Security Watch: An Arsenal of Attacks

Anticipating this year's always titillating Def-Con capture the flag contest, we thought it appropriate to open our security toolbox and reveal the latest in the security implements trade. Of course we maintain that commercial security products have their place, but few replace the work we perform as security consultants.

As many of you know, commercial tools are useful, but many are bloated and weighed down by frivolous features we rarely use. As a result, we often have to cobble together existing freeware and shareware programs and then write our own Windows NT and Unix scripts to perform attack and penetration exercises.

In this year's toolbox, we have some traditional favorites and newcomers. Traditional tools such as netcat, the Swiss Army knife of hacking tools, the NT TCP port scanner SuperScan, and the NT UDP (User Datagram Protocol) scanner Wups still make the cut, but new freeware and commercial tools always creep into the collection each year.

Portals onto the world

For NT port scanning, nothing beats Robin Keir's TCP port scanner, SuperScan. It stands alone as the best freeware scanner available: multithreaded, incredibly flexible, and fast. On the other end of the speed spectrum is UDP port scanning. Arne Vidstrom's Wups is arguably the best freeware UDP scanner for NT. Wups is no Flash Gordon, and you'll have to tune the time-out delay to make it reliable (a UDP scanner infers an open port from the absence of an ICMP port-unreachable reply, so too short a time-out reports filtered or slow ports as open), but it is the closest to perfection that you can get on NT.

For Unix, the creme de la creme of port scanners is still nmap, by Fyodor, for both TCP and UDP. And for incredible ICMP (Internet Control Message Protocol) ping speeds, you still want the gping/fping combination, which lets you scan a Class A network in just minutes. For NT, ICMP pinging tool Pinger, from the now retired Rhino9 team, is still the best. As we write this, eEye Digital Security has just released a port of nmap for NT, which we need to try out soon (

When it comes to mapping the ports in use on an NT system (like lsof does on Unix), we have few NT equivalents. Inzider, from Vidstrom, enumerates the ports that are open on a system by querying the process table, but its stability is questionable at best. A better (for a fee) product is TCPView Pro from

How the NT passwords have fallen

For password cracking, the once dominant L0phtcrack has been challenged by a much faster tool: John the Ripper. Once a Unix-only password cracker, John is blindingly fast on NT password hashes, but its Achilles heel is that it cracks only the LanMan (LM) hash. LM uppercases the password and pads or truncates it to 14 characters before hashing each 7-character half separately, so what John hands you is the uppercased password, not the original. To recover the exact case you must still attack the case-sensitive NT (NTLM) hash, which John cannot do. NTPassword is a decent NT password cracker as well, but, along with L0phtcrack, its speed needs improvement.

For sniffing the network and discovering those always fruitful gems of data such as passwords and e-mail contents, a host of products deserve your attention. The newest tool on both the Unix and NT circuits is Dug Song's Dsniff distribution. Dsniff picks passwords out of more than 15 protocols that send them in cleartext or merely obfuscated. The distribution also contains probably the most impressive tool to surface in the past year: arpredirect. It sends forged ARP replies so that hosts on the segment associate the gateway's IP address with your MAC address, which routes their traffic through your machine and lets you sniff on a switched network with the greatest of ease; remember to forward the packets on (with fragrouter, also from Dug Song, or the kernel's own IP forwarding) or the redirected hosts simply lose connectivity. For GUI sniffing, Spynet is our favorite low-cost NT sniffer; it allows full packet capture.

For war dialing, THC-Scan has been very good to us, ripping into countless open modems over the years (and you can't beat its price: free), but Telesweep, by SecureLogix, is a serious up-and-comer. The war dialer has some cool management reports and allows multiple systems to dial out under the management of a single computer (a function that takes some elbow grease with THC-Scan).

E-commerce future

For Web hacking, which we consider to be the future of all attacks on the Internet, the browser remains king. We love to brag about carrying this single tool into our e-commerce security engagements and walking away with the corporate jewels. Grinder, from Rhino9, is great for bulk Web-site detection but is limited in its functionality. The script from Rain Forest Puppy is the de facto tool for assessing known Web vulnerabilities. Look for more commercial tools on the horizon.

You can find all these tools by traversing the various sites we've cited in our columns, or simply jump over to the Hacking Exposed Web site at

Did we miss your favorite security tool? Send your gripes or hot tool tips to

Stuart McClure is president and CTO, and Joel Scambray is managing principal, at security consultancy Foundstone ( McClure and Scambray were formerly analysts in the InfoWorld Test Center. Their best-selling book, Hacking Exposed, has sold more than 100,000 copies in six months (