Penetration Testing mailing list archives

Re: [PEN-TEST] Auditing for Malicious Tools


From: Steve <Steve () SECURESOLUTIONS ORG>
Date: Tue, 22 Aug 2000 18:22:05 -0600

I don't know of any specific tools but it should be easy enough to do
under NT.

Microsoft SMS can be used to inventory software.  I do believe (hopefully
someone who works with ver 2.0 a bit more can confirm) that version 2.0 can
also collect data from registry keys.

Of course to use SMS to do this requires a bit of scripting and
configuration.

Obviously, if you rename the binaries or change the default location of the
registry entries created by such programs SMS won't help you.


A simple Perl script should be able to check the reg, file existence and
values etc.

Agreed.  But, it would not be hard to modify the malicious software to
install or use different reg keys.

If you have an ISS scanner license we have some flex checks that will
find windows tools like l0pht crack, ISS Scanner, Retina, by doing
exactly the above, and I assume all other commercial tools you could do
the same pretty easily. Not supported or accurate (for the reasons
mentioned above) but sometimes useful.

How does that work when it comes to legal issues?  L0phtcrack, and Retina
are both commercial tools and in the case of Retina, a competitor to ISS, if
your scanner identifies these programs as being malicious tools is this not
slandering a potential competitor?

In my opinion, L0phtcrack and Retina are not malicious tools. Yes, they can
be used for malicious intent, but so can things like Microsoft SMS and even
ISS Scanner as we all know that there are hacks available to generate
keys/licenses for ISS Scanner at will.  Hell, Norton Anti-Virus can be used
for malicious intent if you really wanted to push things (refer to the
Win2KSecAdvice or Bugtraq post on local privilege escalation using the NAV
Scheduler).

Regards;

Steve Manzuik
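
The rename problem raised in the message above, as an added example that is not part of the original post and is not SMS or ISS code: a file inventory that matches on file name alone misses a renamed copy, while a content-hash match still finds it. The watchlist, the tool name `crackertool.exe`, the file tree and the use of SHA-256 are all assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a flagged tool's binary contents (not a real tool).
SAMPLE_TOOL_BYTES = b"constructed sample: contents of a flagged tool binary"

# Hypothetical watchlist: default file name -> SHA-256 of the known binary.
WATCHLIST = {"crackertool.exe": hashlib.sha256(SAMPLE_TOOL_BYTES).hexdigest()}


def audit(root: Path) -> dict:
    """Return {relative path: set of match reasons} for files under root."""
    known_names = {name.lower() for name in WATCHLIST}
    known_hashes = set(WATCHLIST.values())
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = set()
        # Name match: what a plain "does this file exist" inventory sees.
        if path.name.lower() in known_names:
            reasons.add("name")
        # Content match: independent of what the file is called.
        if hashlib.sha256(path.read_bytes()).hexdigest() in known_hashes:
            reasons.add("hash")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict:
    """Build a constructed file tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "docs").mkdir()
        (root / "tools" / "crackertool.exe").write_bytes(SAMPLE_TOOL_BYTES)  # default name
        (root / "docs" / "notes.exe").write_bytes(SAMPLE_TOOL_BYTES)  # renamed copy
        (root / "docs" / "CrackerTool.exe").write_bytes(b"unrelated file")  # same name only
        (root / "docs" / "readme.txt").write_bytes(b"benign")
        return audit(root)


if __name__ == "__main__":
    for rel_path, reasons in demo().items():
        print(rel_path, sorted(reasons))
```

A patched or recompiled binary changes the hash, so this check can be evaded in the same way the message describes for registry keys. The name-only hit on `docs/CrackerTool.exe` shows the false-positive side of matching on names.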

