Security Wizard/Talisker/NetworkIntrusion.co.uk has a site up giving a round-up of end-point security tools. This is especially popular due to the heightened emphasis on end-point security lately, in particular laptops and other mobile devices.
This site is more than just a host for their radar, but also compiles huge lists and summaries of a lot of security tools, in as non-biased a way as they can.
Category: tools
wsus links
Been working on WSUS as a work project (second job in a row for it), and I just wanted to spill out a bunch of links about WSUS.
MS WSUS Blog
WSUS Forum
WSUSWiki
WSUS Beginner’s FAQ
Microsoft WSUS newsgroup
related scripting site
And if you want to use WSUS but do not have Active Directory (Group Policy) in use, you can still use WSUS with some manual scripting of registry settings.
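The registry scripting mentioned above, as an added example that is not from the original post: a Python helper that writes a .reg file setting the WSUS client policy keys (the same keys Group Policy would set). The server URL and target group name are constructed values.

```python
# Builds a .reg file that points a Windows Update client at a WSUS server
# without Group Policy. Server URL and target group are constructed values.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

def _reg_string(name, value):
    # .reg syntax: backslashes and quotes inside string values are escaped
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{name}"="{value}"'

def _reg_dword(name, value):
    return f'"{name}"=dword:{value:08x}'

def wsus_client_reg(server_url, target_group=None, detect_hours=22,
                    install_time=3):
    """Return .reg text for the WSUS client policy keys."""
    if not server_url.lower().startswith(("http://", "https://")):
        raise ValueError("WUServer must be an http(s) URL, e.g. http://wsus01:8530")
    if not 1 <= detect_hours <= 22:   # the policy accepts 1..22 hours
        raise ValueError("DetectionFrequency must be 1..22")
    lines = ["Windows Registry Editor Version 5.00", "", f"[{WU_KEY}]",
             _reg_string("WUServer", server_url),
             _reg_string("WUStatusServer", server_url)]
    if target_group:                  # client-side targeting
        lines += [_reg_dword("TargetGroupEnabled", 1),
                  _reg_string("TargetGroup", target_group)]
    lines += ["", f"[{WU_KEY}\\AU]",
              _reg_dword("UseWUServer", 1),           # use WUServer, not Microsoft Update
              _reg_dword("NoAutoUpdate", 0),
              _reg_dword("AUOptions", 4),             # auto download, scheduled install
              _reg_dword("ScheduledInstallDay", 0),   # 0 = every day
              _reg_dword("ScheduledInstallTime", install_time),
              _reg_dword("DetectionFrequencyEnabled", 1),
              _reg_dword("DetectionFrequency", detect_hours), ""]
    return "\r\n".join(lines)

def write_reg(path, text):
    # regedit expects version-5.00 files as UTF-16LE with a BOM
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)

if __name__ == "__main__":
    print(wsus_client_reg("http://wsus01:8530", target_group="Laptops"))
```

Import the resulting file with `regedit /s` on each client; the same values can also be pushed with `reg add` from a logon script.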
netsh
Netsh is an oft-overlooked tool for configuring TCP/IP settings in Windows from the command line. This small post illustrates how to use the app effectively.
portlistener
PortListener XP is a port listener for Windows XP. The tool installs and then listens on particular ports. This tool listens on multiple ports in one instance, drops to the systray, and also logs to files. It does not log in real time, but it does accrue connection totals (aggregated for all ports) on the main window. There are options to change colors and show alerts for various warning levels, but they seemed useless to me. Also, you can set a banner or connection reply to be sent back to connecting sessions, but that didn’t appear to work for me either. However, I do like the systray and multiple port options.
portpeeker
PortPeeker is one of the more exciting simple tools I’ve seen in the past few months. PortPeeker is a Windows program that requires an installation. It then sets up a listening port on the port of your choosing. This listening port is bannerless and open to connection from other computers/devices. PortPeeker reports these connections and any data that is sent to this port both in a realtime display on the screen and also a log file. What is even more exciting is that multiple copies can be opened to listen on multiple ports, although ports that are already in use cannot be selected.
Why is this exciting? On a local network that might not be secure or that I am in charge of monitoring, a box can be set up that listens and captures traffic on particular ports. In a network like mine with multiple possibly insecure MSDE/SQL instances, being able to quickly see probes of ports 1433/1434 would be very helpful. The only additional item I could wish for is a light or systray icon or sound to be played when a connection is made on a port being sniffed.
Update: Oh man, the uses are numerous! I have found out that the tool actually does allow the editing of banner information upon connection. On the link, scroll to the bottom to see captured traffic from various attacks and worms. Not only can this tool report connections on a port, but it displays the data being transmitted to that port. For something like an SQL server connection attempt, the userid and password are cleartext in the hex output.
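The listen-log-and-banner behaviour described for PortListener and PortPeeker, as an added Python example that is not code from either tool: it binds several TCP ports at once, records each connection with a hex dump of whatever the client sent, keeps per-port totals, and can answer with a banner. The `probe` client and the loopback bind address are test conveniences I added.

```python
import socket, threading, time

class PortWatcher:
    """Listen on several TCP ports, log each connection plus the bytes it sent
    (as hex), keep per-port connection totals, optionally send a banner."""
    def __init__(self, ports, banner=b"", bind="127.0.0.1"):
        self.banner, self.totals, self.log = banner, {}, []
        self.cond = threading.Condition()       # guards totals/log, wakes waiters
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((bind, port))              # port 0 lets the OS choose one
            srv.listen(5)
            self.totals[srv.getsockname()[1]] = 0
            threading.Thread(target=self._accept, args=(srv,), daemon=True).start()

    def _accept(self, srv):
        port = srv.getsockname()[1]
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=self._handle, args=(conn, peer, port), daemon=True).start()

    def _handle(self, conn, peer, port):
        data = b""
        with conn:
            conn.settimeout(3)                  # a silent client must not pin the thread
            conn.sendall(self.banner)           # b"" means bannerless, like PortPeeker
            try:                                # cap what a single probe can log
                while len(data) < 4096 and (chunk := conn.recv(1024)):
                    data += chunk
            except socket.timeout:
                pass
        with self.cond:
            self.totals[port] += 1
            self.log.append(f"{time.strftime('%Y-%m-%d %H:%M:%S')} "
                            f"{peer[0]}:{peer[1]} -> :{port} {data.hex() or '-'}")
            self.cond.notify_all()

    def wait_for(self, port, count, timeout=5):
        """Block until `count` connections have been logged on `port`."""
        with self.cond:
            return self.cond.wait_for(lambda: self.totals[port] >= count, timeout)

def probe(port, payload, host="127.0.0.1"):
    """Tiny client used to exercise the watcher: read the banner, send payload."""
    with socket.create_connection((host, port), timeout=3) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner
```

To watch for the SQL probes mentioned above, create `PortWatcher([1433, 1434], bind="0.0.0.0")` on a box where nothing else owns those ports and print `log` entries as they arrive; anything that shows up is a client that should not be talking to that host.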
netflow to monitor bandwidth
I may have an old post about NetFlow elsewhere, but this is another article on using NetFlow to monitor bandwidth on a network. Filing this away to read at some point; I still have not read it or tried it, but would really like to.
Detecting abnormal traffic using NetFlow papers, part 1 and part 2
cutting tcp/ip connections over linux firewalls
Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand. This would allow them to terminate connections such as SSH tunnels or VPNs left in place by employees overnight, abort hacker attacks when they are detected, stop high bandwidth consuming downloads, etc. There are many potential applications.
This article describes how a Linux IPTables based firewall/router can be used to send the right combination of TCP/IP packets to both ends of a connection to cause them to abort the conversation. It describes the steps required to perform this task, and introduces a new open-source utility called “cutter” that automates the process.
double snorting
This quick article talks about running double instances of Snort in order to capture two opposing sets of data. First one sensor catches “everything” that you can imagine in the rules, basically allowing the operator to get an idea of the state of the Internet as a whole. The second sensor only catches things of immediate interest to the operator, basically filtered so that only those threats that may affect the operator are captured. I like this article due to the explicit instructions on installing and running Snort.
rainbow crack ntlm hash cracking tool
Rainbow Crack is the next Microsoft Authentication-killer. Basically this tool generates every possible NTLM hash. These can then be put into a database and searched against. Instead of a crack tool brute forcing a particular hash by comparing it, one by one, with every computed value, this tool precomputes all the values and saves them. For complex passwords, this can save days of crack time. For the most complex passwords, it can save weeks. I believe the whole database can be bought for just over a hundred bucks, in some circles, but this free tool will generate it free.
Update: Everything I ever wanted to know about passwords and rainbow tables all in one very recent paper/article. And hey, I didn’t even know Cain comes with a table generator!! W00t!
There has been a lot of talk about rainbow tables and passwords here, so here are suggestions on how to withstand even rainbow attacks. Basically, what this tells me is that passwords/passphrases are flawed, fundamentally.
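To make the precompute-then-look-up idea from the Rainbow Crack post and the salting defence from the "how to withstand" link concrete, here is an added Python example (my own toy code, not Rainbow Crack or Cain): it builds hash/reduce chains over a three-letter password space, looks a digest up by regenerating chain tails, and shows that a salted digest finds nothing in the same table. SHA-256 stands in for the unsalted NTLM hash, which is an assumption made only so the block runs anywhere.

```python
import hashlib

# Toy search space so the whole table builds in well under a second. SHA-256
# stands in for unsalted NTLM (MD4 of UTF-16LE); the trade-off is hash-agnostic.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH, CHAIN_LEN = 3, 40
SPACE = len(ALPHABET) ** LENGTH          # 17576 candidate passwords

def hash_pw(pw):
    return hashlib.sha256(pw.encode()).digest()

def index_to_pw(n):
    pw = ""
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        pw += ALPHABET[r]
    return pw

def reduce_hash(digest, pos):
    # Maps a digest back into the password space. Mixing in the chain position
    # is what makes this a rainbow table rather than a plain Hellman table.
    return index_to_pw((int.from_bytes(digest[:8], "big") + pos) % SPACE)

def build_table(n_chains):
    """Precompute n_chains hash/reduce chains; keep only end -> start."""
    table = {}
    for i in range(n_chains):
        start = pw = index_to_pw((i * 7919) % SPACE)   # spread starts around
        for pos in range(CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), pos)
        table.setdefault(pw, start)      # merged chains keep the first start
    return table

def lookup(table, target):
    """Return the password behind an unsalted digest, or None if not covered."""
    for j in range(CHAIN_LEN - 1, -1, -1):     # guess which column target sits in
        pw = reduce_hash(target, j)
        for k in range(j + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), k)
        if pw in table:                        # candidate chain: walk and verify
            pw = table[pw]
            for k in range(CHAIN_LEN):
                if hash_pw(pw) == target:
                    return pw
                pw = reduce_hash(hash_pw(pw), k)
    return None

def salted_hash(pw, salt):
    # Per-user salt: the digest is no longer a function of the password alone.
    return hashlib.sha256(salt + pw.encode()).digest()
```

The table stores only chain endpoints, so memory is a fraction of the full space while lookup still costs far less than brute force; against `salted_hash` the very same table returns nothing, which is the whole point of salting.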
ssh brute force tool to crack root
A new SSH brute force tool attempts to crack into a box by brute forcing root through a listening SSH service. The tool even includes its own dictionary, whereas most other tools of this type rely on a separate user-defined dictionary. Impressive. At any rate, this just further illustrates a security practice that should be used for all SSH Linux boxes: don’t allow root to log into SSH. Force a user account to be used, and then su to root.
image for windows
Ghost costs way too much to license, so I have chosen to use the amazingly cheap Image for Windows (and Image for DOS) tools for imaging workstations. Sadly, one needs to keep up-to-date with updates in order to make sure they can mount new Dell machines…
In addition, to support network shared drives, Bart’s Boot Disk works wonders once I can get it set up.