| Windows NT Auditing Tools | |
| AFind is the only tool that lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames; by coordinating this with logon info provided by NTLast, you can begin to determine user activity even if file logging has not been enabled. | |
| Somarsoft DumpAcl V2.7.16 - Windows NT program to dump the permissions (ACLs) for the file system, registry, shares and printers in a concise, readable listbox format, so that "holes" in system security are readily apparent. | |
| Somarsoft DumpEvt V1.7.3 - Windows NT program to dump the event log, in a format suitable for importing into a database. Used as the basis for an event log management system, for long-term tracking of security violations, etc. | |
| There is also a DLL version of DumpEvt, which allows you to read the formatted event log from Visual Basic. | |
| Somarsoft DumpReg V1.1 - Windows NT and Windows 95 program to dump the registry, making it easy to find keys and values matching a string. | |
| Forensic Toolkit v1.4 contains several Win32 command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity. Excellent Open Source freeware from NT OBJECTives, Inc. 413.104 kb. Check out the NT OBJECTives, Inc. web site for lots of excellent tools and the source code for some of their fine products. | |
| The Forensic ToolKit 1.4 is a suite of very useful tools to help you examine the files on an NTFS disk partition for unauthorized activity. This is a "must have" Win32 command line tool. Features: afind, hfind, sfind, audited, daclchk, filestat, hunt. Changes: fixed SP4/SP5 incompatibility, fixed audited, bugfixes. Check the NT OBJECTives, Inc. web site for more detailed descriptions, screenshots, and lots more excellent NT tools. Freeware by NT OBJECTives, Inc. | |
| NTLast 1.6 is a security audit tool for Windows NT. It's a Win32 command line utility with several switches that search the event log for Interactive/Remote/Failed logon stats. In its simplest form, it reports the last ten successful logons at your computer. NTLast does two significant things that Event Viewer does not: it can distinguish remote/interactive logons, and it matches logon times with logoff times. NTLast is designed to assist your efforts in tracking down logon/logoff data. By JD Glaser, NT OBJECTives, Inc. | |
| Somarsoft RegEdit V2.0 - DLL callable by 32 bit Visual Basic that can be used to view and/or modify user registry profile. | |
| Service Pack 4 includes support for the Microsoft Security Configuration Editor (SCE). SCE allows system administrators to consolidate all security related system settings into a single configuration file. | |
| WDumpEvt v2.01 is an administration tool that makes it easy to manage all the information from Windows NT logs. Browse the eventlog tree, dump the data to a file in ASCII-delimited format for importing into a database or spreadsheet, or choose HTML format for an easy-to-read display. The resulting file can contain information such as type, number, and category of the event, plus computer name, date, user, description. Dump the data of the system, security, application log, or only a source, category, or event. Dump all the data or just the data since the last dump. Erase or save the data in the eventlogs, too. Schedule all these actions with the LogSched service to get regular saves or dumps. Retrieve properties of eventlog files: number of events, begin and end date, file size, etc. Shareware by Isabelle Vollant, www.wdumpevt.com. | |
| WinAudlog - New centralized logfile checking tool for auditing distributed system logs in a network and certifying that intruders did not modify these logs. | |
| Chronicle Remote Registry Query Tool v1.0b - This utility will determine the current service pack/hotfix level of all Windows NT machines in your NT domain. Chronicle's filtering feature allows you to check for the existence of hotfixes that only relate to your current configuration. Chronicle.dat status: The version shipped with chronicle.zip does not yet need updating. By Rhino9 - Security Research Team. | |
| Chronicle Remote Registry Query Tool Source Code. By Rhino9 - Security Research Team. | |
| commspy comport monitor. | |
| epd dump portscanner. | |
| MS port scanner that shows what services are running on what ports. | |
| Gobbler packet sniffer. | |
| David LeBlanc's utility for monitoring malicious group creation by end users. For NT. | |
| GSD (Get Service Dacl) gives you the DACL (Discretionary Access Control List) of the Windows NT service you specify as a command line option. By Arne Vidstrom. | |
| hpntbast10.zip | "Building a Windows NT bastion host in practice V1.01" (Adobe PDF zipped) - This paper presents a checklist for converting a default Windows NT installation to a bastion host. A bastion host is a computer system that is exposed to attack, and may be a critical component in a network security system. Special attention must be paid to these highly fortified hosts, both during initial construction and ongoing operation. Bastion hosts can include Firewall gateways, Web servers, FTP servers, Name servers (DNS), Mail hubs and Victim hosts (sacrificial lambs). By Stefan Norberg. |
| Shows which processes listen at which ports, and can be used to find Back Orifice 2000 when it is hidden in another process. For Windows 9x/NT. By Arne Vidstrom. | |
| L0phtcrack NT password cracker | |
| Lava98 is a desktop application that allows you to monitor any log file (that is, a Web server or mail server log file), or a Windows NT event log. By Duke Engineering. | |
| Executable of above | |
| Remote NT password cracker. | |
| NTInfoScan v4b - NTInfoScan is a security scanner for NT 4.0 that is run from command line and produces an HTML based report of security issues found with hyper-text links to vendor patches and further information. By David Litchfield. | |
| NTInfoScan v4.1.1 - See description above. | |
| NTInfoScan v4.1beta - NTInfoScan is a security scanner for NT 4.0 that is run from command line and produces an HTML based report of security issues found with hyper-text links to vendor patches and further information. 62k. By David Litchfield. | |
| NTInfoScan v4.2.2 is a security scanner designed specifically for the Windows NT 4.0 operating system. It's simple to use - you run it from a command line, and when the scan is finished it produces an HTML based report of security issues found with hyper-text links to vendor patches and further information. It tests a number of services, such as ftp, telnet, and web service, for security problems. NTInfoScan will also check NetBIOS share security and User account security. By David Litchfield. | |
| Adjusts your Microsoft Windows NT 4.0 registry settings as suggested by Webtrends Security Analyzer. By vacuum. | |
| Ostronet domain scanner | |
| Rasfix: tightens the permissions on the rasman (Remote Access Connection Manager) service in Windows NT. This stops the exploit which Alberto Rodriguez Aragons has constructed. | |
| RedButton NT vulnerability exploit tester. | |
| Revelation password cracker. | |
| Extract SAM info from samdump. | |
| The latest issue of The SANS NT Digest (v2n3). Includes information about Microsoft Security Bulletins, MS Hotfixes, Other NT Issues, IIS Issues, Third-party Software issues, Trojans, and an excellent description of the NT Resource Kit and UNIX commands available for NT. By The SANS Institute. | |
| Windows NT Security Checklist/Guide, in PostScript format. | |
| "Securing your Windows NT installation" - MSWord document published by the developers of Windows NT detailing major security concerns and fixes for an out-of-the-box installation of Windows NT. From Microsoft Security. Original document location is here. | |
| NTSAfe (prototype) - NTSAfe is intended to provide an application and the tools required to audit and reconfigure security-related settings on Windows NT machines. It provides multiple interfaces to those tools including a command-line scripting language and a data-driven Graphic User Interface (GUI) for automating the execution of any number of collections of configuration audit items. For Windows NT. By Internet Dynamics. | |
| Learn about the computer SID problem everybody has been talking about and get a free computer SID changer, NewSID, complete with full source code. For NT. | |
| Command line utility that lists service pack and hot fix information for Windows NT machines. By Gregg Branham. | |
| SPCheck is a command line utility that can be used to check the service pack and hot fixes on any NT Workstation or Server (assuming you have administrative privileges on the machine). SPCheck v.1.4 checks multiple machines and generates a web page or a comma-delimited text file that you can easily import into a spreadsheet or database program. SPCheck works by remotely connecting to the Registry of NT machines. It parses through the registry information looking at the key for the Service Pack and for the hot fix subkeys. Homepage here. By Gregg Branham. | |
| Java swing (see Sun Microsystems for the latest version). | |
| UltraScan port scanner. | |
| Uses Null Sessions to retrieve account and share information from Windows NT. By Arne Vidstrom. |