Analysis of the Security of Windows NT, 1 March 1999, page 87

•   Outputs that are suitable as input to spreadsheets.
•   Can answer questions like "Show all files for which user A has Take Ownership permission".

We believe this tool to be valuable for any NT system administrator. To get the most out of it, it should be run on a regular basis, so that unexpected changes in permissions, one sign that the NT system may have been compromised, are caught.

D.1.5  Kane Security Analyst (KSA)

In [64], the author describes a tool called KSA, which can produce essentially the same information as DumpACL and C2CONFIG together. In addition, KSA is able to detect intrusions by applying statistical algorithms to the gathered data; the idea is to find out whether any particular behavior is significantly anomalous. Another feature presented by Tom Sheldon is the built-in expert knowledge base, which includes security industry "best practices" to be compared with the security attributes of the current system. We have not used this utility in our experiments. More information can be found on the vendor's web site (www.intrusion.com), see appendix E.

D.1.6  Internet Scanner for NT (IS)

IS for NT is an NT port of ISS's well-known Internet Scanner utility. It goes through the system and tests for known weaknesses, both general ones and NT-specific ones. For a detailed description of exactly which tests are carried out, see appendix E.

D.2  Information Retrieval Programs

D.2.1  Windows NT Password Dump Utility (PWDump)

The PWDump utility dumps the password database of an NT computer in the following format:

<user>:<id>:<lanman pw>:<NT pw>:<comment>:<home dir>:

where <user> is the NT user name, <id> is the last 32 bits of the SID (the relative identifier, RID; 500 and 501 are the built-in Administrator and Guest accounts), <lanman pw> is the Lan Manager password hash and <NT pw> is the NT password hash. These four fields are the important ones. Of the two hashes, the Lan Manager hash is the weaker: it is computed over the upper-cased password, split into two independent 7-character halves, so each half can be attacked on its own.
The <comment> and <home dir> fields contain information such as the user's full name, description and home directory as specified in the NT User Manager. PWDump can be used both on the local machine and on remote machines; however, to run the program the user has to be logged on as Administrator. A sample PWDump output, as distributed together with L0phtCrack 1.x, follows. The Guest line shows the "NO PASSWORD" filler that PWDump writes in the hash fields when no hash is stored for the account.

Administrator:500:73CC402BD3E791756C3D3B817E02809D:C7E2622D76D3F001CF08B0753646BBCC:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
Joe:1008:3815B591E3ADC98431A60ABC6B5DA940:0934A0D928B63A7D4AB0A7CEEC35C7F2:::
BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
fredc:1011:3466C2B0487FE39A417EAF50CFAC29C3:80030E356D15FB1942772DCFD7DD3234:::
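The following is an added example, not code from the report, from PWDump or from L0phtCrack. It parses lines in the format described above and performs the checks an administrator would want to run over such a dump before anyone else does: it separates the six fields (allowing for a drive colon in the home directory), recognises the "NO PASSWORD" filler, and uses two constants that are properties of the hash algorithms rather than of this page (the DES value of an empty Lan Manager half, AAD3B435B51404EE, and the NT hash of an empty password, 31D6CFE0D16AE931B73C59D7E0C089C0) to tell apart empty passwords, passwords of at most 7 characters, and accounts whose Lan Manager hash is unusable. The sample input is the report's own output above plus two constructed accounts (shortpw, longpw) whose hashes are arbitrary hex chosen only to exercise those checks.

```python
"""Parse PWDump-format output and flag the entries an auditor looks at first.

Added example; it is not code from the report, from PWDump or from L0phtCrack.
It assumes the colon-separated line format described above. The two hash
constants below are properties of the LM and NT algorithms, not of this page.
"""
import re

# Each half of an LM password (upper-cased, padded to 14 bytes, split in two)
# is used as a DES key to encrypt a fixed constant. An empty half encrypts to
# this value, so it shows up wherever a password is shorter than 8 characters,
# and twice when there is no usable LM hash at all.
LM_EMPTY_HALF = "AAD3B435B51404EE"
# The NT hash is MD4 over the UTF-16LE password; this is the hash of "".
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"
NO_HASH_MARKER = "NO PASSWORD"   # filler PWDump writes when no hash is stored
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}
HEX32 = re.compile(r"^[0-9A-F]{32}$")

# Constructed input: the report's own sample lines plus two made-up accounts
# (shortpw, longpw) whose hashes are arbitrary hex chosen to trigger the LM
# length checks; they are not real hashes.
SAMPLE_DUMP = """\
Administrator:500:73CC402BD3E791756C3D3B817E02809D:C7E2622D76D3F001CF08B0753646BBCC:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
Joe:1008:3815B591E3ADC98431A60ABC6B5DA940:0934A0D928B63A7D4AB0A7CEEC35C7F2:::
BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
fredc:1011:3466C2B0487FE39A417EAF50CFAC29C3:80030E356D15FB1942772DCFD7DD3234:::
shortpw:1012:0123456789ABCDEFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:constructed account with a password of at most 7 characters::
longpw:1013:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:constructed account with a password longer than 14 characters::
"""


def parse_line(line):
    """Split one PWDump line into its six fields.

    The user name, RID and the two hashes never contain ':', so they are cut
    from the left. The remainder is "<comment>:<home dir>:"; the home
    directory may itself contain a drive colon (C:\\...), so the remainder is
    split only once, at its first ':'. A comment containing ':' would be
    mis-split; this follows the format as the report describes it.
    """
    line = line.rstrip("\r\n")
    parts = line.split(":", 4)
    if len(parts) != 5 or not parts[4].endswith(":"):
        raise ValueError("not a PWDump line: %r" % line)
    user, rid, lm_hash, nt_hash, rest = parts
    comment, _, home_dir = rest[:-1].partition(":")
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm_hash.upper(),
        "nt": nt_hash.upper(),
        "comment": comment,
        "home_dir": home_dir,
    }


def parse_dump(text):
    """Parse a whole dump, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def audit_entry(entry):
    """Return short finding codes for one account, in a fixed order."""
    findings = []
    lm, nt = entry["lm"], entry["nt"]
    if lm.startswith(NO_HASH_MARKER):
        findings.append("no-hash")          # nothing stored for this account
    elif not HEX32.match(lm):
        findings.append("malformed-lm")
    elif lm == LM_EMPTY_HALF * 2:
        # Both LM halves empty: either the password is empty (NT hash agrees)
        # or it is longer than 14 characters / LM hashing is off, in which
        # case only the NT hash is available to attack.
        findings.append("empty-password" if nt == NT_EMPTY else "lm-absent")
    elif lm[16:] == LM_EMPTY_HALF:
        # Second half empty: the password is at most 7 characters, so only
        # the first 56-bit DES half has to be searched.
        findings.append("lm-short")
    if entry["rid"] in BUILTIN_RIDS:
        findings.append("builtin")
    return findings


def audit_dump(text):
    """Map user name -> finding codes for every line in the dump."""
    return {e["user"]: audit_entry(e) for e in parse_dump(text)}


if __name__ == "__main__":
    for user, codes in audit_dump(SAMPLE_DUMP).items():
        print("%-14s %s" % (user, ", ".join(codes) or "-"))
```

Run against the sample, the report's five accounts produce only the "builtin" and "no-hash" codes; the two constructed accounts show the length checks that make the Lan Manager hash worth inspecting before any cracking is attempted. The same parser can feed the entries to a spreadsheet or to a cracker, which is what the format was designed for.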