Penetration Testing mailing list archives
Re: [PEN-TEST] Auditing for Malicious Tools
From: "Curphey, Mark (ISS Atlanta)" <MCurphey () ISS NET>
Date: Wed, 23 Aug 2000 08:31:33 -0400
Point taken, I guess the wording should have been potential malicious use :-) You will of course note I cited our own ISS Scanner as well and the fact it wasn't supported. I agree all security tools can be totally innocuous as well as potentially malicious. Thanks for the sanity check :-) --------------------------------------------------------------- How does that work when it comes to legal issues. L0phtcrack, and Retina are both commercial tools and in the case of Retina, a competitor to ISS, if your scanner identifies these programs as being malicious tools is this not slandering a potential competitor? -----Original Message----- From: Steve [mailto:Steve () SecureSolutions org] Sent: Tuesday, August 22, 2000 8:22 PM To: Curphey, Mark (ISS Atlanta); 'PEN-TEST () SECURITYFOCUS COM ' Subject: RE: [PEN-TEST] Auditing for Malicious Tools
I don't know of any specific tools but It should be easy enough to do under NT.
Microsoft SMS can be used to inventory software. I do believe (hopefully someone who works with ver 2.0 a bit more can confirm) that version 2.0 can also collect data from registry keys. Of course to use SMS to do this requires a bit of scripting and configuration. Obviously, if you rename the binaries or change the default location of the registry entries created by such programs SMS won't help you.
A simple Perl script should be able to check the reg, file existence and values etc.
Agreed. But, it would not be hard to modify the malicious software to install or use different reg keys.
If you have an ISS scanner license we have some flex checks that will find windows tools like l0pht crack, ISS Scanner, Retina, by doing exactly the above, and I assume all other commercial tools you could do the same pretty easily. Not supported or accurate (for the reasons mentioned above) but sometimes useful.
How does that work when it comes to legal issues. L0phtcrack, and Retina are both commercial tools and in the case of Retina, a competitor to ISS, if your scanner identifies these programs as being malicious tools is this not slandering a potential competitor? In my opinion, L0phtcrack and Retina are not malicious tools. Yes, they can be used for malicious intent, but so can things like Microsoft SMS and even ISS Scanner as we all know that there are hacks available to generate keys/licenses for ISS Scanner at will. Hell, Norton Anti-Virus can be used for malicious intent if you really wanted to push things (refer to the Win2KSecAdvice or Bugtraq post on local privledge escalation using the NAV Scheduler). Regards; Steve Manzuik
Current thread:
- Re: [PEN-TEST] Auditing for Malicious Tools, (continued)
- Re: [PEN-TEST] Auditing for Malicious Tools Max Vision (Aug 22)
- [PEN-TEST] Proxy Penetrated Roberto Poblete (Aug 24)
- Re: [PEN-TEST] Proxy Penetrated Vanja Hrustic (Aug 24)
- Re: [PEN-TEST] Proxy Penetrated Max Vision (Aug 24)
- [PEN-TEST] Proxy Penetrated Roberto Poblete (Aug 24)
- Re: [PEN-TEST] Auditing for Malicious Tools Curphey, Mark (ISS Atlanta) (Aug 22)
- Re: [PEN-TEST] Auditing for Malicious Tools H Carvey (Aug 23)
- Re: [PEN-TEST] Auditing for Malicious Tools Netsecure (Aug 22)
- Re: [PEN-TEST] Auditing for Malicious Tools Brian Pennington (Aug 22)
- Re: [PEN-TEST] Auditing for Malicious Tools Knowledgebase i-Net Security (Aug 23)
- Re: [PEN-TEST] Auditing for Malicious Tools Steve (Aug 23)
- Re: [PEN-TEST] Auditing for Malicious Tools Curphey, Mark (ISS Atlanta) (Aug 23)
- Re: [PEN-TEST] Auditing for Malicious Tools Max Vision (Aug 22)