These are security tools that serve different purposes: enforcing password complexity in SQL Server, brute-forcing SQL Server accounts, dumping Windows security information, checking for modems, log analysis, cracking Windows passwords, etc.

  • LINReS - Script used for collecting volatile and non-volatile information during the initial response phase of the Incident Response methodology
  • EnforcePass - Enforce password complexity on a MS SQL Server
  • ForceSQL v2.0 - Brute-force MS SQL passwords
  • DumpWin v2.0 - Displays Windows security information
  • Log Analyzer - Analyze any log file
  • NtCrack - Crack NT password hashes
  • ModCheck - Detect modems on a Windows system.

EnforcePass (Download)
Rated by SQLServerCentral

Weak passwords are more often than not the weakest link in the chain of security. A case in point is the recent Spida worm, which used the blank password of the 'sa' username in SQL Servers to wreak havoc. To protect against users and DBAs choosing weak passwords, we have developed a function which checks for password complexity using these parameters:

  • It must not be the same as the login name
  • It must not contain the login name
  • Its length must be greater than 6 characters
  • It must contain at least one letter
  • It must contain at least one numeral
  • It must contain at least one punctuation character
This function must be inserted into the sp_password and sp_addlogin stored procedures. How this is to be done is explained fully in the Readme.txt that accompanies this download. For other security tools and SQL information, refer to the excellent SQL Security website of Chip Andrews.
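
The six rules above, written out as a stand-alone check. This is an added Python example, not the T-SQL function shipped with EnforcePass; the name `check_password`, the case-insensitive comparison with the login name, and the ASCII punctuation set are assumptions.

```python
import string

# Rule labels, in the order the page lists them.
SAME_AS_LOGIN = "same as login name"
CONTAINS_LOGIN = "contains login name"
TOO_SHORT = "length not greater than 6"
NO_LETTER = "no letter"
NO_NUMERAL = "no numeral"
NO_PUNCT = "no punctuation character"

def check_password(login, password):
    """Return the violated rules; an empty list means the password is accepted."""
    failures = []
    # Assumption: comparison with the login name ignores case.
    login_cf, pw_cf = login.casefold(), password.casefold()
    if login_cf:  # an empty login would otherwise be "contained" in everything
        if pw_cf == login_cf:
            failures.append(SAME_AS_LOGIN)
        elif login_cf in pw_cf:
            failures.append(CONTAINS_LOGIN)
    if len(password) <= 6:
        failures.append(TOO_SHORT)
    if not any(c.isalpha() for c in password):
        failures.append(NO_LETTER)
    if not any(c.isdigit() for c in password):
        failures.append(NO_NUMERAL)
    # Assumption: "punctuation" means the ASCII set in string.punctuation.
    if not any(c in string.punctuation for c in password):
        failures.append(NO_PUNCT)
    return failures

if __name__ == "__main__":
    # Constructed sample inputs, including the blank 'sa' password case.
    for login, pw in [("sa", ""), ("sa", "sa"), ("sa", "Sa2003!x"), ("dbadmin", "Tr1cky;pass")]:
        print(repr(login), repr(pw), check_password(login, pw) or "OK")
```

Returning every violated rule, rather than stopping at the first, lets the calling procedure tell the user everything that needs fixing in one attempt.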

ForceSQL v2.0 (Download)
Passwords are one of the main sources of insecurity in any setup, especially for a critical database. This utility tries to guess the password of an MS SQL Server user.

ForceSQL finds a mention in the book "HackNotes Windows Security Portable Reference" published by McGraw-Hill in chapter 6: Probing Common Windows Services.
The features of v2.0 are:
  • Easy Command-Line Control
  • Dictionary Attack
  • Brute Force Attack
  • Much faster than v1.0
  • It allows you to choose a port other than 1433
This tool just needs the IP address or machine name of the SQL Server and the user ID that you wish to check. If you choose to brute force, enter the characters to search for in the 'charset.txt' file and the maximum password length at the command line (see Usage below). Also make sure to include the dictionary file 'words.txt' in the same place as forceSQL.exe for the dictionary attack.

Usage :
  • For the Dictionary Attack: forceSQL [IP] [UserID] -d
  • For the Brute Force Attack: forceSQL [IP] [UserID] -b [length]
  • In case the port is other than 1433, you can append it to the IP, separated by a comma, like so: forceSQL [IP,port] [UserID] -b [length]
New Features: The tremendous increase in speed of v2.0 over v1.0 is because we are no longer using any SQL/ODBC API. We spent some time figuring out the structure of the authentication packet as it flows over the wire. We then replicated the packet and used that to carry out the authentication, thus bypassing everything else and going directly to the Network Layer. This greatly reduced the overhead of allocating and using the SQL Handles and the SQL API. It now checks more than 40 passwords per second, depending on network connectivity. The second significant feature we have added is that of Brute Forcing.
Works on: Windows NT/2000/98/95

DumpWin v2.0 (Download)
This utility displays the following System Information. It is especially useful for System Administrators, Auditors, and Security Professionals.
  • General Machine Information
  • Drive Information
  • Modem Drivers
  • Lists of all Software Installed
  • Shares Present
  • Startup Programs
  • Active Processes
  • List and Status of Services
  • List of local Group Accounts
  • List of User Accounts
  • Dumps ACLs for files/folders/registry
  • Show Account Lockout Policy
Works on: Windows NT/2000

Log Analyzer (Download)
This utility takes as input the folder where your log files are stored and the file containing the patterns to be searched. It is a generic tool useful for scanning almost any type of log file: Syslog, Windows Events, Cisco, IIS, Apache, etc. It is essentially for auditors to gather critical information quickly from the host's log files. We have provided a match.pat file containing common signatures for attacks on IIS, and will be adding more signature files for other systems as well.
Usage: la [Directory] -t [type of log files] -p match.pat

Example: To scan the IIS log files in the current directory for the year 2003 only using a pattern file iis.pat: la . -t *03.log -p iis.pat
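
The same directory, file-type and pattern-file workflow, sketched in Python. This is an added example, not the source of the la tool; the pattern-file format (one regular expression per line, '#' for comments), the signatures, the file names and the log lines are all constructed for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Constructed pattern file: one regex per line, '#' starts a comment (assumed format).
SAMPLE_PATTERNS = """\
# constructed signatures, not the contents of match.pat
cmd\\.exe
default\\.ida
"""

# Constructed log lines in a W3C-style layout.
SAMPLE_LOGS = {
    "site-2003.log": (
        "2003-01-15 10:02:11 192.0.2.10 GET /index.html 200\n"
        "2003-01-15 10:02:15 192.0.2.77 GET /scripts/cmd.exe 404\n"
        "2003-01-15 10:03:40 192.0.2.77 GET /default.ida 404\n"
    ),
    "site-2002.log": "2002-12-31 23:59:01 192.0.2.77 GET /scripts/cmd.exe 404\n",
}

def load_patterns(text):
    """Compile each non-blank, non-comment line as a case-insensitive regex."""
    lines = (ln.strip() for ln in text.splitlines())
    return [re.compile(ln, re.IGNORECASE) for ln in lines if ln and not ln.startswith("#")]

def scan_logs(directory, file_glob, patterns):
    """Return (file name, line number, pattern) for every match in the selected files."""
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if not (path.is_file() and fnmatch.fnmatch(path.name, file_glob)):
            continue  # the file-type filter plays the role of the -t argument
        with path.open(encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                hits.extend((path.name, lineno, p.pattern) for p in patterns if p.search(line))
    return hits

def demo():
    """Write the constructed logs to a temp directory and scan only *03.log."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_LOGS.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return scan_logs(tmp, "*03.log", load_patterns(SAMPLE_PATTERNS))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Reporting the file name and line number with each hit lets an auditor go straight to the surrounding entries for the same client address.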

NTCrack (Download)
NTCrack is basically a Windows NT/2000 password cracker which uses the MD4 hashes produced by pwdump2 of Todd Sabin. pwdump2 can be downloaded from http://razor.bindview.com/tools/desc/pwdump2_readme.php

Take the output of pwdump2 and pass the last 32 characters (after the third colon) at the command prompt as the first argument to ntcrack. The output of pwdump2 is in the format:
User:UserID:LMHash:MD4Hash

We need the last hash. Copy it and feed it as the first argument of ntcrack. For instance, after running pwdump2 you would take the user whose password you wish to crack, and determine the MD4 hash of this user.

ntcrack e270e1e3d0518b564fcab5e6d846d94c

Lastly, ntcrack searches for a dict.txt file in its own folder. This is the wordlist used to crack the passwords; without it, ntcrack won't work. Current speed is almost 400,000 checks in 8 seconds on a Pentium 800 MHz processor with 128Mb RAM.

Works on: Windows NT/2000. You will need Administrative access for pwdump2 to work properly.

ModCheck (Download)
A user can bypass all the security mechanisms at your organization's firewall or gateway by dialing out with a modem. A strict Security Policy prohibits the use of modems by individual workstations. This nifty little utility shows if the user has installed any modems on his machine. We have made the fingerprint very small by coding it in assembly (7Kb).

Works on: Windows NT/2000/2003/XP/9x

Disclaimer
DISCLAIMER OF WARRANTY: THE PROGRAMS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. NII FURTHER DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

LIMITATION OF LIABILITY: IN NO EVENT SHALL NII OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF NII HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NII'S ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED THE FEES ACTUALLY PAID BY CUSTOMER TO NII FOR THIS LICENSE.
