These tools originate from some specific needs I or my teamates had and from some of my security advisories and vulnerability discoveries (though I stopped publishing some several years ago, due to lack of time and...new laws !).
Of course, these tools are free !
FakeNetBIOS is a family of tools designed to simulate Windows hosts and domains on a LAN. FakeNetBIOS is made of several individual tools:
- FakeNetbiosDGM (NetBIOS Datagram)
- FakeNetbiosNS (NetBIOS Name Service)
Each tool can be used as a standalone tool or as a honeyd responder or subsystem.
FakeNetBIOS was originally hosted by the French Honeypot Project (FHP) Web site, now cancelled.
You can download FakeNetBIOS here.
SecuredIIS, developped with other security experts and in collaboration with Russ Cooper of NTBugTraq, is designed to secure a default installation of IIS. It shows in practice how to implement the recommendations I present in my articles.
Version 1.0 does the following:
- Remove FTP Services and any virtual directories
- Remove the IISADMPWD virtual web directory
- Remove all IIS Samples
- Disable FrontPage on the Default Web Site
- Remove SMTP Services and any virtual directories
- Disable Parent Paths
- Remove Script Mappings for:
- Remove SMTP Service
- Remove FTP Service
- Remove RDS Registry keys
- Set Jet ODBC to safe Sandbox mode
- Disable automatic NetBIOS shares
- Disable 8.3 DOS file generation
- Remove the Optional, OS/2 and Posix subsystems
- Hides the last logon name
- Establishes a logon notice
- Removes the Shutdown button from Logon dialog
- Restricts Anonymous access
- Deletes physical directories associated with:
- SMTP Service
- FTP Service
- IIS Samples
- IIS Password Change directory
SecuredIIS is released on the NTBugTraq Web site. To download it, use the following URLs:
SecuredIIS tool page
GetAdmin Screen Saver
GetAdmin Screen Saver exploits a well known Windows NT/2000 vulnerability: the default screen saver launched when nobody is logged on runs under the SYSTEM account. GetAdmin Screen Saver replaces the default Windows NT/2000 screen saver (logon.scr) and adds the 'Test' user to the local Administrators group.
Note that this screen saver is not stealth on purpose.
Download GetAdmin Screen Saver (20 Kb)
IISPwds is the tool that exploits the IIS metabase vulnerability I discovered in 1998.
IISPwds, developped in C++, shows the passwords of some NT accounts used by Microsoft IIS 4.0 and 5.x in clear text.
These passwords are stored in IIS metabase. They are not stored in clear text but they can be easily derived to clear text. Note that this tool is a local version only. The version capable of retreiving remote passwords will not be released.
Download IISPwds (19 Kb)
This tools shows how one or several NT accounts have been used:
- Last login
- Last logoff
- Last failed login
- Last bad login address
- Bad login count
- Password expiration date
- Password max age
- Password last changed
Note that you do NOT need to be an Administrator or a Domain Administrator to get all the information about every account on your domain. Moreover, if you have a connection with another domain, you can also get the information about any account on this domain. It is a kind of vulnerability...
AccountChecker requires ADSI (Active Directory Server Interface) installed on the machine.
Download AccountChecker V. 2.0 (17 Kb)
I did not have time to put all the tools online yet. You will find more tools here soon.