Category Archives: Information Security

How to Hide Data in NTFS Streams and Break Software Integrity – From the WikiLeaks CIA Vault Leaks

WikiLeaks leaked out a CIA operations manual. Documents posted, with promises of more.  Currently, I am working on them like many other security researchers/hackers/technologically curios. Due to the semi-partial leak status, missing any real exploits. I decided to fill in the operations manual with exploits and how-to articles.

One technique caught my eye, hiding data in NTFS data streams. The full instructions were missing. I have enjoyed using this technique for many years now.  Some people already know about it. Microsoft even posted a blog on it back in 2013. We’ll take it one step further in a how to with some hashing J Microsoft has had a tool out called SysInternals Streams.exe available for free download which can be used for this technique.

If an attacker wants to hide data in plain sight, this is one method which can be considered based on the situation. NTFS ADS is also referred to as Forking. Yes, it has been used maliciously in the past. I decided to update the original posting with full instructions. Then take it up a notch to show you how to break file integrity by using SHA256++ with NTFS ADS.

Update to the leak original CIA manual for Everyone 🙂

NTFS Alternate Data Streams (ADS)

Exfiltration, manipulation of software and file integrity, obfuscation

Alternate Data Streams on the Root of the Drive

Depending on the target and system configuration. An NTFS alternate data stream (ADS) should be considered a viable method to hide data and foil protection or alerting. Particularly cases where protection present relies heavily or is dependent on file hashing as a method to verify file integrity. Whether it’s for exfiltration, manipulation of integrity, obfuscation or general tradecraft. Great for bypassing many security controls and pivoting deeper into a target network.

There are several methods. One of the easiest is from the command prompt. Work in the root of a hard drive directory. This can also be accomplished remotely if you already have remote access to the victim.

Gain access to the victim local or remote

Using a victim D drive as an example, due to limited privileges. The attacker has a file of IP addresses, which are additional Command and Control domains related to both StoneDrill and NewsBeEF, in addition to Kaspersky’s list. As part of a targeted attack, the attacker needs to get this list onto a victim machine silently. The attack can also be done with PowerShell or a batch file. Renaming Batch files once they are on the system to bypass security controls is normally easy with limited access. If it’s an executable, you can also use this technique with PSExec.exe. Many anti-malware and other protection will catch PSExec, but not always.

ntfs 1

Sample contents of the evil file

Perform the NTFS ADS and hide the Evil file

Open a command prompt local or remote on the victim machine. The attacker, for ease of use. Has placed the text file of Command and Control servers in the root of D, naming it evilcncips.txt

Create the file you want to hide the evil file in. In this example, we will call this file: testfile.txt. Type at the root the following commands. The command first creates the innocent file. The second command hides the evil file behind the innocent looking file.

ECHO “This is a test file” >testfile.txt

ECHO “This is the evil text in the ADS file” >testfile.txt:evilcancips.txt

ntfs 2

Verify the NTFS ADS Stream worked

Check what the directory shows in the command prompt. It should look the same as before the NTFS ADS

ntfs 3

What the directory looks like in the GUI

ntfs 4

Although it is possible to display ADS NTFS streams/Forks easily in a command prompt. This is beyond the normal user level and most technical as well. The technique is still somewhat obscure as a method for attack or espionage.  The GUI portion of Windows will not readily show the NTFS ADS file.

At the command prompt, ensure the NTFS ADS stream worked. It will show a double line with the original file, then show the hidden file.

dir /r

ntfs 5

When practicing, also verify using Streams.exe. In this example, Streams.exe was installed.

Open a command prompt and charge the working directory to where Streams is located. Then execute Streams against the innocent looking file: testfile.txt

streams d:\testfile.txt

ntfs 6

Hashing to F*ck with File Integrity

To ensure you hid the evil file on the victim machine. Hash the innocent file prior to NTFS ADS, recording the hash. The default hashing level in PowerShell is Sha256. Because modern Windows based victim machines have PowerShell. No additional tools are required to hash. The attacker does not need to be an administrator to use the PowerShell to hash a file. PowerShell is not being run as an administrator in this example. Most users and enterprise administrators are still unfamiliar with PowerShell and leave functionality default configured in a manner an attacker could exploit.

At a PowerShell prompt, use the cmdlet Get-FileHash, then the -Path where the original file is located.

Get-FileHash -Path d:\testfile.txt

ntfs 7.png

After the NTFS ADS, hash the original file again where the evil file is hidden.

ntfs 8

The hash will show the same hash. 9BB114C0FE4F787EF64A43F310EA81F273FC87001503A141A125D9689AE8DFEF

If the victim uses the NTFS file system, which most modern Windows uses. Anyone can hide whatever evil file they wish into an innocent one in a root directory like the examples shown. The victim nor attacker can display the hidden file in the GUI. Defence is based on if the target protection mechanisms can recognize the evil file or behaviour. Rarely is dir /r used. The file can be hidden and hashed with MD5, SHA1, SHA256, etc… The evil file will look hidden. This technique can be easily recreated and practiced before using on a target.


The result, relying on hashes for file integrity does not mitigate this risk or attack technique completely. The Hash process in a way hides the data further by giving a false impression of limiting risk. Many security products rely on hashing for file integrity. It’s accepted best practice. Now everyone knows it can be manipulated under certain conditions. I wrote about it in 2012, but never shared with the public. I feared an evil government could misuse it. Even if a great, free hug for everyone government is in power, sitting on exploits. Can you trust the next person or party in power won’t be or turn evil?

ntfs 9

I guess I don’t need that password or to encrypt the paper anymore. Thanks CIA & WikiLeaks 🙂

Microsoft’s Search your privacy away

Because searching another user’s documents is a great idea!

Last week a friend sent me the link, said it was a gold mine. Yes it is 😊 The breach was announced on Radio 1 Netherlands on 27 March 2017 as limited to some CV’s or resumes. No, no, no my friend. It is wide open. Microsoft sounded as if they had already fixed part of the problem. It’s days later and I can say nope.

Using the search function for “SSN” which is an acronym of the USA tax payer identification Social Security Number.

Search using a browser that allows JavaScript:

Docs com search bar

Get filled out loan, school, medical, tax, and other related documents. Below is a sanitized example of a person’s filled out loan deferment request form.

docs com school deferment form

I currently live in the Netherlands, land of the free, home of the Orange. To discover documents in Dutch. We changed the search terms and the language. A search for “kanker” which is cancer in Dutch yielded financial tax documents.

docs com kanker search

Using the search term “schulden” which is debts in Dutch, on 3 April 2017 documents with personally identifiable information is still viewable.

docs com schulder debts form

Business yearly financial workbooks viewable and can edit fields on 3 April 2017. A quick snap of my virtual machine system clock

docs com editable excel financial dutch business

There are debt collector’s documents listing court fees. Hospital documents. When I was informed of the leak last week. I went looking for a Microsoft Bug Bounty for privacy based vulnerabilities or breaches. There aren’t any. There are bounties for most of their products on the application level. Explains a lot about Windows 10.  In the Netherlands, the Dutch Data Protection Agency fines companies for these types of violations.

A search for “NHS Cards” yields NHS numbers, scanned cards, NHS email accounts:

docs com NHS card scanned straight

Since internet search engines index when they can. You don’t even need to search in to find content in Use Google, Bing, DuckDuckGo, etc.

docs com searchable by indexing search engines

Please Microsoft, flash a big warning to users of the system “Before you save documents to Please remove any personally identifiable information and do not post the PII of others. Anything you post here can be seen by the world!” Also, seriously consider a privacy based bug bounty program. The EU GDPR comes into full effect soon and the fines are promising pain.


Say Cyber one more time…

IT Security’s love hate relationship with the word Cyber

I attended DefCon 22 and as usual it was great! However, the word Cyber brewed controversy and passionate debates. One presentation by Keren Elazari thoroughly summarized the word’s roots and explained its essence. Others carried flasks embracing liquid alcohol yumminess upon the mere mention of the word.


I personally say it’s here as long as it’s used correctly but not too frequently. Do you hate the word? Have you played the Cyber drinking game? Or do you embrace it like a warm Snuggie?

DefCon 22 participant custom made T-shirt

How to get on a USA Government Surveillance list

Use any advanced search techniques in Google and you’re a Cyber-Terrorist

A recent warning was posted to USA law enforcement listing advanced Google search techniques as indicators of Cyber-Terrorism is slightly chilling. Thanks to: Sadly, this is not the Onion
saw this story. The advanced techniques are old school ways of ensuing you return only the filtered data you want in a more accurate manner. Google Dorking, as it’s called in slang is a method of searching for a specific keyword in specific conditions. For example, if you want to search only the website for the keyword LolCats in Dorking terms is: + “LolCats”.

Sean Gallagher from ArsTechnica, commented he believed the notice is meant to be more of a wakeup call to make law enforcement IT more aware of the techniques. I slightly disagree and saw only FUD in the law enforcement notice. The same story commentary also mentions how using advanced Google searches has already landed some reporters in trouble and wrongfully accused of criminal activity due to massive technology misunderstandings. Using a search engine is not illegal, at least not yet.

My advice if you are a law enforcement agency IT, learn more about Open Source Intelligence and disregard FUD notices written by technologically challenged policy makers. Here are ten friendly tips to help find or protect your internet exposed assets:

  1. Keep all public facing digital assets updated and harden them. There is no reason why you should be running old, weak crud on the internet.
  2. Apache Security read if you are running an Apache web server.
  3. How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services with Security Guidance of ISS Security if you are running Windows Server.
  4. Best option: Rent space on Amazon AWS or Microsoft Azure they have DDoS defenses and can get you an inexpensive, new server version up and running. This gets a web server off your network, cheaply, with defenses available and limits damage only to reputation no information leakage. Also, if hardware breaks, no interruption for the most part and they fix everything within tight time service level agreements.
  5. Scan your public servers and internal servers with Evil FOCA from Informatica64. Scan all your domains, download all documents, analyze and take a look at what you have up for the public to see and the baddies to exploit. Review your metadata exposure.
  6. Google Dorking is a good passive reconnaissance tool but if I wear my Ethical Hacker Hat I wouldn’t use it before committing a crime. I would move to non-tracking search engines such as also combined with untraceable connections and several hops away. Run regular searches using different search engines to learn your public exposure.
  7. Use ShodanHQ against your domain, IP range and keywords by using a filter. I love Shodan J Try a super advanced search word like: police. I’m disappointed but not surprised: Owen Sound Police Services – FirePro event data server and Wildwood Crest Police webmail server. Try and limit the amount of data available on your public facing assets. Please don’t advertise unless you are running a Honeypot so obviously!
  8. If budgets have your IT bogged down. Network and pool external resources and contractors. What if four departments could share 1 full time, traveling IT Security contractor?
  9. Cover over all Web enabled Cameras when not in use, especially in interrogation rooms!:

  1. Read the SANS Diary Internet Storm Center every day and listen to the Podcast.


Using Google Dorking or any other advanced internet searches are not illegal nor indicators of cyber terrorism. However, exposing private IT assets to the internet without proper hardening helps no one but criminals.

TSA, Opt-out and you’re a “Criminal Hacker” Yippee!

The continuing adventures of the Freedom Fondle and the nerve of some who choose to opt-out

Traveling to and from the USA, even for US citizens is a challenge. I’m getting used to the “random” SSSS on my boarding pass, intrusive and wholly inappropriate questions about my work, employer, ethnicity and religion. The accusations of carrying a fake passport because I have an “accent” or otherwise known as traveling whilst Hispanic in the USA. I travel with limited clothing as I expect them to be ripped or otherwise destroyed in-front of my eyes, again by Customs and Boarder Patrol. I stopped carrying anything which could even remotely be confused with the Arabic language. I travel with very limited, encrypted data. My family expects detainment and knows to contact a USA attorney if I don’t check in quickly enough after landing. Today was a new one and rather unexpected. I forgot to expect the unexpected with the TSA.

I opt-out when I’m traveling within the United States. This isn’t an option when flying from Europe to the USA due to an underwear obsessed, idiotic terrorist; but it is and a right whilst traveling within the USA boarders. As per usual I arrived in plenty of time for my flight, checked-in and got in the security theater TSA line for the shredding of my 4th amendment rights. As I approached the full body scanner I politely informed the male officer I wished to opt-out. Without engaging with any other ancillary officers, I waited patently to be freedom fondled in full public view. Standing up for your rights sometimes involves strangers groping my private parts, and I can live with that.

The female TSA officer by the scanner decided to loudly voice her option of those who opt-out. Standing by the full body, 4th amendment dissolving scanner. She explained to her male co-worker at a volume all in the area could clearly hear. A rant on how “all these criminals, so-called hackers, are a bunch of useless posers who should be in a jail cell not flying or pulling their BS by opting out”. For a few minutes she continued to spew her utter ignorance in an attempt to intimidate and humiliate me. I had no choice but to listen, the other passengers being screened had to as well. I wore no identifiable “hacker” shirt, just glasses and my usual pile of technology. My jacket was from an off-Broadway play, Avenue Q and I wore glasses. I guess glasses, computers and opting out is now a sure sign you are a criminal hacker that should be thrown into jail. I must have looked dangerous in my -7.00 bottle thick glasses!

Hopefully the situation will have a somewhat happy ending. When my freedom fondling by a different TSA officer began. I explained I wished to file a complaint, in writing, as soon as her glove was off. I was sent to a very understanding and sympathetic supervisor. After explaining I had absolutely no verbal or other engagement with the verbally abusive officer. I was given a form, the officer’s full name and a very friendly verbal acknowledgment that no TSA officer should act in such a verbally abusive manner. As many of the passengers on my flight heard the comments whilst being screened. I didn’t have to engage in any flight chit-chat. An added bonus for being labeled a criminal prior to boarding an airplane (?)

Not all the TSA are bad, just enough to taint the organization and cause disrepute to the actual honest hard-working agents. Hopefully my written complaint will be taken. Hackers are not criminals, nor are those who opt out. Those in government positions which chose to openly attempt to intimidate people into giving up their rights are.

We are the Calvary! Attackers & ArcSight ESM

Detecting compromised hosts affected by Droppers on compromised with a correlation engine

I was alerted the by a really proactive collogue via a whitelist. Further digging lead me to an excellent dissection up by Dancho Danchev. This might be a watering hole or just a nice money making opportunity. Recently journalism websites have been targeted for Watering Holes, however money is usually the bigger reason.

How can ArcSight ESM or similar correlation engines for detection if any of your organization’s assets have been affected?

Proxy and DNS and some IPS/IDS & Firewalls monitoring can report domain names and IPv4 addresses. In most cases both domain name lists and IP address lists are helpful for basic proactive detection.

IP4 & Domain watch list from my collogue and the Dancho Danchev blog and two additional domains I found for a Filter.
Detection Ratio is
how many URL Scanners in Virus Total detected any malicious code:


Domain Name

Detection Ratio




Virus Total Report             


Virus Total Report       


Virus Total Report         


Virus Total Report     


Virus Total Report                


Virus Total Report          


Virus Total Report                 


Virus Total Report            


Virus Total Report  


Virus Total Report  


Virus Total Report 


Virus Total Report                


Virus Total Report          


Virus Total Report       


Virus Total Report


Virus Total Report


Virus Total Report



A list for Filters & or Active Lists to help verify infection or issue. Redirection or secondary related information after the infected, compromised website is visited and your organizations asset is possibly redirected to further mayhem.


Domain Name



Website Screen Shot

Last Scanned 31/12/12




The attack is carried through the HTTP protocol.

How to detect via ArcSight ESM

  • Setup your Filter (s) “NBC-Com Suspect Attackers” which includes both the IP and the Domain Name information
    • Otherwise, Setup your Filter “NBC-Com Suspect Attackers_IP” if you only have IP logged data
    • Otherwise, Setup your Filter “NBC-Com Suspect Attackers_DN” if you only have IP logged data
  • Open a new Channel with log data from a Firewall, Web Proxy Server, DNS Server or any Connector which contains IPv4 or Domain Names
  • Set the dates of the Channel back to at least 21/02/2013
  • Add Protocol = HTTP & OR Port = 80 as a condition of the Channel
  • Add in the Filter(s) as a condition of the Channel
    • Protocol = HTTP & OR Port = 80
    • Filter = “NBC-Com Suspect Attackers”
  • Give the Channel time to load, adjusting the sliding timeline as required for performance and monitoring
  • Investigate hosts communicating with the suspect external actors
    • Assign higher priority to those end points which are most critical, try to communicate the most externally, behave in a strange manner or breach the perimeter.
    • I commonly add these suspect hosts to an Active List to observe as Potentially Compromised Hosts if they are not re-imaged or otherwise cleaned.
    • Use the data to build out a report showing how many compromised assets your department caught that anti-virus or anti-malware could not J




Power outages, mud and slow internet

ITSec Challenges in a less developed country Appropriate Reddit

It is a strange feeling when the tour book is strangely correct about your holiday location. There really is only 1 international ATM machine for an island of 330,000 people. The power goes out, allot. The police take up, um, “road side collections” and can be quite heavily armed. I don’t know when I felt more scared, being taken sued last year or when my father-in-law politely drove off after refusing to pay an on the spot fine/bribe. Tanzania like any other country has challenges. Some, quite frustrating to IT goals such as extremely expensive, low quality, slow internet service or frequent, unstable quality electricity. It is possible to have the necessary technology to run an organization in the harsh IT environment.

Friendly tips for basic IT sanity in Tanzania

  1. Don’t expect electricity clean, stable electricity all the time.
    1. Use uninterruptable power supplies on all your desktops.
    2. Have building battery backups of a generator with fuel.
    3. Always connect your electronics to a power strip that is at least a surge protector.
  2. Expect to lose your stuff.
    1. Any country where the majority of the population lives on about $1.70 a day gives way to desperation/petty theft.
    2. Employees can be easily bribed by your competition. Pay and treat them well.
    3. Encrypt your drives, from hard drives to SD cards. It is far better to just lose your smartphone with encrypted data than to lose your smartphone with sensitive or embarrassing information on it which is accessible.
    4. Weather and the environment is harsh, think about hardware failures.
  3. Limited number of talented IT technologists
    1. One of the islands we visited, part of Zanzibar has received electricity in 2010. Schools near Dar es Salam have no desks let alone electricity. Computer technology is new here.
    2. Learn some Swahili, it will help you explain issues. Google translate Swahili is in its infancy and cannot currently be relied upon.
    3. Research your staff or support company well. There are very few options but ask around before you sign any contract or new hire.
  4. Bandwidth is not up to European standards.
    1. Some Europeans and Asians have the good life when it comes to the internet. Lightning fast speeds and great quality. This is Africa.
    2. Expect to pay allot for any internet services.
    3. Have a backup provider just in case yours fails.
    4. Do not take the cheapest unless it is a promotional deal from a reputable provider.
    5. Use a router/modem that also has a 3G or higher backup connection. This can keep your office or you up and running if your provider loses power.
  5. Cost and availability
    1. What is available in other parts of the world might not be in Africa.
    2. High end hardware or software might not be sold or supported here due to lack of customer base.
    3. If you must import hardware bring spares.
  6. Security
    1. Availability: Backup to a mirrored drive, save to the cloud uploading and synchronizing as required. Use more than 1 DNS provider and do not solely rely on your ISP.
    2. Integrity: Lock down those USB drives and use end point protection.
    3. Confidentiality: install encryption software for hard drives, cloud backups and email. The government and possibility others most likely monitor unencrypted communications

Tanzania and similar countries are challenging but can yield successful IT implementations. Few places in the world make the challenge worth it. Beaches, live coral, lions, elephant, galloping giraffe and the Rift Valley. The people are generally happy, beautiful terrain, enticing lagoons and cultures.

I didn’t plan on spending my New Year’s Eve covered with mud after trying to push a SUV out of an impassible road. Luckily someone came along with a shovel by chance within an hour. Our rescuers tried to tow us out but the rope broke. Although it was the best New Year’s Eve ever, we could have avoided the mud baths if we had packed a rope and shovel.


























Hospital patient insecurity due to lacking patches or decent passwords

This time only 493,000 patients lost their privacy, systems left wide open for years.

A hospital in Gouda, the Netherlands called Groene Hart Ziekenhuis (Green Heart Hospital) had according to Bonnie at the Nederlands Genootschap van Hackende Huisvrouwen (Netherlands Society of Hacking Housewives) and reported to the journalist Brenno de Winter (@brenno) allowed weakly configured servers which contained confidential information accessible to the internet which contained patient data for almost half a million people. These sensitive systems had been left in an insecure state for several years. This is nothing new in the Netherlands; the same group reported a similar data leak involving over 800,000 Dutch citizens and residents at another facility in July, 2012.

Information which was exposed:

  • Patient Name
  • Date of Birth
  • Address
  • Tax ID number (BSN like US Social Security number)
  • Telephone number
  • Patient number
  • Insurance number
  • Diagnosis
  • Medication
  • Lab results
  • X-rays and similar medical imaging
  • Treatment plans

Why was the information accessible?

  1. Unpatched and outdated versions of Microsoft, Adobe Flash and VMWare. Recently the CSIS Denmark released a report that highlighted 99.8 % of malware or virus infections could be mitigated by patching these applications along with Adobe Reader and Java.
  2. The password for the administrator account was ‘groen2000‘. The password is both easily guessable and extremely weak 40 bit strength. Using Jack the Ripper, and a beefed up system could crack the password in seconds. I wonder if 2000 was the last year the systems were patched?

Why are medical facilities, hospitals, insurance companies and doctor offices seemingly so lacking in security and unsympathetic towards patient privacy?

  • Shockingly, the maximum fine in the Netherlands for data breaches is only 4,500 euro. This is cheaper in some cases then implementing anti-virus or buying a decent firewall. My previous Dutch GP once told me without flinching “Our systems are secure because we use MacOS, no anti-virus is needed.” If the punishment is cheaper, way cheaper that remediation I would take a fine any day.
  • DRA the agency tasked with ensuring data privacy and investigating breaches is staffed with about 80 personnel, which includes all support staff whilst the Dutch Animal Police has over 500 officers.

Link to original story:

More proof that patching, keeping systems on supportable versions and strong, secured passwords are a basic requirement for you and all organizations. Lastly, Dank uw wel/thank you very much to Bonnie and the
Nederlands Genootschap van Hackende Huisvrouwen, it is good to know we have highly technical, expert, hacker housewives willing to take a risk and help protect our privacy when governments fail to do so.





Patches! We don’t need no stinking Patches!

And you thought implementing a vulnerability program was too expensive!

Recently the CSIS Denmark released a report which highlighted 99.8 % of malware or virus infections could be mitigated by patching five key applications. Those applications, some of our favorite:

Internet Explorer – Lots of bells and whistles elements built into the browser which must be kept up-to-date for them all to be as secure as possible. IE is now a very secure browser for the most part, if kept patched! As with all browsers, if there is a dodgy website setup to exploit a browser weakness, unless it is a zero day (rare), patching will protect from this risk and is easy to deploy locally and administratively.

Windows Vista & Server 2003 – Both operating systems need to be kept up-to-date with a roadmap for upgrade to Windows 7 & Server 2008 respectively. If you weren’t aware, most users would rather still use Windows XP over Vista and would love to be upgraded to Windows 7. Both Server 2003 and Windows Vista have been out for a number of years and those naughty cyber-criminal syndicates are very familiar with exploitation. The operating systems are weaker than their upgrade counterparts due to some architectural flaws. An operating system infection is dreadful, you can’t trust any installed applications or the OS itself. They can also take the greatest amount of time and highest cost to remediate.

Adobe Acrobat Reader/Writer – The business, internet, research, and education necessary applications all computer users at one time (or 20 times today) have used much to our delight and frustration. Due to the widespread usage of the apps and lack of patch management they are a juicy, luscious easy target.

Java JRE– Again, widespread usage and lack of general patch management is a driving force behind infections. Also, this application, similar to many Adobe products, suffers from a less than favorable security reputation.

Here how expensive not patching and vulnerability testing is:

You have to call the CEO and or the board to an emergency meeting. A trusted third party supplier infected your network and compromised very publically a primary database of customer information. It seems quite sensitive customer information that is. The CEO and or other higher up well known for arse-chewing or at least the level that can terminate you instantly is on vacation. As an extra bonus, it is 2 am his/her friendly, understanding corporate officer’s local time. No matter if your IT Security department had sign off, documented meetings, warnings etc.… to the upper management or board that a program was needed it will still cost reputation, business and possibly jobs before the dust is all cleared.

If you are new to the topic, a fantastic resource for assistance is Reddit NetSec and need some solid answers. Try to avoid loss from the door being left unlocked to all your organization’s information because of an aged or insecure application that in most cases just needs a free patch. If your patch and vulnerability testing is lacking, get up to speed now. If all else fails, you can learn to use some new tools and update your CV/resume, just in case due to pressures within your organization there is a risk of ever having to make that loud, uncomfortable and/or demoralizing phone call.

There are low cost, awesome, high feature, speedy tools that can be used to express the importance of patching and vulnerability testing. They also have a low learning curve for new users:

Nessus– There is a limited free version which is perfect to perform quick (non) commercial tests. If you contact them and explain you wish to use a demo with more features I’m guessing they will likely send you one. Once you use Nessus it’s a fairly easy sell after presenting the app’s generally solid results.

FOCA-This is one of my favorite tools, always impressed when I use it. It is a succulent, meta-data driven beauty that makes basic to medium level pen testing feel like a holiday on a warm tropical beach during winter. At a push of a button, to paraphrase from their Hack in the Box presentation: Perfect for the lazy pen-tester. FEAR the FOCA!

Belarc Advisor– There are fully functional (free) home and low cost corporate versions. Its HTML based and can be parsed with functions such as displaying software keys, if patches were correctly installed with hyperlinks for rectification, review of user accounts and a custom security score. I have used it for more years than I care to reveal lest I date myself out of the abundant job market.