Tools



These tools originate from specific needs that I or my teammates had, and from some of my security advisories and vulnerability discoveries (though I stopped publishing some several years ago, due to lack of time and... new laws!).
Of course, these tools are free!



FakeNetBIOS

FakeNetBIOS is a family of tools designed to simulate Windows hosts and domains on a LAN. FakeNetBIOS is made of several individual tools:

  • FakeNetbiosDGM (NetBIOS Datagram)
  • FakeNetbiosNS (NetBIOS Name Service)

Each tool can be used as a standalone tool or as a honeyd responder or subsystem.
FakeNetBIOS was originally hosted on the French Honeypot Project (FHP) Web site, which is now discontinued.
You can download FakeNetBIOS here.



SecuredIIS

SecuredIIS, developed with other security experts and in collaboration with Russ Cooper of NTBugTraq, is designed to secure a default installation of IIS. It shows in practice how to implement the recommendations I present in my articles.

Version 1.0 does the following:

  1. Remove FTP Services and any virtual directories
  2. Remove the IISADMPWD virtual web directory
  3. Remove all IIS Samples
  4. Disable FrontPage on the Default Web Site
  5. Remove SMTP Services and any virtual directories
  6. Disable Parent Paths
  7. Remove Script Mappings for:
    • .cer
    • .cdx
    • .htr
    • .htw
    • .ida
    • .idc
    • .idq
    • .stm
    • .shtm
    • .shtml
  8. Remove SMTP Service
  9. Remove FTP Service
  10. Remove RDS Registry keys
  11. Set Jet ODBC to safe Sandbox mode
  12. Disable automatic NetBIOS shares
  13. Disable 8.3 DOS file generation
  14. Remove the Optional, OS/2 and Posix subsystems
  15. Hide the last logon name
  16. Establish a logon notice
  17. Remove the Shutdown button from the Logon dialog
  18. Restrict Anonymous access
  19. Delete physical directories associated with:
    • SMTP Service
    • FTP Service
    • IIS Samples
    • IIS Password Change directory
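
As an added example (not part of SecuredIIS and not code from this page), the Python script below audits a regedit text export against steps 12 to 18 of the list above. The registry value names are the ones commonly documented for these settings on Windows NT/2000 and are an assumption, since the page does not say which values SecuredIIS changes; the sample export is constructed.

```python
import re

CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SUBSYS = CCS + r"\Control\Session Manager\SubSystems"
# Assumed mapping of list steps to registry values: (step, key, value name, test).
# The test receives None when the value is absent from the export.
CHECKS = [
    (12, CCS + r"\Services\LanmanServer\Parameters", "AutoShareServer", lambda v: v == 0),
    (13, CCS + r"\Control\FileSystem", "NtfsDisable8dot3NameCreation", lambda v: v == 1),
    *[(14, SUBSYS, n, lambda v: v is None) for n in ("Optional", "Os2", "Posix")],
    (15, WINLOGON, "DontDisplayLastUserName", lambda v: str(v) == "1"),
    (16, WINLOGON, "LegalNoticeText", lambda v: bool(v)),
    (17, WINLOGON, "ShutdownWithoutLogon", lambda v: str(v) == "0"),
    (18, CCS + r"\Control\Lsa", "RestrictAnonymous", lambda v: v in (1, 2)),
]

def parse_reg(text):
    """Parse a regedit text export into {(key, value_name): value}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            raw = m.group(2)  # dword becomes int; strings and other types stay text
            values[key, m.group(1).lower()] = (
                int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"'))
    return values

def audit(values):
    """Return (step, value name) for every check that is not in the hardened state."""
    return [(step, name) for step, key, name, ok in CHECKS
            if not ok(values.get((key.lower(), name.lower())))]

# Constructed sample export of a partially hardened host (not real data).
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Posix"=hex(2):25,00,53,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
'''

if __name__ == "__main__":
    for step, name in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"step {step}: {name} is not in the hardened state")
```
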

SecuredIIS is released on the NTBugTraq Web site. To download it, use the following URLs:

SecuredIIS tool page
Download SecuredIIS



GetAdmin Screen Saver

GetAdmin Screen Saver exploits a well-known Windows NT/2000 vulnerability: the default screen saver launched when nobody is logged on runs under the SYSTEM account. GetAdmin Screen Saver replaces the default Windows NT/2000 screen saver (logon.scr) and adds the 'Test' user to the local Administrators group.
Note that this screen saver is deliberately not stealthy.

Download GetAdmin Screen Saver (20 Kb)



IISPwds

IISPwds is the tool that exploits the IIS metabase vulnerability I discovered in 1998.
IISPwds, developed in C++, shows the passwords of some NT accounts used by Microsoft IIS 4.0 and 5.x in clear text.
These passwords are stored in the IIS metabase. They are not stored in clear text, but they can easily be recovered as clear text. Note that this tool is a local version only. The version capable of retrieving remote passwords will not be released.

Download IISPwds (19 Kb)



AccountChecker

This tool shows how one or several NT accounts have been used:

- Last login
- Last logoff
- Last failed login
- Last bad login address
- Bad login count
- Password expiration date
- Password max age
- Password last changed

Note that you do NOT need to be an Administrator or a Domain Administrator to get all the information about every account on your domain. Moreover, if you have a connection with another domain, you can also get the information about any account on this domain. It is a kind of vulnerability...
AccountChecker requires ADSI (Active Directory Service Interfaces) to be installed on the machine.

Download AccountChecker V. 2.0 (17 Kb)



...
I did not have time to put all the tools online yet. You will find more tools here soon.