dirty scans used to be NTInfoScan (NTIS) by David Litchfield (aka Mnemonix), now at Cerberus Information Security in the United Kingdom. NTIS has been renamed Cerberus Internet Scanner (CIS) and is available in a supported-for-a-fee version and an unsupported free version (see www.cerberus-infosec.co.uk for details).
CIS is respectable because of its simple but effective approach. It looks for the usual low-hanging fruit such as NetBIOS information via unauthenticated connections and remote access to an unsecured Windows NT or Windows 2000 Registry. CIS also pulls informational banners from listening services and attempts to identify several common security failings with Web, FTP, SMTP, POP3, and DNS services if they are active on the target. We still reminisce about the command-line version that could be scripted to scan multiple hosts, but the freeware CIS is a great start for small-scale assessments.
NTOScanner is a $30 TCP port scanner that claims to scan all 65,535 TCP ports of a target machine in fewer than five minutes. Our tests came close to validating that claim, with scans finishing in the five- to 10-minute range. NTOScanner also sports a crisp interface as well as easily customizable target and port lists, and it even pulls banners from listening services.
Of more interest is the wicked NTOMax, which is a free, script-driven buffer overflow and denial of service testing tool. Perhaps the best way to describe what NTOMax does is to walk through a stirring example, which is available in the form of a PowerPoint presentation called "Taking Out an NT Server," at packetstorm.securify.com/papers/NT.
NTOMax is extraordinarily simple. Its power derives from iterative substitution of a single variable, the * character in the script syntax, with a user-defined, increasing array of buffer data. For example:

    host:10.10.10.10,110,40,100
    lc:user hac*ker
    lc:pass hack*pass

The first line of this NTOMax script will connect to port 110 (POP3) on host 10.10.10.10, and within the boundaries of 40- and 100-byte buffers, it will loop through the next two commands (lc denotes "loop command"), which send user name and password data to the POP server. With each loop, the padding sent in place of the * is incremented by one byte until the maximum of 100 is reached. Thus, the first loop sends a user name of "hac[40 bytes]ker" and a password of "hack[40 bytes]pass," the next loop sends "hac[41 bytes]ker" and "hack[41 bytes]pass," and so on until the maximum buffer padding of 100 bytes is reached.
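To make the script semantics concrete, here is an added example that re-implements the NTOMax loop in Python. It is not NTOMax's own code: it parses a script of the same shape as the one above, replaces the single * with an increasing run of padding, and reports the first padding size at which the target stops answering. Because the column's 10.10.10.10 target obviously is not reachable here, the demo drives the loop against a constructed stand-in for a POP3 daemon whose USER buffer is assumed to hold 70 bytes; the tcp_session helper shows how the same loop would be pointed at a live service.

```python
"""NTOMax-style iterative padding fuzzer (added example, not NTOMax itself)."""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed script in the column's syntax: host:ip,port,min_pad,max_pad,
# followed by loop commands whose single * is replaced with padding.
SCRIPT = """\
host:10.10.10.10,110,40,100
lc:user hac*ker
lc:pass hack*pass
"""


@dataclass
class FuzzScript:
    host: str
    port: int
    min_pad: int
    max_pad: int
    loop_cmds: List[str] = field(default_factory=list)


def parse_script(text: str) -> FuzzScript:
    """Parse host:/lc: lines; blank lines and # comments are ignored."""
    script: Optional[FuzzScript] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key == "host":
            host, port, lo, hi = (v.strip() for v in value.split(","))
            script = FuzzScript(host, int(port), int(lo), int(hi))
        elif key == "lc":
            if script is None:
                raise ValueError("lc: line before host: line")
            if value.count("*") != 1:
                raise ValueError(f"lc: needs exactly one *: {value!r}")
            script.loop_cmds.append(value)
        else:
            raise ValueError(f"unknown directive: {key!r}")
    if script is None:
        raise ValueError("script has no host: line")
    return script


def expand(cmd: str, n: int, filler: str = "A") -> bytes:
    """Substitute n filler bytes for the *: 'user hac*ker', n=2 -> b'user hacAAker\\r\\n'."""
    return (cmd.replace("*", filler * n) + "\r\n").encode("ascii")


Session = Callable[[bytes], bytes]  # send one command line, return the reply


def fuzz(script: FuzzScript, open_session: Callable[[], Session]) -> Optional[Tuple[int, str]]:
    """Walk the padding from min_pad to max_pad, one fresh session per size,
    sending every loop command. Returns (padding, command) for the first send
    that times out or loses the connection; None if the whole range survives."""
    for n in range(script.min_pad, script.max_pad + 1):
        try:
            send = open_session()
        except OSError:
            return n, "<connect>"  # target already down from the previous size
        for cmd in script.loop_cmds:
            try:
                send(expand(cmd, n))
            except (socket.timeout, ConnectionError, OSError):
                return n, cmd
    return None


def tcp_session(host: str, port: int, timeout: float = 5.0) -> Session:
    """Live session (assumption: a line-oriented service such as POP3 that
    greets with a banner): connect, discard the banner, then send/recv per line."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.recv(1024)

    def send(line: bytes) -> bytes:
        sock.sendall(line)
        reply = sock.recv(1024)
        if not reply:
            raise ConnectionError("server closed the connection")
        return reply

    return send


def fake_pop3_session(user_buf: int = 70) -> Session:
    """Constructed stand-in for a POP3 daemon with a fixed-size USER buffer:
    it stops answering (simulated as a timeout) once the name exceeds user_buf bytes."""
    def send(line: bytes) -> bytes:
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if verb.lower() == b"user" and len(arg) > user_buf:
            raise socket.timeout("no reply from target")
        return b"+OK\r\n"

    return send


def demo() -> Optional[Tuple[int, str]]:
    """Run the column's script against the constructed target."""
    return fuzz(parse_script(SCRIPT), lambda: fake_pop3_session(user_buf=70))


if __name__ == "__main__":
    hit = demo()
    print("no timeout within range" if hit is None
          else f"target stopped answering at {hit[0]} bytes of padding in {hit[1]!r}")
```

With the 70-byte stand-in, "hac" plus padding plus "ker" first exceeds the buffer at 65 bytes of padding, which is the kind of boundary NTOMax reports. To point the loop at a real host, replace the lambda with `lambda: tcp_session(script.host, script.port)`; note that a fresh connection per padding size matters, because a dead service would otherwise make every later size look like a crash.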
How can this seemingly simplistic blast of data reveal security holes? When the POP server is unable to handle a certain buffer size within these input fields, it will choke. NTOMax will dutifully note that the server times out after, say, the 65th byte of padding, clueing in the attacker that there is a potential buffer overflow condition that can be exploited. A timeout or dropped connection only shows that the service stopped handling input at that size; confirming that the crash is controllable, let alone exploitable, takes the further work described next.
In the case of "Taking Out an NT Server," a hacker named dark spyrit more precisely bounded the buffer overflow condition in an Avirt Mail server (www.avirt.com/mail) with some further work, whipped up some exploit code, and was able to spawn a listening shell with SYSTEM privileges on the remote target system. Simply telnet to the listening shell and you could gain console access with the highest order of privilege.
Could a tool like NTOMax help secure your network applications? Let us know at email@example.com.
Stuart McClure is president and CTO and Joel Scambray is a managing principal at Foundstone (www.foundstone.com).