Tools for Windows
From Gray
Above all else, these tools should be part of your Windows toolbox.
Security Assessment Tool
MBSA
A bit older, but no less useful, is the Microsoft Baseline Security Analyzer (MBSA). You can find this tool [here] (validation required, of course, and agreement to the subsequent EULA).
Microsoft Security Tools
A collection of updated and old tools from Microsoft can be obtained from [Microsoft's Security Tools] page.
The following utilities for Windows NT/2000/XP can help in troubleshooting and diagnostics. Many of these tools can be found at [sysinternals] and [Foundstone].
fport
fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
superscan
SuperScan 4 is a completely rewritten update of the highly popular Windows port scanning tool, SuperScan. Here are some of the new features in this version:
* Superior scanning speed
* Support for unlimited IP ranges
* Improved host detection using multiple ICMP methods
* TCP SYN scanning
* UDP scanning (two methods)
* IP address import supporting ranges and CIDR formats
* Simple HTML report generation
* Source port scanning
* Fast hostname resolving
* Extensive banner grabbing
* Massive built-in port list description database
* IP and port scan order randomization
* A selection of useful tools (ping, traceroute, Whois etc.)
* Extensive Windows host enumeration capability
trout
A GUI-based traceroute substitute for Windows with some added bells and whistles.
netschedscan
A Windows network admin utility for remotely detecting the Task Scheduler vulnerability on Microsoft Windows 2000 and Windows XP systems. NetSchedScan allows you to scan multiple IP ranges for the Task Scheduler buffer overrun.
pasco
Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. The foundation of Pasco's examination methodology is presented in the white paper located here. Pasco parses the information in an index.dat file and outputs the results in a field-delimited format so that they can be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
ntlast30
NTLast is a command line utility that quickly scans the NT event log and reports logon/logoff activity. It is very useful because it isolates security-specific events so that you don't have to spend time looking for them.
showin
ShoWin displays useful information about windows by dragging a cursor over them.
Perhaps one of the most popular uses of this program is to display hidden password editbox fields (text behind the asterisks *****). This will work in many programs although Microsoft have changed the way things work in some of their applications, most notably MS Office products and Windows 2000. ShoWin will not work in these cases. Neither will it work for password entry boxes on web pages, at least with most web browsers.
Additional features include the ability to enable windows that have been disabled, unhide hidden windows (try the program with the include invisibles option set and see how many windows you have on your desktop that you didn't know about!) and force windows to stay on top or be placed below others.
vision
Reports all open TCP and UDP ports and maps them to the owning process or application.
handle
Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program.
ProcessExplorer
Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
Autoruns
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.
PsTools
The tools included in the PsTools suite, which are downloadable individually or as a package, are:
* PsExec - execute processes remotely
* PsFile - shows files opened remotely
* PsGetSid - display the SID of a computer or a user
* PsKill - kill processes by name or process ID
* PsInfo - list information about a system
* PsList - list detailed information about processes
* PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
* PsLogList - dump event log records
* PsPasswd - changes account passwords
* PsService - view and control services
* PsShutdown - shuts down and optionally reboots a computer
* PsSuspend - suspends processes
* PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)