So, you're thinking about testing your own Windows systems for security vulnerabilities? Doing so is actually pretty interesting work -- that is, if you have the right tools. Well, instead of wading through all the muck and mire trying to find good security tools let me help point you in the right direction.
For starters, as it relates to Windows-based computers, there are seven general types of security testing tools. These are:
- Port scanners
- Network/OS vulnerability scanners
- Application/database vulnerability scanners
- Password crackers
- File searching tools
- Network analyzers
- Exploit tools
All of these types of tools can and should be used when performing penetration tests, vulnerability assessments, and security audits on your Windows systems.
I've found by and large that you get what you pay for when it comes to security testing tools. There are, however, a handful of free tools that I can't live without, so I'll share both types with you.
| Tool | Website | What it's good at |
|---|---|---|
| SuperScan version 3 | www.foundstone.com/resources/proddesc/superscan3.htm | Very fast and easy-to-use port scanner that can find live systems, look for open ports and running services, and grab banner information including software versions |
| SoftPerfect Network Scanner | www.softperfect.com/products/networkscanner | Maps MAC addresses to IP addresses, which can help you locate rogue wired and wireless systems |
| NetBIOS Auditing Tool (NAT) | www.cotse.com/tools/netbios.htm | Neat tool for cracking passwords on Windows network shares |
| Winfingerprint | http://winfingerprint.sourceforge.net | Windows enumeration tool that can ferret out patch levels, NetBIOS information, user information, and more |
| Metasploit | www.metasploit.org | A great tool to exploit those Windows-based vulnerabilities that other tools find |
| Cain & Abel | www.oxid.it | A nice tool for miscellaneous password cracking |
| QualysGuard | www.qualys.com | The ultimate in ease of use and comprehensive network/OS vulnerability scanning -- checks for thousands of old and current exploits |
| GFI LANguard Network Security Scanner | www.gfi.com/lannetscan | A great low-cost network/OS vulnerability scanner with a nice focus on Windows systems |
| N-Stealth | www.nstalker.com | A nice low-cost scanner for systems running IIS |
| WebInspect | www.spidynamics.com/products/webinspect/index.html | The ultimate in in-depth Web application vulnerability testing for systems running IIS, Apache, and more |
| WinHex | www.winhex.com/winhex/index-m.html | Great for poking around to see what applications leave exposed in memory after they run -- simply search for text such as "password", "SSN", etc. to find sensitive information that's not properly cleaned up |
| AppDetective for MS SQL Server | www.appsecinc.com/products/appdetective/mssql | The ultimate database security scanner for systems running SQL Server |
| Proactive Password Auditor | www.elcomsoft.com/ppa.html | An effective and simple-to-use password cracking program -- includes support for rainbow tables |
| Effective File Search | www.sowsoft.com/search.htm | Great text searching tool for finding files on local drives and server shares -- simply search for text such as "password", "SSN", etc. to find sensitive information that's not properly secured |
| EtherPeek | www.wildpackets.com/products/etherpeek/overview | Excellent network analyzer for ferreting out rogue systems and unauthorized protocols, finding top talkers, and more |
As you build your security testing toolbox over time, you'll find that there is no one best tool. Also, keep in mind that security tools are not the Holy Grail for finding security vulnerabilities -- even technical ones. That's where application, OS, and network knowledge and, most importantly, experience will come into play.
Where tools are required, you'll see that the ones that are more specialized in finding specific types of vulnerabilities will provide you with the best results. It all comes down to personal preference and how comfortable you feel using each tool, but in the end your goal should be to find the greatest number of vulnerabilities with the least amount of legwork, in the shortest amount of time. Get to know the tools on this list, use them consistently, and you'll be well on your way to vulnerability assessment stardom.
About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
This was first published in January 2006