This is a tool which dumps the contents of the endpoint mapper on NT target hosts. The output leaves something to be desired, but it gives some ideas about what's running and waiting on what dynamincally assigned ports.

David LeBlanc's utility for monitoring malicious group creation by end users.

Somarsoft RegEdit, a DLL callable by 32 bit Visual Basic that can be used to view and/or modify user registry profile.

WDumpEvt is an administration tool that makes it easy to manage all the information from Windows NT logs. Browse the eventlog tree, dump the data to a file in ASCII-delimited format for importing into a database or spreadsheet, or choose HTML format for an easy-to-read display. The resulting file can contain information such as type, number, and category of the event, plus computer name, date, user, description. Dump the data of the system, security, application log, or only a source, category, or event. Dump all the data or just the data from the last dump. Erase or save the data in the eventlogs, too. Schedule all these actions thanks to the LogSched service to have regular save or dump. Retrieve properties about eventlog files: events number, begin and end date, file size, etc.

ClearEventLog is a FREEWARE Windows NT application that can clear the system, application, and security event logs via a simple command-line operation. It can clear them separately, or all at once.

DumpEVT is a Windows NT program to dump the event log, in a format suitable for importing into a database. Used as basis for eventlog managment system, for long-term tracking of security violations, etc. There is also a DLL version of DumpEvt, which allows you to read the formatted event log from Visual Basic.

Windows NT program to dump the permissions (ACLs) for the file system, registry, shares and printers in a concise, readable listbox format, so that "holes" in system security are readily apparent. Must-have product for Windows NT systems administrators. Fully functional and free of charge. Retrieve copy (247 KBytes, 25 Apr 1997). There are also non-Intel versions available for this product. It is also possible to run on an Intel machine and dump information from a non-Intel machine. The current version of DumpAcl requires NT 3.51 or 4.0. It is possible to run DumpAcl on an NT 3.51 or 4.0 workstation/server and dump information from a server running NT 3.5.

AFind lists files by their last access time without tampering the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames, coordinating this with logon info provided from ntlast, you can to begin determine user activity even if file logging has not been enabled.

HummingBird is a distributed component for any Intrusion Detection System. Features: Share security information with any Internet host, Powerful search-able database of security relevant data, Easy to use data visualization, Detects light but network wide attacks, Keeps historical data of system status, Hosts can be organized in a hierarchy for better management and information flow, Java interface for alert messages. HummingBird Project.

nstreams is a program that detects the common network streams occuring on a network (such as http traffic) from a tcpdump output, and which prints them in a human readable form, or directly generates a ipchains/ipfw output

Diskmon is a GUI/device driver combination that together monitor and display all hard disk activity on a system. It has advanced search capabilities that make it a powerful tool for exploring the way NT works and seeing how file systems use the hard disks.

CyberSensor enables spying on any WIN32 API call. You can install any number of prehandlers and posthandlers for the API call. It enables spying on a specific process, its children or allows you to put a system wide hook. Features: Network based Machine Activity Monitor (NMAM) will be able to spy remotely on all the machines in the network. This can be used for monitoring user activity. The activities which can be monitored include Registry, File System, Internet, E-mails, Security, etc; API Library for writing your own spys; Framework for adding new monitors to NMAM; No configuration requirements on individual machines in the network; Centralized User Interface for the entire network. By Cybermedia Software Private Limited (CSPL). diskmon.zip Mon Aug 16 17:25:10 1999 8K This is a Gui/device driver program that watches all hard disk activity.

This tool is designed for people with a mixed Unix and Windows NT ™ environment. Many organizations prefer to run a central syslog daemon. Unfortunately they are not able include Windows NT event log information in their syslog’s. Here EvntSLog comes into the game: EvntSLog runs on top of Windows NT, reads the NT event log and sends it’s content via syslog protocol to your central daemon! And, here we are, now you will be able to see each and everything in one central location (isn’t that the reason syslog was created?).

This is the initial release of an application written to monitor paths for incoming files. When a change is detected an SMTP e-mail message is sent to the party or parties related to that directory.

Back Orifice 2000 is a newer version of CDC's remote administration utility, Back Orifice.

Two perl based fake daemons for basic intrusion detection. Sendmail and Telnet daemons respectively. You will need Win32 PERL for this to work on your system.

X-RAY VISION provides privacy and security to the Internet user by filtering out unwanted ActiveX controls, Java Script, Java applets, cookies, push/pull technologies etc.

TCFS is a Transparent Cryptographic File System that is a suitable solution to the problem of privacy for distributed file system. By a deeper integration between the encryption service and the file system, it results in a complete trasparency of use to the user applications. Files are stored in encrypted form and are decrypted before they are read. The encryption/decryption process takes place on the client machine and thus the encryption/decryption key never travels on the network.

This program is meant to run as a cronjob. I have it run once a day, but busy shell boxes may want to run it twice a day. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes. You can also run this manually for spot checking.

It also tracks s[ug]id files by md5 checksums. This helps detect if a root kit has been installed which would not show under normal name and permissions checking. Directories are tracked by inodes.

Linux FreeS/WAN is an implementation of IPSEC & IKE for Linux. IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents.