2006.09.02 : On my mind right now: Memory dumping over FireWire - UMA issues
2006.06.12 : On my mind right now: DbgSetDebugPrintCallback - Capturing DbgPrint calls in Windows Vista
2006.06.01 : On my mind right now: Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues
2006.04.16 : A new tool: ListDrivers lists the loaded kernel drivers.
2006.03.05 : I have created a web page with Visual Studio 2005 Problems and Solutions since I have encountered a couple of frustrating problems with it and wanted to share my solutions.
2006.01.08 : Release of version 3.0 of PEriscope. Now it has much more .NET support than before.
2005.12.13 : Version 2.0 of PEriscope is available. This version is updated to work with image files compiled for 64-bit Windows. It also contains a few bug fixes.
2005.11.14 : A new version of EtherChange is available. This version is updated to also work on Windows Vista.
2005.04.22 - Win32 SocketShell is shellcode for penetration testing. It binds to TCP port 7777 and returns the string "hacked!" when connected to.
2005.04.06 - A new version of ListModules is available. Now it also prints the base addresses and sizes of the loaded DLLs.
2005.04.04 - A new version of PEriscope is available. Now hashes of the exported function names are also shown - useful for shellcode analysis and design.
2004.07.30 - A new tool: UndeleteSMS can recover deleted SMS messages from a GSM SIM card.
2004.02.14 - Take a look at lddTroj, a proof of concept trojan that shows the danger of running the ldd command against potentially dangerous files. lddTroj comes as open source under a GPL license.
2003.12.23 - An article by Mirko Zorz at HNS with me, Russ Cooper and Ed Skoudis.
2003.12.14 - A new version of WinRelay is available. This one has support for IPv6.
2003.11.02 - I've released the tool EtherChange. It can change the Ethernet address of the network adapters in Windows 2000 / XP.
2003.10.21 - An interview with me at HNS.
2003.09.02 - I'm the Technical Editor of the new book Windows Security Portable Reference.
2003.03.06 - I've released version 1.1 of PEriscope. It now has some support for .NET CIL files and also contains a couple of bugfixes and minor feature additions.
2003.02.15 - Version 2.0 of Winfo is now available for download. The new information that can be found with this version is: OS version, domain and forest names, password and lockout policy, sessions, logged-in users, more detailed user and share information. I also want to thank Chris Weber for a couple of very useful tips for this version.
2003.02.13 - I've changed the look of ntsecurity.nu and I hope you like it!
2003.02.04 - I've released a new version (1.6) of winfo. Now it works much better against Windows XP, and it also contains a few bugfixes making it much more reliable in general too.
2002.12.15 - A bug has been corrected in FileHasher. If you run version 1.0 of FileHasher you should update to the new version 1.1 since the MD5 hash values calculated will be incorrect for certain file sizes. The values are just as cryptographically strong, but they won't match those calculated with other MD5 hashing tools.
2002.12.11 - A new tool: GPList lists information about the applied Group Policies.
[2002.12.03] - A bug in KerbCrack that caused an error message about not running Windows 2000 or above when you're in fact doing so is now fixed in version 1.1. A big thanks to all of you who reported it and sent me useful error codes and other information so I could locate it and fix it!
[2002.12.02] - EFSView lists the users who have ordinary decryption keys or recovery keys for an EFS encrypted file.
[2002.11.28] - A new tool: PStoreView lists the contents of the Protected Storage which usually contains Internet Explorer autocomplete usernames and passwords, Outlook usernames and passwords, and so on.
[2002.11.24] - A new tool: KerbCrack is a combined Windows 2000/XP Kerberos login sniffer and cracker.
[2002.10.24] - I've removed all dead links from the Links section and updated with a few new ones as well as moved some of them to other categories.
[2002.08.30] - FileHasher calculates the MD5 or SHA hash for a file.
[2002.08.28] - A new version of WinRelay released. Now it can handle DNS names in addition to IP addresses.
[2002.08.10] - RPAK is a collection of tools that can be useful for doing attacks on routing protocols. It contains tools for RIP, RIP2, IGRP and OSPF.
[2002.07.02] - DBProbe checks the amplification factor for a particular network when you send a directed broadcast ping to it.
[2002.06.30] - DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.
[2002.06.30] - WPSweep is a simple ping sweeper, that is, it pings a range of IP addresses and lists the ones that reply.
[2002.05.09] - There have been problems with the site that made it really slow lately but they are fixed now.
[2002.05.08] - Version 1.2 of PMDump now includes a switch that makes it list all running processes with PIDs.
[2002.05.01] - EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.
[2002.05.01] - GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attacker's computer, or redirect traffic between two other computers through the attacker's computer.
[2002.04.20] - A new tool for the toolbox: CECrypt. A file encryption tool for Windows CE that is compatible with cryptf.
[2002.04.20] - The web hotel problem seems to have been resolved now.
[2002.04.19] - Right now there is a problem at the web hotel where this site is located that sometimes disables all counters and download scripts.
[2002.04.16] - PromiscDetect checks if your network adapter(s) is running in promiscuous mode, which may be a sign that you have a sniffer running on your computer.
[2002.02.16] - On 2002.02.08 an unknown number of Nimda infected emails were sent to various persons around the world using the faked source address email@example.com, from a hacked computer in Munich, Germany. Of course I had nothing to do with it and I hope nobody got infected.
[2002.02.16] - A new tool for the toolbox - ListModules lists the modules (EXEs and DLLs) that are loaded into a process. This can for example be useful in a forensic investigation.
[2002.02.10] - A new tool for the toolbox - WinRelay is a TCP/UDP forwarder/redirector.
[2002.02.10] - A new tool for the toolbox - ClearLogs is a Command Prompt tool that clears the event log you specify on the local, or a remote, computer.
[2002.01.29] - There are a couple of vulnerabilities in EServ 2.97. You can find the advisory here
[2002.01.20] - SpoonFTP 126.96.36.199 is vulnerable to the FTP bounce attack. You can find the advisory here
[2002.01.20] - A new tool - PMDump lets you dump the memory contents of a process to a file without stopping the process. This can be useful in a forensic investigation.
[2002.01.20] - A new tool - LNS searches for NTFS streams (aka alternate data streams or multiple data streams). This can be useful in a forensic investigation.
[2002.01.19] - A new tool - macMatch lets you search for files by their last write, last access or creation time without changing any of these times. A tool like this can be useful in a forensic investigation.
[2001.12.11] - A new version of snitch. A few minor changes.
[2001.12.11] - A new version of ipEye. The annoying error message that sometimes says that you must run it on Windows 2000 when you are running it on Windows 2000 has been fixed.
[2001.12.11] - A new version of winfo. This version has more complete error messages, support for much larger account databases, and a few other minor improvements.
[2001.10.13] - Another new tool for the toolbox - cryptf is a file encryption tool that uses 3-DES or IDEA to encrypt your files.
[2001.10.11] - There are a couple of vulnerabilities in the Ipswitch IMail Server 7.04. You can find the advisory here
[2001.09.24] - A new tool for the toolbox: PEriscope is a PE file inspection tool. You can use it for example as an aid when investigating files looking for different kinds of malicious code. I will add more features to it with time so please let me know which features you would like to see in future versions.
[2001.09.24] - We have changed the look of the site and at the same time also switched web service provider to one that hopefully will give us better service and performance than the former one. We hope that you like the new look!
[2001.05.01] - A new tool for the toolbox: IPSecScan is a scanner that scans for IPSec enabled systems. Coded by Arne Vidstrom.
2001.01.28 - Recently I have received a lot of mails asking about the fact that many antivirus programs detect tools from us as trojans. We never put hidden backdoors into our tools, and if you are interested to know why they are detected as trojans you can read more about it here
2001.01.26 - A Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below allows an attacker to disable networking if he/she is able to execute the exploit on the machine under any account. Found by Arne Vidstrom.
2001.01.10 - Check out this interesting article written by Randy Franklin Smith about WinZapper.
2000.12.07 - I get too many mails to answer them all, so please don't feel ignored if I don't answer yours. I try to answer as many as I can, so please don't stop trying - I like to get mails (especially encouraging ones). But those of you asking for source code or asking me to break into various systems, please don't bother - I will ignore you! And don't try to make up excuses why you need to break into various places either!
2000.11.20 - I've fixed two memory allocation bugs in BrowseList, and now the fixed version (1.4) is available here. I would like to thank Kevin Barnes for finding these bugs and helping me test the fixed version.
2000.11.20 - I've written a short paper about the use of TCP port 445 in Windows 2000 that you can find here
2000.11.07 - Another small tool for the toolbox: klogger. This is a keystroke logger for Windows NT / 2000.
2000.11.07 - In case somebody is interested I (Arne) have put up a small webpage about myself
2000.09.07 - A new small tool for the toolbox: BrowseList. It retrieves an extended browse list either from your own system or from a remote system.
2000.09.05 - Edit the security event log in Windows NT 4.0 and Windows 2000! WinZapper is the first tool (as far as we know) that will let you remove lines in the security log without clearing the whole log. Coded by Arne Vidstrom.
2000.09.05 - Updated version of tini fixes a problem with running it on Windows 9x.
2000.08.22 - A new addition to the toolbox section: tini - a simple and small (3kb) backdoor for Windows. It sets up a remote Command Prompt on TCP port 7777. Coded in assembler by Arne Vidstrom.
2000.08.13 - I've released FakeGINA - a DLL that intercepts the communication between Winlogon and the normal GINA, and while doing this it captures all successful logins (domain, username, password) and writes them to a text file.
2000.05.20 - I've released AckCmd - a remote Command Prompt that can bypass some firewalls. It works through the concept of ACK Tunneling, which I've described in a paper you can find here.
2000.05.07 - Chat at ntsecurity.nu! We have started our own IRC server at ntsecurity.nu:5555. It's running on Linux ;-) and is coded by Arne Vidstrom. You can register your own channels. Find out more about it here.
2000.03.30 - ntsecurity.nu featured in a Security Watch article at InfoWorld - "Boost your Windows NT security with tips and tricks from a dedicated vulnerabilities hunter".
2000.03.26 - I've added a security papers section, starting with a paper I've written about full disclosure.
2000.03.06 - The SQL Server dictionary attack tool SQLdict has been released. Coded by Arne Vidstrom. This is version 2.0, the older versions were all unofficial.
2000.03.04 - I've put up a page that will be dedicated to explaining why some applications bind ports when there seems to be no logical reason for them to do so. You can find it here if it is of interest to you.
2000.02.20 - I've been very busy lately, and have a hard time keeping up with all the mail I get. So please don't feel ignored if I haven't answered a mail from you. I'll try to get back in synch with everything as soon as possible.
2000.02.01 - A Recycle Bin creation vulnerability in Windows NT / Windows 2000 can be used to change executables in the Recycle Bin. Found by Arne Vidstrom and Nobuo Miwa.
2000.01.31 - A vulnerability in FireWall-1 version 3 makes it possible to circumvent script tag stripping. Found by Arne Vidstrom.
2000.01.21 - A vulnerability in rdisk for Windows NT 4.0 Terminal Server Edition exposes the registry contents to Everyone during update of the repair info. Found by Arne Vidstrom.
2000.01.21 - The TCP port scanner ipEye for Windows 2000 has been released. It does SYN, FIN, Null and Xmas scans. Developed by Arne Vidstrom.
2000.01.07 - The tool snitch has been released. It turns back the asterisks in password fields to the plaintext passwords. Developed by Arne Vidstrom and Roger Lindgren.
1999.12.27 - This is 2 to 3 weeks old news, but ntsecurity.nu has been selected as a featured site at The NT Toolbox site. Of course we are very proud. :)
1999.12.19 - The tool setowner has been released. Nothing really new, it's been done by others before, but I've coded this one to make the ntsecurity.nu toolbox more complete.
1999.12.18 - I've redesigned ntsecurity.nu, and I hope you like the new look. I'm also planning to release some new tools, papers, and other things during the next few weeks if all goes well, so keep your eyes open.
1999.11.30 - User to administrator elevation vulnerability found in the Windows NT Task Scheduler service by Arne Vidstrom and Svante Sennmark. Read all about the interesting exploit details, and take a look at the Microsoft security bulletin.
1999.11.14 - The Security Directory is increasing in size constantly, even though it got a slow start. From now on my good friend Ola Nordstrand is helping me with it to speed things up. Please take a few moments and submit your favourite security/hacking sites with the on-line form.
1999.11.05 - The tool DelGuest has been released. You can use it to completely delete the built-in Guest account in Windows NT 4.0.
1999.11.01 - Version 1.2 of the port to process mapping tool inzider released. Over 5000 downloads of version 1.1 and 1.2 so far!
1999.11.01 - ntsecurity.nu opened - I've moved my old site to ntsecurity.nu and improved it a lot. It will be focused on security for software built upon NT technology, that is Windows NT, Windows 2000 and applications which are able to run on those OS's. I know some of you have been waiting for updated and new tools and stuff, but this has taken almost all of my time until now.