I'm always amazed by the productivity burst that results from having the right tool for the job—in terms of both the amount of time it takes to do that job and the breadth and accuracy of the data I obtain while performing it. Over the past few years, I've amassed a collection of great utilities that I rely on every day. These tools make my job easier, give me faster and more accurate results, and make my clients happy. I carry the utilities on a portable USB drive so that I always have them ready at a moment's notice. And the best part about my toolkit is that all its tools were 100 percent free. For information about how to locate and download each tool, see the Learning Path.
Utilities for Communicating
FileZilla
While working in the Web hosting industry, I often needed to move large numbers of directories and files between servers. My clients needed to do the same as they released new versions of their code to their Web sites. Walking clients through a command-line FTP session over the phone wasn't my idea of entertainment, but many weren't familiar with FTP, so it was sometimes necessary. Although commercial GUI FTP clients were available, it always bothered me to have to pay $10, $20, or $30 to license a GUI for a protocol that had been around forever. So, one day I set out to find an alternative solution. It had to be graphical, it had to be free, and it had to at least let me do a simple bulk copy of files and directories from one location to another via FTP. One tool accomplished all that and more: the open-source client called FileZilla.
FileZilla is a GUI FTP client that runs on all 32-bit versions of Windows, from Windows 95 to Windows XP. FileZilla supports FTP and SSH File Transfer Protocol (SFTP) transfers, drag-and-drop transfers, queuing multiple files and multiple connection transfers, and PASV (passive) mode. Simply put, it offers every feature that most of the commercial packages offer—at zero cost. This utility should be in every administrator's toolbox.
As a bonus, FileZilla also comes in a server version, in case you need a quick and simple FTP server but don't feel like installing Microsoft IIS. Or perhaps you can't install IIS, as in the case of XP Home Edition. Figure 1 shows the FileZilla client in action.
OpenSSH
About a decade ago, a Finnish engineer named Tatu Ylönen designed the first version of a protocol known as Secure Shell (SSH). That early version (now commonly referred to as SSH-1) let you create secure, encrypted "shell" sessions (think command prompt) on UNIX systems across untrusted networks, such as the Internet. Today, SSH has become the de facto standard for remote management in the UNIX world, and it's now also available for the Microsoft realm in the OpenSSH suite.
Now, you might be wondering why you need SSH if Microsoft already includes a Telnet server and client with all the latest versions of Windows. The answer is security: Although you can use Microsoft's Telnet components to remotely create a command-prompt session over the Internet, that communication session will be in clear text. Anyone with curious eyes and commonly available packet-sniffing software (for example, see the discussion of Ethereal a bit later) will be able to easily see exactly what you do in a Telnet session.
The purpose of SSH was to replace unsecure protocols such as Telnet while providing the same capabilities. Although administrators commonly use SSH for Windows to create a command-prompt session over an unsecure connection, they also commonly use SSH to tunnel TCP ports over the SSH channel, as well as for secure file transfers.
I find SSH to be a useful remote-management protocol for my clients. Often, I'm working wirelessly over low-bandwidth connections, such as cellular data (i.e., General Packet Radio Service—GPRS), and need to remotely connect to clients' systems. Using SSH, I can establish a command-prompt session on a remote system, know that the connection is secure, and work quickly to resolve a problem. Figure 2 shows an OpenSSH client session. Graphical protocols such as Terminal Services are great when the bandwidth is available, but when it's not, SSH is a terrific alternative.
As a bonus, some good SSH clients are available for both PocketPC and Palm OS handheld devices, giving you a great set of secure remote-management capabilities in a lightweight form factor.
Utilities for Sniffing
WinDump
Some days, I dream about giving up on the whole server-engineering and consulting gig and instead becoming a hardcore networking guy. After all, networks are simple, right? Either the packet is there or it's not! Obviously, I'm oversimplifying, but when I want to pretend that I know what I'm doing with a network, I bring out one of my favorite command-line utilities of all-time: WinDump.
WinDump is an exceptionally powerful command-line packet sniffer. Ported over from the source of the Tcpdump utility available for UNIX, WinDump carries over the same power and flexibility to the Windows world, all in a lightweight 440KB executable.
WinDump is a helpful utility when you need to do some quick and easy packet capturing to diagnose a network problem. It's flexible, and it can capture and display details about every packet going across the network interface. It can filter the output results based on protocol (e.g., Address Resolution Protocol—ARP, IP, TCP, UDP), source network or host, destination network or host, source port, destination port, and many other criteria.
To use WinDump, you'll first need to download and install the Windows Packet Capture Library (WinPcap), the Windows port of the open-source packet-capture and network-analysis library libpcap for UNIX. WinPcap runs on all versions of Windows. The most recent beta (at the time of this writing) is version 3.1 beta 4.
After you install WinPcap, you can download the standalone WinDump executable. Version 3.8.3 is the most recent version at the time of this writing, and it works quite nicely with the most recent WinPcap beta. To launch WinDump, simply run it from the command line with the appropriate options for what you'd like to capture or read. You'll find the online manual for WinDump at http://windump.polito.it/docs/manual.htm.
As you can see in Figure 3, the first command you might want to execute is Win-Dump -D. This command displays a list of interfaces available on your computer, as well as a corresponding number for each interface, so that you can determine which interface to use for your sniffing activities. After you know which interface to run, you can simply use that number with the -i option (i.e., WinDump -i 3, if number 3 is the interface you'd like to use) to start viewing packet data in real time. (Because these are ports of UNIX utilities, the command-line switches are case-sensitive.)
Ngrep
Although WinDump is a tremendous utility, sometimes it requires a considerable amount of overhead or knowledge to determine what you're looking for. For example, suppose you're trying to look up whether a DNS query is making it across your network, but you aren't familiar with the protocols and that DNS uses by default. Or, suppose a lot of traffic is coming across a network connection, and you're finding it too cumbersome to work through all the packets just to find the one particular packet you're looking for. For such situations, I always rely on ngrep, the network-aware grep utility.
If you aren't familiar with grep, it's probably one of the most widely known and oft-utilized UNIX utilities. Grep finds matching text strings (through a mechanism known as regular expressions) in files on a file system, then outputs the lines to the display. You might compare grep with the Windows command-line Find utility, but grep differs by providing an exceptional amount of power in its search for text strings.
By applying these capabilities to the network layer, ngrep provides the same level of functionality for packet sniffing. As a result, you don't need to know what protocols, ports, network, or IP addresses that two devices are using to transfer data. You just need to know something about the packet's payload, and ngrep will find it for you—regardless of how it's transmitted.
I often use ngrep for troubleshooting DNS query problems. In a large Active Directory (AD) environment, dozens of DNS queries are typically occurring across the network per second. If I'm trying to troubleshoot a specific set of problems, searching each packet to find the one I'm looking for is cumbersome at best. Instead of relying on a straight packet capture of all DNS traffic, I can simply use ngrep to find the text string I'm looking for because DNS queries and responses are performed in plain text.
Ngrep currently recognizes ICMP, IGMP, Raw, TCP, and UDP protocols across 802.11, Ethernet, FDDI, PPP, SLIP, Token Ring, and null interfaces. It requires the WinPcap library (as WinDump does) to operate properly. (Ngrep 1.43 has been tested to work with WinPcap 3.1 beta 4.) As you can see in Figure 4, I've instructed ngrep to catch any packets with the word "utilization" embedded in them. Ngrep picked up a packet out of an AOL Instant Messenger (IM) conversation that I was having with one of my colleagues at the time.
Ethereal
When you face a situation in which you need to roll up your sleeves and dive as deeply as possible into network capture and analysis, one utility needs to come to mind: the world's most popular network analyzer, Ethereal. Network experts around the world use Ethereal because it has all the standard features you'll find in most protocol analyzers, in addition to some you won't find in any other product. More than 400 developers around the world have made contributions to this open-source application. A decade ago, I paid nearly $20,000 for software that had the same capabilities, but Ethereal offers it all free.
Ethereal can capture data off your network connection, filter the data, dive into the details of each packet, save the packet capture for detailed analysis, send packet captures to other network engineers (or vendors) to help with debugging, and open packet captures from many other leading packet-capture utilities. Ethereal can capture data off of various network transports, such as Classical IP over ATM (CIP), Ethernet, Fiber Distributed Data Interface (FDDI), Point-to-Point Protocol (PPP), Token Ring, 802.11, and loopback interfaces (although it doesn't support all types on every platform). Across all those network transports, Ethereal can "dissect" more than 750 protocol types, including FTP, HTTP, NetBIOS, POP3, remote procedure call (RPC), SNMP, SSH, SMTP, and Telnet, just to name a few.
Like the other sniffing utilities I've mentioned, Ethereal depends on an installation of WinPcap to function properly, so you'll need to install that first. Then, after you install the latest Ethereal distribution for Windows, simply access the Capture, Interfaces menu and select the interface you want to start using for capture. Then, you're ready to start analyzing your traffic. Figure 5 shows a quick look at Ethereal's primary interface.
Utilities for Scanning, Auditing, and Monitoring
BareTail
Many applications keep detailed logging data in straight text files because the Windows event logs aren't appropriate for certain types of data (e.g., IIS log files). In the course of monitoring or troubleshooting these types of applications, it's often helpful to watch these log files in real time. However, because they're text files, that process typically consists of opening the file in Notepad or another text editor, looking at the contents, closing the file, then reopening the file to see what's changed.
In the UNIX world, a utility that serves this purpose has been available for quite some time: It's called tail. Fortunately, the good folks at Bare Metal Software have developed a free version of the tool called BareTail. Although BareTail isn't an open-source tool, as with the rest of this article's utilities, it's quickly becoming one of my most frequently utilized utilities—even though I just recently discovered it.
BareTail is a great utility for watching log files, such as IIS logs, cluster logs, and any other type of logs that can generate a lot of data quickly. Figure 6 shows the tool in action. BareTail can keep up with large log files (e.g., greater than 2GB) just as quickly as with smaller files, and—for easier visual recognition—it can selectively highlight specific entries that appear in a file based on matching text strings. For example, suppose you want to highlight references to cmd.exe in an IIS log file to easily spot which incoming connections are attempting to exploit known vulnerabilities.
One of BareTail's most compelling qualities is that it's a completely standalone executable. There's no installer package to work with, so you can use the utility on a client's system and feel safe that you've had little or no impact on the system after you complete your work.
NeWT
When I have security on the brain, I generally look to the open-source community for answers, rather than to specific vendors. After all, the open-source community can be voracious in its efforts to find and understand every aspect of a vulnerability or flaw. A shining example of this security consciousness is the open-source vulnerability scanner called Nessus.
Nessus is the world's most popular opensource vulnerability scanner. An estimated 75,000 organizations worldwide rely on Nessus to assess their networks and check for vulnerabilities. Originally launched in 1998 for UNIX, Nessus has been ported over to Windows by Tenable Network Security in a version called NeWT.
Tenable Network Security provides the standard version of NeWT free for anyone to use for any reason. The only limitation is that the host that NeWT runs on can scan only its local subnet. With more than 6000 known vulnerabilities that it can test for, NeWT is now the best vulnerability scanner available for the Windows platform.
When you unleash NeWT on your local subnet, it starts its process of testing each host it finds for vulnerabilities in its database. You can configure NeWT to test only for certain vulnerabilities—for example, if you're a 100 percent Microsoft shop, you don't need to test for UNIX vulnerabilities—and whether to attempt to fully exploit any vulnerabilities found to confirm its tests. NeWT can check for buffer-overflow vulnerabilities, watch for misconfigured application services (e.g., mail, Web), find all the listening ports on a server and determine the OS type, look for backdoors installed on an infected host, and more. Figure 7 shows NeWT's results following a vulnerability scan.
If you provide NeWT with appropriate administrative credentials, it will dive even deeper into your systems and check for local patching or the existence of malicious software. For example, on a test "victim" system in my lab, NeWT detected several spyware and adware packages that I intentionally installed on that host for some tests. NeWT recommended that I remove those applications. NeWT is the first tool I grab when I start a security assessment for a client, and it should be in every administrator's toolbox.
Winfingerprint
If you're looking for a quick and simple way to obtain information about a remote system, Winfingerprint is the tool of choice. Winfingerprint is a network scanner that runs on Windows. Unlike most network scanners, Winfingerprint is specifically designed to obtain information about Microsoft hosts and applications. Winfingerprint can use ICMP, RPC, SMB, SNMP, TCP, and UDP to obtain information (e.g., OS version, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks) about target systems. Winfingerprint comes in both a GUI version and a command-line version, so however you prefer to work, there's a version of Winfingerprint for you.
As you can see in Figure 8, Winfingerprint determined the number of drives I had installed on my target system, as well as the MAC addresses of the interfaces and the OS and patch level. What you can't see in the figure, however, is that Winfingerprint went on to enumerate all the share names on that system, as well as the services that were installed and the names of the users. The tool obtained all that data in about 20 seconds, making Winfingerprint a terrific tool for quickly collecting inventory data about networked systems.
Open Your Mind
For a long time, Windows administrators haven't been able to find many useful tools in the open-source environment. But now, times have changed, and you can find many beneficial, well-written software that's been ported over to the Microsoft space. Collaborative environments such as SourceForge are great repositories that you can browse through to find open-source utilities that can help you. Watch for a new collection of exciting free tools in a future article.