Republished with permission from WatchGuard Technologies, Inc.

WatchGuard LiveSecurity


Automated NT Vulnerability Testing (on a Shoe-String Budget)

by David Piscitello, President, Core Competence


Sometimes, we are so focused on perimeter security and secure transport -- our firewalls and VPNs -- that we inadvertently overlook the security of our internal hosts and servers. Companies pressure security administrators to provide access to new services for roaming employees and e-business partners, but each new service accessed from the outside exposes the interior of our networks. In the age of e-everything, security policies that rely solely on perimeter enforcement are hard to define, and even harder to implement. So today, hardening your interior is just as important as hardening your exterior.


A hardened interior consists of proper configuration of operating and file systems on client desktops and servers. This involves a litany of tasks, including:


  • User account management -- maintaining the lowest number of user accounts necessary on every system, using the strongest authentication method practical, and enforcing authentication policies.

  • Software management -- assuring that every OS has the most recent (but proven) security patches, service packs, and (where possible) auditing software for known vulnerabilities, including HTML, XML, script and CGI exploits.

  • Access control and authorization -- assuring that every file system has the strictest access permissions practical, using network shares only when necessary, and ensuring that all network shares require appropriate authentication.

  • Services management -- assuring that servers and client desktops only run necessary network services, and that these services are properly configured with access controls that restrict use.

  • DNS and Directory management -- assuring the integrity of these databases and limiting access to them (even browsing can disclose information useful to hackers).

How can you stay on top of so many issues? If you run an NT shop, you're all too familiar with the difficulty of keeping pace with service packs and security updates, and the arduous task of configuring NT servers and workstations, then auditing them against your security policy. One way you can keep the task feasible is to use automated tools.


Automating Your Vulnerability Testing

Engineers and designers of firewalls (appliances or software run on *NIX and Windows platforms) take great pains to harden the operating and file systems of the firewall during installation. These developers are savvy administrators and students of security. They keep abreast of new exploits and vulnerabilities. To assure that they have done a thorough job, they subject their firewalls to batteries of checks and penetration attempts using tools they have developed. This systematic testing for vulnerabilities is called scanning.


Scanning can help you identify areas in your network that need hardening, thereby helping you to enforce the security of your network. To keep your network secure, you want to prevent an outsider from learning information -- such as software in use, ports that are open for outside access, names of directories or users -- that can be utilized to gain access to or exploit your network.


NT vulnerability scanners are designed to automatically identify exploits that might be perpetrated against your OS as you have configured it. Most will scan a host computer and let you know what network services are running on that host. The better scanners will do not only that, but also tell you if the services running are susceptible to a known vulnerability, or are poorly configured. For Windows NT Servers and Workstations, scanners perform an extensive list of tests; most notable are the following:

  • Network port scanning using UDP

  • Network port scanning using TCP SYN, ACK, FIN packets

  • Ability to scan Network Neighborhood

  • DNS and SNMP vulnerabilities

  • Scanning for known Trojans and backdoors, e.g., Back Orifice

  • Server Message Block Querying

  • Transport protocol and session enumeration

  • Active Services

  • Ability to establish NULL IPC$ session to host

  • Service Pack and Hotfix enumeration

  • User account details and privilege enumeration

  • Share enumeration, including the ADMIN$ share

  • Ability to query NT registry

  • Checks for known Vulnerable URL structures and CGIs

  • Vulnerability to known Denial of Service attacks

  • SMTP, FTP, POP3 banner grabs and service specific vulnerabilities

  • MS SQL server vulnerability checks
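Most of the tests in the list above come down to the same mechanics: open a connection to a port, see whether anything answers, and read what the service says about itself. The following is an added example, my own code and not part of the original article or of any of the tools it names. It performs a plain TCP connect probe with a banner grab against two constructed stand-in services on localhost (the ports, hostname and banners are invented), and flags any greeting that discloses a product version, which is exactly the kind of detail the article says you want outsiders not to learn about your hosts. It uses only ordinary sockets, so no raw SYN/FIN packet crafting or administrative privileges are needed.

```python
import re
import socket
import threading


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a network service (an assumption for this
    example, not a real daemon): listens on an ephemeral localhost port and
    greets every client with `banner`, as SMTP, FTP and POP3 servers do.
    Returns (port, stop_event); set the event to shut the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.1)            # wake up regularly to check the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def probe_port(host, port, timeout=0.5):
    """TCP connect probe. Returns (is_open, banner_bytes); the banner is
    empty when the service accepted the connection but said nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # refused, unreachable or timed out
            return False, b""
        try:
            return True, s.recv(256)
        except OSError:            # open, but no greeting before the timeout
            return True, b""


# Dotted numeric strings such as "8.9.3"; an IP address in a banner would
# also match, which is acceptable for a first-pass audit.
VERSION_RE = re.compile(rb"\b\d+\.\d+(?:\.\d+)*\b")


def audit_banner(banner):
    """True when a greeting discloses a product version string."""
    return VERSION_RE.search(banner) is not None


def scan_host(host, ports):
    """Probe each port; return {port: {"open", "banner", "version_leak"}}."""
    results = {}
    for port in ports:
        is_open, banner = probe_port(host, port)
        results[port] = {
            "open": is_open,
            "banner": banner.decode("ascii", "replace").strip(),
            "version_leak": is_open and audit_banner(banner),
        }
    return results


def closed_local_port():
    """Pick a port that is almost certainly closed: bind an ephemeral port,
    note its number, release it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Stand up two constructed services, scan them plus one closed port."""
    smtp_port, stop_smtp = start_fake_service(
        b"220 mail.example.test ESMTP Sendmail 8.9.3 ready\r\n")  # constructed
    ftp_port, stop_ftp = start_fake_service(b"220 FTP service ready\r\n")
    closed = closed_local_port()
    try:
        results = scan_host("127.0.0.1", [smtp_port, ftp_port, closed])
    finally:
        stop_smtp.set()
        stop_ftp.set()
    return results, smtp_port, ftp_port, closed


if __name__ == "__main__":
    results, *_ = run_demo()
    for port, r in sorted(results.items()):
        state = "open" if r["open"] else "closed"
        leak = "  <-- version disclosed" if r["version_leak"] else ""
        print(f"{port:5d} {state:6s} {r['banner']}{leak}")
```

Run against a real host you administer by replacing `run_demo()` with a call such as `scan_host("ntsrv01", [21, 25, 80, 110, 139])`; a banner flagged as a version leak is a cue to trim the greeting the service sends, or at least to make sure that version is patched.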

As organizations grow, even the most advanced network administrators can benefit from using vulnerability scanners. Reports generated by scanning tools provide a readily identifiable security baseline for systems. For less advanced administrators, they provide a sobering reminder that what you don't know can hurt you; moreover, you learn more about secure NT configuration each time you read a report.


The good news: There are at least a half-dozen very fine commercial vulnerability scanners. The bad news: They can be expensive. Fortunately, there's a wealth of freeware and shareware vulnerability scanners for NT.


Individually, none I've found performs as many tests as any of the top commercial scanners, but collectively, the following scanners perform nearly all the tests enumerated above.


Cerberus Information Scanner (CIS, formerly NTInfoScan, freeware)

The Cerberus team recently merged with @stake, which recently acquired L0pht Heavy Industries (meaning, this tool has a respectable hacker pedigree). CIS scans a host to detect which services are running (e.g. HTTP, SMTP, POP3, FTP, and Portmapper). It checks the NT OS to see whether accounts, shares, groups, driver- and user-mode services, and registry keys are accessible to unwelcome visitors. It also scans for MS SQL vulnerabilities. Use the Web to view the current complete list of checks or download the tool itself. CIS results are reported in HTML.


GNIT NT Vulnerability scanner (Freeware)

GNIT and Cerberus Information Scanner perform nearly the same checks. The NT user account detail from GNIT grabs everything from the User Manager database, and the Transport protocol enumeration returns information on what protocol is in use on the network, as well as information on network adapters and which protocols are bound to each adapter. The report is a simple ASCII text file, and the program is run from the DOS command line.


Winfingerprint (Freeware)

Winfingerprint scans your hosts and returns accessible information about NetBIOS Shares, Users, Groups, Transport protocols, Date & Time, and Services. It will scan an entire Network Neighborhood, attempt to establish Null Sessions, and will query the NT registry. It reports in HTML. The complete list of checks can be found in the aboutwinfingerprint.html file that accompanies the executable.


Port Scanners

Port scanners are essential for network vulnerability testing. Look for utilities that scan using TCP and UDP, and can scan both the well-known and the ephemeral ports. Fscan (freeware) is a very flexible command line utility. NetScanTools (try-ware, $25.00) has a fine port probe, and can gather NetBIOS and WinSock info, dig through DNS records, and get or walk SNMP MIB entries.


You can download these scanners from their respective web sites, or from the Tools pages at


To give you a feel for the reports these scanners generate, I've run CIS, Winfingerprint, and GNIT against a Windows NT server with Service Pack 3, and a Windows NT Workstation with Service Pack 6. The NT server is running Microsoft Peer Web Services and the TINI Trojan, and no effort has been made to secure either system. Here's a sample of the vulnerabilities I exposed:

  • Access Control Lists (ACLs) permit Automatic administrative shares

  • Web server banner grabbed

  • /iisadmin/ directory discovered

  • SQL accounts with no password

  • User accounts enumerated, default accounts exist, e.g., administrator, guest

  • ACLs permit general network access to the NT registry

  • ACLs permit access to SQL database via null session

  • NT services are enumerated

The complete reports are hosted at


All these tools have no-frills user interfaces. Online help ranges from very good to none. I found this set no less troublesome to install and considerably less demanding to run than commercial scanners I've tested.


I've only scratched the surface of the kinds of tools available. You may find more and better tools by searching shareware and security sites.


Why Pay More?

After seeing how impressive these inexpensive scanners are, you might ask, "Why bother with commercial scanners?" They have their merits. Commercial scanner vendors offer better support, and more staff to research and expand the tests scanners perform. Commercial scanners are designed to repeatedly execute scheduled tests on a battery of hosts, creating a basis for rigorous comparison -- not just ad hoc scanning. They generally provide excellent documentation, with detailed and graphical reports. In many cases, they identify the exact security update or registry change you must make to mitigate a vulnerability. I suggest you download a try-then-buy version of a commercial scanner and compare for yourself.
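The two things this paragraph credits commercial products with, scheduled re-scans compared against a baseline and a verdict tied to your own policy, can be approximated with a little scripting around the plain-text reports the free tools write (GNIT's report, for instance, is a simple ASCII file). The following is an added example, my own code and not output or code from GNIT, CIS, Winfingerprint or any commercial scanner. The two report excerpts are constructed in an invented "CATEGORY: value" layout (the real tools' formats differ, so the parser is the part you would adapt), and the approved-service list is an assumed site policy. It parses both reports, lists what appeared and what went away between the two scans, and applies rules drawn from the hardening checklist at the top of the article: null IPC$ sessions, network-reachable registry, passwordless SQL accounts, an enabled Guest account, automatic administrative shares, and services not on the approved list.

```python
import re

# Constructed report excerpts in an invented "CATEGORY: value" layout. This is
# NOT the real output format of GNIT, CIS or Winfingerprint; it stands in for
# whatever text the tool you use actually writes.
BASELINE_REPORT = """\
HOST: ntsrv01
SHARE: C$ (admin)
SHARE: ADMIN$ (admin)
SHARE: PUBLIC
USER: Administrator
USER: Guest (enabled)
USER: sqlsvc
SERVICE: Microsoft Peer Web Services
SERVICE: SNMP
NULLSESSION: IPC$ allowed
REGISTRY: remote access allowed
SQL: sa (no password)
"""

CURRENT_REPORT = """\
HOST: ntsrv01
SHARE: C$ (admin)
SHARE: PUBLIC
USER: Administrator
USER: sqlsvc
SERVICE: Microsoft Peer Web Services
SERVICE: SNMP
SERVICE: Telnet
NULLSESSION: IPC$ allowed
REGISTRY: remote access allowed
SQL: sa (no password)
"""

# Assumed site policy: the only network service this host is supposed to run.
APPROVED_SERVICES = {"Microsoft Peer Web Services"}

LINE_RE = re.compile(r"^([A-Z]+):\s*(.+?)\s*$")


def parse_report(text):
    """Turn a report into (host, set of (category, value) findings)."""
    host, findings = None, set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip blank lines and free text
        category, value = m.groups()
        if category == "HOST":
            host = value
        else:
            findings.add((category, value))
    return host, findings


def policy_violations(findings):
    """Apply the hardening checklist to one scan's findings.
    Returns a sorted list of (severity, message)."""
    issues = []
    for category, value in findings:
        if category == "NULLSESSION" and "allowed" in value:
            issues.append(("high", "null IPC$ session accepted: anonymous enumeration possible"))
        elif category == "REGISTRY" and "allowed" in value:
            issues.append(("high", "registry reachable over the network: restrict remote registry access"))
        elif category == "SQL" and "no password" in value:
            issues.append(("high", "SQL account without password: " + value))
        elif category == "USER" and value.startswith("Guest") and "enabled" in value:
            issues.append(("medium", "Guest account is enabled: disable it"))
        elif category == "SHARE" and "(admin)" in value:
            issues.append(("medium", "automatic administrative share exposed: " + value))
        elif category == "SERVICE" and value not in APPROVED_SERVICES:
            issues.append(("low", "service not on the approved list: " + value))
    return sorted(issues)


def compare_scans(baseline_text, current_text):
    """Diff two scans of the same host: what appeared, what went away, and
    what still violates policy in the current scan."""
    base_host, base = parse_report(baseline_text)
    cur_host, cur = parse_report(current_text)
    if base_host != cur_host:
        raise ValueError(f"reports are for different hosts: {base_host} vs {cur_host}")
    return {
        "host": cur_host,
        "new": sorted(cur - base),
        "resolved": sorted(base - cur),
        "violations": policy_violations(cur),
    }


if __name__ == "__main__":
    result = compare_scans(BASELINE_REPORT, CURRENT_REPORT)
    print(f"Host {result['host']}")
    for key in ("new", "resolved"):
        for category, value in result[key]:
            print(f"  {key:9s} {category}: {value}")
    for severity, message in result["violations"]:
        print(f"  [{severity}] {message}")
```

Run weekly against the saved report from the previous run and the "new" list becomes your change alert (here, a Telnet service that was not there last week), while the "violations" list is the standing to-do list until each item is fixed; the "resolved" list documents that the ADMIN$ share and the Guest account were dealt with since the baseline.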


If you have not already done so, do consider implementing vulnerability scanning as a standard operating practice. If you're already doing it occasionally, build or expand your tool kit to suit your scanning needs. When it comes to network security and Internet-hardened desktops, automated vulnerability tests can help you -- and what you don't know can most definitely hurt you.





Copyright © 1996 - 2001 WatchGuard Technologies, Inc. All rights reserved.