NT Security Tools

30 November -0001

"Why should NT always be unix's poor cousin when it comes to tcp/ip testing and exploration? I bet many NT admins out there keep a unix box around to use tools such as Netcat or to test their systems with the unix version of an NT vulnerability exploit."
--Weld Pond of L0pht

This quote is no less true now than when it was written. Too often NT admins (this now includes the entire class of Windows machines from NT 4.0 to XP, to 2003 to Vista) are denied tools that are easily found and implemented on Unix systems, and therefore resort to using a *nix for many common security tasks. Luckily many skilled programmers have turned their sites toward providing quality tools for Windows. As a Windows NT administrator you should be aware of these tools, and how they are used on (or against) your system.

Several wonderful tools have recently come to my attention, many based on the power provided by the Windows port of libpcap. Wincap provides the functionality to place an ethernet card on an NT based (or even Windows home systems such as 9x and Me) into promiscuous mode and read the traffic received by the card. This allows Windows 2000, 2003, XP and Vista machines to run popular tools like Snort and dSniff. Windows binaries of these tools are also available, and in my experience, install is simple and painless. With this realization, NT admins can now use powerful auditing tools like Nmap, or even sniffing tools like dSniff, and IDS tools like the powerful and popular Snort.

Useful Tools:

WinPCap (download source: http://www.winpcap.org)

WinPCap is the library necessary to throw your ethernet card into promiscuous mode. This means that the card will listen to passing packets, not just for the packets intended for your machine. This basic capability is key to installing other security programs.

Snort (download source: http://www.snort.org)

Snort is the premier network IDS. Most Intrusion Detection handbooks use Snort as their benchmark for intrusion detection analysis. Snort uses rule sets to analyze packet traffic across the network and take specified action. Snort can be used to alert users of scans, exploit attempts, and trojan (netbus, back orifice) usage across the network. Snort can be configured to send messages via e-mail or write logs to a text file. Writing snort rules is an art in and of itself.

Dsniff (download source: http://www.datanerds.net/~mike/dsniff.html)

The Dsniff package comes with several good programs for parsing and extracting sniffed network traffic. Dsniff.exe is very good at pulling passwords, from HTTP challenge response to pop and smb passwords. The only common passwords dsniff passes over are form field passwords. I often run dsniff in the background by issuing 'dsniff >> dsniff.txt' at the command line (redirecting output to a text file for later perusal). The webspy package (webspy.exe) is a lot of fun. By issuing webspy 111.111.111.11 the program intercepts all HTTP traffic to and from the IP address 111.111.111.111 and passes it off to a local browser. This will open Netscape or IE and the traffic sent to your browser will match that of the target. You can follow targets around as they surf the net. Webspy won't follow targets over ssl connection though, or reveal information entered into form fields (like passwords). All in all Dsniff is a great package to do lightweight sniffing or IDS.

Nmap (download source: http://insecure.org/nmap/)

Nmap is probably one of the most common and effective port scanning tools out there. Not only can Nmap perform stealth scans (through the use of half open connection), but it can also do OS mapping based on tcp traffic. Nmap is great for taking a look at your own systems and finding what services are open, or for scanning a remote machine to find potential holes.