October 2005

10 Network Security Assessment Tools You Can’t Live Without

Test your network with these free utilities—before the bad guys do

6. Enum
For a Windows guy who also dabbles in Linux, it really comes in handy to have a comprehensive (and free) tool that enumerates all kinds of information about a Windows system. The Enum tool is exactly that tool. The command-line console-based utility reports a lot of great Win32 information about a host through NetBIOS running on TCP port 139. Using null or authenticated sessions, Enum can retrieve user lists, machine lists, share lists, group and member lists, and password and Local Security Authority (LSA) policy information. Enum is also capable of a rudimentary brute-force dictionary attack on individual local accounts. Figure 1 shows the many details about a given Windows host that are available remotely via Enum. You can download Enum (along with some other great tools, such as Pwdump2 and LSAdump2) from BindView at http://www.bindview.com/services/razor/utilities.

7. PsTools
Most of you are familiar with the many great tools and resources provided by Sysinternals. From a security assessment perspective, the PsTools suite is perhaps the most useful. Named after the UNIX ps (process listing) command-line tool, PsTools is a collection of tools that fill the gaps left by the standard Windows OS command-line tools and the Windows resource kit tools. PsTools are particularly useful for both remote and local system assessment and exploitation.

After you've exploited a host vulnerability, PsTools are a huge help in remotely manipulating a system and allowing you further exploitation such as privilege escalation. For example, if you've exploited a host and gained local administrator access but you want to escalate your privilege to the domain administrator who's currently logged on, PsTools can help you through such features as remote shutdown and process kill.

PsExec is perhaps my favorite of the PsTools. It allows someone with local administrator access (via an authenticated network connection) to remotely execute programs on a system. My favorite operation is to use PsExec to run cmd.exe on a remote system, giving me a remote command-line prompt to the system with administrator privileges (PsExec doesn't obtain these privileges for you—you have to get them some other way). For more information about PsExec, see Windows Power Tools, "PsExec," July 2004, InstantDoc ID 42919.

Other favorites include PsList, which lets you list all processes running on a remote system, and PsKill, which lets you kill individual processes running on a remote system. For more information about these tools, see Windows Power Tools, "PsList and PsKill," September 2004, InstantDoc ID 43569. Besides security assessment, the PsTools suite is quite useful simply for performing many administrator functions remotely from the command line (which is probably more the authors' intention). You can get PsTools (along with many other awesome resources) at the Sysinternals Web site at http://www.sysinternals.com/utilities.html.

8. Netcat
Although many know about Netcat because of its use as a back door that allows attackers access to a system (an exploitation feature), Netcat isn't as well known for its capabilities as a tool to perform enumeration and assessment, as well as other important operations that are part of traditional network security assessment. Developed more than 10 years ago for UNIX and ported to Windows in 1998, Netcat is an extension of the UNIX cat command, which lets you "stream" file contents to and from the screen and view, modify, or combine them. Netcat allows data from the system's standard I/O to be read and written across network connections by using TCP/IP. This means that you can directly manipulate the TCP/IP stack and read/write data over TCP or UDP ports.

In addition to using Netcat as a back-door tool, you can use it for grabbing banners (such as Telnet, SMTP, and FTP banners), "piping" files and data, port scanning, remote service and port enumeration, and many other creative functions. Every time I turn around, someone is showing me new ways that I hadn't thought of to use Netcat. I use it most frequently for port fuzzing (connecting to a TCP port and poking around to see what I can learn) and shell-shoveling (piping a command prompt from a target host back to me—a poor man's reverse shell).

Download the Windows version of Netcat at http://www.vulnwatch.org/netcat, and read http://www.vulnwatch.org/netcat/readme.html to learn more than you ever wanted to know about the tool. Learn still more at "Netcat," Security Administrator, September 2003, InstantDoc ID 39680.
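To show what the "standard I/O over a TCP stream" idea buys you in practice, here is an added example (not from the article or the Netcat project) that reproduces the banner-grabbing use of Netcat in plain Python sockets, so you can inventory what your own services announce before anyone authenticates. It assumes nothing beyond the standard library; the SMTP-style greeting and the loopback listener are constructed stand-ins for a real daemon so the script runs offline.

```python
import socket
import threading

# Constructed sample banner standing in for a real SMTP greeting, so the
# script runs offline against a loopback listener instead of a live host.
SAMPLE_BANNER = b"220 mail.example.test ESMTP Sendmail ready\r\n"


def start_fake_service(banner):
    """Loopback listener: sends `banner` (if any) to each client, then holds
    the connection open until the client hangs up. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
                try:
                    conn.recv(1)  # block until the client closes
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Equivalent of `nc host port` with nothing typed on stdin: open a TCP
    stream, read whatever the service volunteers first, return it as text.
    Services that wait for the client to speak (HTTP, for instance) yield a
    timeout rather than a banner; closed ports yield a connection refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(max_bytes)
    except OSError as exc:
        return "<no banner: %s>" % type(exc).__name__
    return data.decode("ascii", errors="replace").strip()


def banner_report(host, ports, timeout=2.0):
    """Inventory what each listening port on a host reveals before auth."""
    return {port: grab_banner(host, port, timeout) for port in ports}
```

Run `banner_report` against your own hosts and compare the result with what you intend to disclose; a greeting that names the product and version is exactly what an assessor harvests first.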

9. John the Ripper
Most people have heard of the L0phtCrack password-cracking and -audit tool originally developed by The Cult of the Dead Cow (don't ask) and now owned and maintained by @stake (recently acquired by Symantec). I prefer John the Ripper, a simple, high-performance password cracker available for many platforms (including Windows) that grew out of the well-known UNIX Crack tool. John can detect system characteristics and capabilities that allow it to optimize performance. In my experience, John runs circles around other crackers such as L0phtCrack in terms of tries per second (LC5—the current version of L0phtCrack—is supposedly greatly improved over previous versions, but you have to pay for it).

Also, John doesn't crack just Windows (LAN Manager and NT LAN Manager—NTLM) password hashes but out of the box cracks any password hashes that use DES (standard, single, extended), MD5, Blowfish, or Andrew File System (AFS) ciphertext or hash formats. John used in conjunction with a dictionary file (numerous such files are available containing most any language known in the galaxy—even Wookie and Klingon) is a can't-live-without-it tool for password cracking and audit (which every company should be doing regardless of how strong its password policy is). You can get John the Ripper at http://www.openwall.com/john or http://www.securiteam.com/tools/3X5QLPPNFE.html.
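The audit the paragraph above calls for amounts to hashing dictionary candidates and comparing them with exported hashes. The following added example (not part of the article or of John the Ripper) does exactly that over a constructed set of unsalted MD5 hashes, with a deliberately tiny imitation of wordlist mangling (case changes, appended digits and a trailing symbol) so you can see why a password that satisfies a complexity policy still falls; the hash format, the word list and the mangling rules are assumptions made for illustration, not John's actual rule engine.

```python
import hashlib
import itertools

# Constructed sample: unsalted MD5 digests of four passwords, standing in
# for hashes exported from a system under audit. Real John targets crypt(3)
# MD5, LM/NTLM and other formats; the matching logic is the same.
SAMPLE_HASHES = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"Password1").hexdigest(),
    "carol": hashlib.md5(b"dragon2005!").hexdigest(),
    "dave": hashlib.md5(b"xq9#Lm2vT").hexdigest(),  # not derivable from the list
}

# Constructed mini-dictionary; real runs use wordlists of millions of entries.
WORDLIST = ["password", "dragon", "letmein", "welcome", "admin"]


def mangle(word):
    """Yield policy-satisfying variants of one dictionary word: case changes,
    appended digits/years and a trailing symbol. An assumed, much reduced
    imitation of a cracker's rule engine, not John's actual rules."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = [""] + [str(d) for d in range(10)] + ["2005", "123"]
    symbols = ["", "!"]
    for base, suffix, sym in itertools.product(bases, suffixes, symbols):
        yield base + suffix + sym


def md5_hex(candidate):
    return hashlib.md5(candidate.encode()).hexdigest()


def audit(hashes, wordlist, hash_fn=md5_hex):
    """Return {user: recovered_password} for every hash that some mangled
    dictionary word reproduces. Users absent from the result survived the
    audit; users present need a forced reset, whatever the policy says."""
    lookup = {}  # digest -> users, so each candidate costs one hash + one probe
    for user, digest in hashes.items():
        lookup.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in lookup.get(hash_fn(candidate), ()):
                found[user] = candidate
    return found
```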

10. The Metasploit Framework
Wouldn't it be nice to have an easy-to-use exploit platform that contained the most recent exploits, featured an auto-update capability, and was extensible via a well-known language such as Perl? Yes, but ... . It's scary (and somewhat irresponsible) that someone would provide such a capability to the masses for free—it just calls out to script kiddies everywhere (roughly similar to offering a nuclear suitcase on eBay). However, I'll concede that having a tool such as the Metasploit Framework is beneficial for network security assessors emulating threats (if Pandora's box has been opened, the good guys should have the same tools as the bad guys).

The Metasploit Framework was introduced about 2 years ago as a research project by the well-known security researchers H.D. Moore and spoonm. The project's goals were half noble: to further security research and provide a resource for exploit developers. I use the Metasploit Framework (with care and with prior testing in a lab environment) as an exploitation tool for security assessments.

Metasploit is a Perl script–based engine that allows you to select from a myriad of exploits for a variety of platforms and applications (more than 75 exploits and 75 payloads and growing at the time of this writing). In addition to giving you a selection of exploits for known vulnerabilities, Metasploit lets you select the specific payloads that you'd like to send with the exploits. For example, if you want to exploit a system that has the SQL Slammer vulnerability, as mentioned in the SQLRECON section above, you can choose how you want to manipulate the vulnerable system: by creating a Win32 Bind shell connection, by sending back a Win32 Reverse shell, by simply running a remote command, by injecting a rogue Virtual Network Computing (VNC) server DLL into an exploited running process, or by some other means. Since the Metasploit Framework is also extensible via Perl modules, you can write your own exploits, plug them into the framework and use an existing applicable payload. Figure 2 shows the easy-to-use Metasploit Web interface listing the available exploits.

I recommend that you approach the Metasploit Framework with caution and use it only to demonstrate specific vulnerabilities during your network security assessment. You can download the Metasploit Framework at http://www.metasploit.com. Nessus (http://www.nessus.org) is another popular vulnerability scanner and exploit platform that has been around for years and is worth a look.

I've attempted to do the somewhat impossible—provide a list of the most popular free tools available to aid in network security assessment. It's difficult at best to choose just 10 tools—there are many tools for the job. If what I've recommended doesn't work for you, there are bound to be other, comparable free tools you can try. Or you can look into commercial tools, which are often more fully developed or have better support models than free tools do. I hope you've come away with some new knowledge about tools that you can leverage. Even if you learned about only one new great tool, this article was probably worth the read!



Reader Comments

Very informative...

DFiore.FMS@GMail.com, October 18, 2005

Very informative article. I've downloaded all the tools mentioned and am learning about them, one by one. Great place for a beginner like me to start.

AIRIT, July 07, 2006

Perfect, but where can I read the full article?

hankern, July 21, 2008

