Wednesday, December 7, 2011
We also released ipPulse v1.81 and v1.82 in that same timeframe. The most important changes were in the secure email sending section of the program.
NetScanTools Pro was also updated with a minor release 11.11 back in October. There will be one more release of it before the end of the year.
The new IPv6ScopeFinder program was also released back in October. It's free so try it out if you use IPv6.
Tuesday, October 18, 2011
Read about it and download it here.
Friday, October 7, 2011
The first thing I did was use Dependency Walker to see if our program called that entry point in user32.dll. It did not. So I searched online and found the answer.
Apparently some misguided installers are putting a Vista file called dwmapi.dll into the Windows XP Windows\System32 directory. Some programs like NetScanTools Pro v11 are affected by this and give the IsThreadDesktopComposited error. Some people have noticed this happening after a Windows Live Messenger or Mail upgrade but I have not independently confirmed this.
1. locate dwmapi.dll in the windows\system32 directory
2. rename or remove it
3. reboot to be sure it's unloaded from memory
Friday, September 16, 2011
Just in case anyone is having the same problem on Windows XP, here is the solution for it. The problem is the same, the commands are slightly different.
Command for showing the teredo interface state:
netsh interface ipv6 show teredo
If it says the state is offline with error of none, try this:
netsh interface ipv6 set teredo enterpriseclient
That should do it. The IPv6 network components were incorrectly thinking your computer was in an enterprise situation.
Thursday, September 15, 2011
We have noticed that many people looking at our Packet Generator got there because they were looking for a 'Traffic Generator' or a 'Packet Flooder' - but found that the Packet Generator is really not capable of filling an interface up to the bandwidth they want. They now have their wish. And it works with IPv4 or IPv6.
NetScanTools Pro v11.10 (not released yet) has a new tool called 'Packet Flooder'. It can generate UDP packets at a very fast rate using multithreading. The packet payload can be either random numbers or alphabetical 'abcdefg' etc. The payload length can be random or fixed. The target port can be random or fixed.
Another new thing you may notice is the bandwidth gauge and historical chart. You are going to see more of these in future versions. The gauge shows the real time bandwidth utilization and the historical chart shows it over time.
Saturday, September 3, 2011
Drop by http://www.netscantools.com/labordaysale.html and check out the savings.
Have a great holiday weekend!
Friday, September 2, 2011
In IPv6, it's not quite so easy. In Windows or any other OS, you will often have two or more interfaces capable of talking IPv6. Since all link local addresses begin with FE80:, there is no method for saying this one address is on this segment and this one is on that segment like there is in IPv4 (by using IP address and subnet mask).
Essentially you have to tell the software you are using which interface to use to get to the link local address. If you have one interface to your switch and all the other devices are on the same VLAN, then it's pretty easy. You do this by appending a %# where # is the IPv6 interface number in Windows - also called the Scope ID. In unix derived operating systems like Ubuntu or OS X Lion, you would use %eth0 for the main interface.
How do you know which interface to use? That's where you have to know your network. In my case, this particular XP machine assigns '6' as the Scope ID - you can see this using ipconfig /all. It could be any number, but it's usually a single digit. So to ping an IPv6 address you would enter smoething lik "ping -6 FE80::3CC0:1%6" on the command line (no quotes). Or if you were using NetScanTools Pro v11 Ping Enhanced you would enter FE80::3CC0:1%6 as the target. If you leave off the %6 or change it to another number the software will not know which interface to send the packets out of. In NetScanTools Pro, you will see an error message. The command line ping will tell you the net is unreachable if you use the wrong Scope ID.
Just a few things I've learned about IPv6 link local addressing.
Wednesday, August 17, 2011
It's on youtube and will be on the videos section of netscantools.com soon.
Friday, August 12, 2011
The tools are still the same in this release.
We have some facinating plans for v3 - but I can't talk about them yet.
Tuesday, August 9, 2011
I noticed that the cursor was still jumpy. Strange. I started Task Manager and saw that most CPU activity was in 'System Idle Process' so there wasn't any specific program hogging CPU time. So I ran a chkdsk from the command line. It was so slow I had to terminate it. More strangeness. I checked the event log and saw no errors - I was looking specifically for disk errors. Just to be safe I did a chkdsk /f and rebooted. Went away for an hour and XP was finally back up when I came back. But still the cursor was jumpy.
Next I used SysInternals (MS) Process Explorer and saw the real problem: Hardware Interrupts. Normally interrupts account for less than 5% of CPU time, but they were going up into the 90%+ range whenever any program touched the hard drive. This meant something was wrong with the hard drive itself or the interface. After a long search on Google I found the answer.
Apparently XP will change the disk controller transfer mode from the DMA transfer modes (Ultra DMA in our case) stepwise all the way down to slow PIO (parallel IO) mode in steps if six or more timeout or CRC errors are seen. By going to Computer Management/Device Manager I could see that the boot drive C: was in PIO mode. Apparently GMER hit the disk hard enough (combined with the age of the machine) that it had enough drive errors to lower it to PIO mode.
How get it back to Ultra DMA mode: from Device Manager right click on the offending IDE channel (drive 0) in my case, then select Uninstall. Now restart. Sounds scary, but it's not because it does actually reboot OK. After it starts, it will ask you to confirm changes and it will restart again. Problem solved.
This process and a full explanation of what is happening can be found at:
http://support.microsoft.com/kb/817472 - don't bother with the hotfixes, they apply to earlier SP's, I had SP3. The section marked 'workaround' is the one I used.
I don't think I'll be using GMER on that particular machine again, but I've used it on other machines - no rootkits.
Monday, August 8, 2011
For years we've been using the old Wise 9 Standard Edition Installer. As of today there is one less thing using it: the NetScanTools Pro v10 Demo now uses Inno Setup. This is a great installer and it produces an install file that's 7MB smaller than Wise while accomplishing the exact same thing.
I'll be converting the Pro v11 installer to Inno Setup soon. A little more involved than the demo, but not impossible. Once that's done, the only thing using Wise will be the patch for the USB. I don't have a good replacement for that yet. Suggestions?
Thursday, August 4, 2011
This new algorithm will be applied to all packet types, TCP, UDP, ICMP, CDP and RAW. It is best used for sending UDP packets because if you are thinking VOIP or video that's where things like jitter and packet delay variation are important.
Other changes to Packet Generator include the removal of that floating status window - it caused timing delays due to updating the window. The new packet burst mode is now operational where if you put the packet delay at zero (0), it sends a burst of packets defined by the number of duplicated packets to send out to the target. This burst mode sends the packets as fast as the interface can send them.
Both accurate interpacket timing and burst mode can be helpful in termining the location of bottlenecks and poorly performing devices.
A couple other things are being added to Packet Generator before release - and there was one bug that was fixed which affected users that have more than one outgoing interface.
Tuesday, August 2, 2011
Thursday, July 28, 2011
There was one fundamental operational change that you should be aware of: ping sweep has been moved up near the start of the switch mapping process. This was done to force the switch to update it's bridge tables with any mac addresses that may have 'aged' out of the tables. That way as many devices as possible will be seen. Be sure to put in all the IPv4 ranges you need to be pinged ahead of time.
Another set of changed dealt with the operation of the IP to hostname resolver. We added a control in Settings to turn use of the caching table on or off. We also added a control in Settings to be sure that it is erased on exit. The reasoning behind this is that in a DHCP environment, IPs change and you should probably be clearing the table more often. The table is used much like a 'hosts' file for quick resolution of IPv4 addresses to hostnames in successive mappings. This will become more necessary in v2.0. In order to minimize DNS queries, we use this table. Now there are more options for erasing it to remove what will become stale information. One other thing we added was a check for duplicate hostnames - what we mean by this is two IPs having the same hostname. If this is found, you get to see the hostname(s) and IPs that are sharing the hostname. You would definitely want to manually erase the IP/hostname Resolver table in Database Maintenance if this occurs. If it repeats after doing that, you have a DNS problem.
Another change was in the area of print margins. A user pointed out that the print margins were rather large. Investigation revealed that the default margins were supposed to be 25mm. But in reality it was more like 250mm or one inch. If you are using a 96 dpi printer, then it is one inch. The File menu now has Print Page Options to allow you to change this.
Finally, in an effort to get away from the ancient Wise installer that we've used for years, this release now uses Inno Setup. Inno Setup reduced the size of the installer by around 1 MB. That doesn't sound like much but it is when you consider many downloads. It's also a modern and fast installer, so it works better on Windows 7.
Wednesday, July 20, 2011
Monday, July 11, 2011
DNS Tools - simple query (ipv4 to hostname etc.), Who Am I (shows your IPv4 address, hostname and DNS servers), Test Default DNS (takes IP address or hostname and asks each default DNS server for translation).
Ping - uses standard ICMP ping to contact an IPv4 or hostname.
Graphical Ping - uses standard ICMP ping to contact an IPv4 or hostname and it graphs the response times over time.
Traceroute - uses ICMP packets to show the route between your computer and a target computer.
Ping Scanner - uses ICMP packets to ping every IPv4 address between a start and ending IPv4 address.
Whois - shows basic whois information for around 70 domain extensions and IPv4 addresses.
These tools are simplified in comparison to NetScanTools Pro which means you don't have all the options available and you only get one mode of operation - for example traceroute is ICMP only instead of ICMP, UDP, TCP etc.
Have a look and enjoy!
Tuesday, June 21, 2011
So I looked at a couple of things. First I did a cursory check of the network settings with ipconfig. All appeared normal. Then I spent some time recompiling NetScanTools Pro while playing around with various options in the addrinfo hints structure passed into getaddrinfo. That was not fruitful. Nothing I did could make the getaddrinfo function return the AAAA record. I was seeing the 11004 WSANO_DATA error. So I put that aside and looked more carefully at the IPv6 networking subsystem.
Next I tried to see if it was NetScanTools failing or something deeper. So I tried using command line "ping -6 ipv6.google.com". This failed with a message effectively admitting that it couldn't resolve the hostname to an IPv6. Good - sort of. Next I tried the other way doing a "ping -6 2001:4860:b006::69". That came back with even more ominous wording "Ping transmit failed. General Failure.". But I could use both command line ping and NetScanTools Pro IPv6 Ping to contact Link-Local IPv6 addresses on my local network - as I should be able to do. The IPv6 routing table didn't yield any real clues either.
Using both NetScanTools Pro, ipconfig and various netsh command line things I was able to see that while isatap was active, I was not seeing teredo - I had seen it before when using command line ping and when using NetScanTools Pro. Teredo was what I wanted to try decoding with Wireshark. NetScanTools Pro showed me that Teredo was there but it had an admin status of 'Down'. So I tried various netsh commands to reactivate Teredo. They all appeared to work, but Teredo never reappeared in the list of hidden devices in Device Manager. I tried the solutions floating around on the internet for making sure IPv6 was active and getting Teredo to show up in Device Manager, but still no luck.
A little history might help. I had recently installed VMware Workstation 7.1.4 on that machine because it's a test machine and I needed lots of OS's available. Could it be that? I don't know for sure because I spent time on VMware forums looking for similar problems - but didn't see any. It could have been a Windows Update patch that turned off Teredo, but I just don't know for sure. The two VMware Virtual Ethernet Adapters both had link-local fe80 IPv6 addresses, so IPv6 wasn't entirely dead. AND of all things, I could start Windows Server 2008 in a virtual machine with all of it's IPv6 functions working perfectly including NetScanTools Pro. I did find this page dealing with firewall settings for Teredo and found that everything was OK: http://support.microsoft.com/kb/968510
So today I spent lots of time with the netsh commands. I used "netsh interface IP show config" to see all the interfaces similar to ipconfig. By doing a "netsh interface ipv6 show interface" I could see all the active connections. What was missing was Teredo. I used "netsh interface set interface teredo set state default" to make sure it was there and it answered OK. But still no Teredo. Then I found this interesting command "netsh interface IPv6 show teredo". It said the State was 'offline' and the Error value was "client is in a managed network". Progress. Big progress.
So I put that error string into google and found a reference to this blog: http://blogs.msdn.com/b/p2p/archive/2007/03/22/teredo-and-the-pnrp-global-cloud.aspx
Essentially Teredo detected (incorrectly) that the machine was in a corporate environment - this is probably due to multiple OS's and several switches being active with all their chatter. So the fix was to use "Netsh interface teredo set state enterpriseclient". Once I did that, there was no need for rebooting or anything. "netsh interface IPv6 show teredo" now showed the correct info like Local Mapping and External NAT Mapping. And all of a sudden both command line ping and NetScanTools Pro IPv6 enabled tools began to work again.
I guess the thing that bugs me is this: why is there this huge dependency on Teredo for IPv6 in Windows 7? If I ask for a name resolution using getaddrinfo with a hint of AF_INET6 I EXPECT a response if AAAA records are coming back from the default dhcp assigned system DNS. It shouldn't matter that IPv6 is fully enabled on the system using Teredo or anything else. So my workaround will be to write EXTRA CODE to resend an AAAA or PTR record request from my own private resolver on failure of getaddrinfo because I can't trust it. I hope someone at Microsoft reads this and helps me understand why it was behaving this way.
All I wanted to do was try to decode Teredo traffic with Wireshark...
NetScanTools Developer and Sharkfest '11 attendee
Sunday, June 12, 2011
Please visit http://www.switchportmapper.com/ to download the free 30 trial. If you need a trial period reset code, please contact our sales dept.
Wednesday, May 25, 2011
Thanks to Mini Swamy, a contributing editor for TMCnet.
Thanks Kevin! You can follow Kevin on twitter@kevinbeaver
Wednesday, May 18, 2011
Tuesday, May 10, 2011
-Added the ability to send notification emails through secure email servers using TLS. This allows you to send notifications through a number of services including Yahoo, Hotmail and Gmail. Examples are in the help file.
-Updated the program icon.
-Renamed Setup to Settings. This is a more commonly understood term for the program settings.
-Added button to select a minimal set of columns in the Settings/Program Control/Edit Column Visibility window.
-Added logic to define a minimal set of columns in case all saved columns are invisible.
-Reformatted and revised help file.
If you have the unlocked version of ipPulse, please download and install over the top. Also, be sure to test sending an email before actually running ipPulse against a list of IPs. Turn on SMTP logging while you do the test so that you can see what's happening.
ipPulse 1.80 is here:
Thursday, April 21, 2011
Please be sure to explore the new features like sending RAW ethernet packets. This is cool because you can craft and send anything you want - malformed packets or OK packets. SNMP also now supports version 3, there is a completely rewritten Connection Monitor, a Routing Table tool and more. Don't forget to use the 'Add to Favorites' checkbox on each manual tool. That way you won't be scrolling through tools looking for your favorites.
Friday, April 8, 2011
New Interface - completely update and it is still an 'outlook' style interface, there is a left panel control bar and tools appear on the right side. This new interface gives us the ability to bring back 'Favorites' - something that was present in the old 'tabbed' interface of the earlier versions of NetScanTools Pro. You can see a slideshow of it in the screenshot section of the product grid on http://www.netscantools.com/.
The goal of this release was to enhance yet simplify by clearly showing the intended use of each tool. This meant that some tools were split into two parts, for example the ARP tool became the ARP Cache Tool and the ARP Scan Tool. Some tools and things within tools were renamed to conform to industry standard conventions, for example 'Setup' was a more common term when NetScanTools was first released, but now 'Settings' is more common and better understood.
New Tools - Connection Monitor, MAC Address to Manufacturer, Network Interfaces - Wireless, Routing Table - IPV4, and SNMP Scanner Tool.
Additions to current tools:
DNS Tools - Core now has IPv6 Simple Query lookups, Get Basic DNS Records now retrieves the IPv6 AAAA records, we added Flush Default DNS Cache and Edit DNS HOSTS File.
DNS Tools - Advanced has three new tools, IPv4 or Hostname to ASN, Get VOIP SRV Records and Get Misc SRV Records.
Packet Generator now supports sending ARP/RARP packets and RAW packets. RAW packets means that you craft the whole packet from the destination and source ethernet header MAC addresses all the way to the end. And we've added a new tool to help you do that: a Hex Editor.
Ping now supports IPv6 addresses.
Ping Scanner (AKA NetScanner) has the ability to translate IPv4 addresses using either the Default System DNS or a specific DNS. We also added Scan Delay Time to slow it down if necessary and added a way to import an IPv4 list into it. To simplify results, we made the columns dynamic in other words they appear and disappear according to the additional scan tasks settings.
Port Scanner was completely rewritten and works much better than the v10.x predecessor. It's much faster and more accurate. We've added a section for scanning commonly used ports and there's an editor for that list in case you need to change it.
Promiscuous Mode Scanner adds the Multicast Address 3 test.
Service Lookup replaces the old Database Tests.
SMTP Server Tests now supports STARTTLS and you can select the Protocol (TLS1, SSL2, SSL3), Algorithm (DES, 3 DES, MD5, RC4, SHA) and Minimum Key (40-256 bit) Preferences (not all settings are supported in all operating systems).
SNMP was split in two for clarity, Core and Advanced. It now supports all modes of SNMPv3 (you may need to obtain the OpenSSL libeay32.dll for support the authPriv encrypted mode - we cannot distribute that). We have added WalkBulk, GetNext and GetBulk to the Core tool. The Advanced tool has a launcher for both the Dictionary Attack Tool and the new SNMP Scanner Tool. The Dictionary Attack tool is much faster than before in terms of loading a list of IPs and clearing the display.
Whois now supports IPv6 input queries and if you enter a domain, we attempt to do an IPv6 and IPv4 address resolution on the 'www.' prefixed hostname. History buttons have been added so that you can view previous whois queries made during the current session.
This brings us to overall design considerations. Favorites was a common request during the lifetime of version 10. It was not easily done in version 10, but it was a priority goal in version 11. You can now check a box on each manual tool to add it to the left panel Favorites group. As in NetScanTools LE, we now have a mandatory results database. This is required so that we can bring up historical reports from each tool both manual and automated. Automated Tools was completely rewritten. The Automated Tools use an engine to operate each manual tool given the input and the results are saved to the database. In previous versions, the Automated tools were actually a duplicate of the manual tool that did the same action - not efficient. Running more than one tool at a time is important to some customers, so this new program shell gave us the methods for doing so. As in 10.x, reports are shown in the web browser - the database gives us the method to be able to show old reports from other sessions. The left panel now has tool groupings like DNS Tools, Packet Tools etc. This helps users find tools they need quickly. IPv6 will be a focus of version 11. We have some support in there now, but as version evolves, more IPv6 compatibility will be added - stay tuned!
Please review the video and image gallery on the main netscantools.com page. More information will be posted shortly along with new images and videos.
Tuesday, March 15, 2011
In January an enduser pointed out to me that every time he tried to use the Real Time BlackList tool in NetScanTools Pro, he got an SQLite error message about the database being 'read-only' - it could not be opened. The software was installed on Windows 7-64 bit and NetScanTools Pro is operating at 'asInvoker' privilege which is normally USER privileges.
After doing the usual tech support routines by checking file properties, I was stumped - until yesterday when I was able to duplicate it on two Windows 7 machines.
The SQLite database is copied into our own directory created at install time under c:\ProgramData which is the common user data area. The thought was that any account using the program would be able to access the database. That was the idea. It's not the only database we put in there and the others were opening fine so I set out to find out why.
The only thing different about this database is that it has the pragma "AUTO_VACUUM" set. It appears that with AUTO_VACUUM SQLite moves freed pages around within the tables. This requires write privileges. SQLite error messages should do more than simply state that the database is read-only by checking the file ACLs given the calling process account privileges then stating the incompatibility with the current AUTO_VACUUM state.
To see the file access privs on an account level, you have to go into our C:\ProgramData\NWPS\NetScanToolsPro common user directory and do an "icacls *.*" on the command line. You will see that indeed user level privileges (BUILTIN\Users) only have (I)(RX) - inherit, read, execute privileges while the other higher level accounts have (F) full privileges. Since AUTO_VACUUM requires write access to the database to make changes, it will not have the proper privs for a user level account. So, yes, opening the database fails (I just don't think the message is good enough).
So now, how to fix it. Recreating the database with AUTO_VACUUM off fixes it. But what if you need to write (as a USER) to the Real Time Blacklist database using the tool we provide to edit the database? You can't because the administrators group are the owner.
The solution is to change the directory and file ACLs. I did this by modifying the installer to call a function of my own design which applied FULL access privs (grfAccessPermissions=GENERIC_ALL) to grfInheritance=SUB_CONTAINERS_AND_OBJECTS_INHERIT at our NWPS\NetScanToolsPro directory level. If that is done and you do the icacls command, all files in that directory show the "Everyone:(I)(F)" which means that every account can fully access the files and that includes our SQLite database that we couldn't open. You have to use AllocateAndInitializeSid, SetEntriesInAcl, and SetNamedSecurityInfo so accomplish this. You have to do this in the installer because it is running at admin privileges.
To summarize, if you have a program running Windows 7 or Vista at USER level that needs to access an SQLite database with write privileges contained in the C:\ProgramData common user directory that was not created by your program - you've got a problem. And that problem is even worse if it has AUTO_VACUUM enabled. You have to modify the file access privileges to FULL control in order to allow SQLite to operate on the database correctly.
Thursday, March 3, 2011
Applies to: NetScanTools Pro, NetScanTools LE, NetScanTools Basic, NetScanTools Standard (obsolete).
It’s actually pretty easy, but how you enter the top level domain makes all the difference in the world. Examples of a top level domain are: .uk, .com, .nu, .se, .ca etc.
How to do it:
1. Switch to the DNS Tools – Core tool or on older software, the Name Server Lookup tool.
2. Enter the DNS you are going use under Advanced Query.
3. Select the NS record type, you may have to go into AQ Setup or Setup to do this.
4. Enter the top level extension in the IP/host/domain entry area. The correct method is to enter the extension followed by a period: ca. or uk. or com. –if you leave off the period or put the period before the extension, the query will fail.
5. Press NSLOOKUP.
Results will look like these two examples, the first for .ca (Canada) and the second for .se (Sweden):
NSLOOKUP Starting Timestamp: 02/24/11 14:49:37
Command line equivalent: "nslookup -recurse -type=NS ca."
Looking up [ca.]
DNS Name: 184.108.40.206
IP Address: 220.127.116.11
ca NS nameserver = f.ca-servers.ca
ca NS nameserver = e.ca-servers.ca
ca NS nameserver = j.ca-servers.ca
ca NS nameserver = a.ca-servers.ca
ca NS nameserver = c.ca-servers.ca
ca NS nameserver = m.ca-servers.ca
ca NS nameserver = l.ca-servers.ca
ca NS nameserver = z.ca-servers.ca
ca NS nameserver = k.ca-servers.ca
ca NS nameserver = sns-pb.isc.org
Server Response Time = 0.117 seconds
NSLOOKUP Starting Timestamp: 02/24/11 14:54:34
Command line equivalent: "nslookup -recurse -type=NS se."
Looking up [se.]
DNS Name: 18.104.22.168
IP Address: 22.214.171.124
se NS nameserver = d.ns.se
se NS nameserver = e.ns.se
se NS nameserver = c.ns.se
se NS nameserver = a.ns.se
se NS nameserver = b.ns.se
se NS nameserver = g.ns.se
se NS nameserver = h.ns.se
se NS nameserver = i.ns.se
se NS nameserver = f.ns.se
se NS nameserver = j.ns.se
Server Response Time = 0.430 seconds
What you see in the two examples above are the authoritative name servers for the root domains.
Here are the release notes.
-Improved messages that show if writing to a registry location fails. They now suggest escalating the privileges by starting the program with 'Run as administrator'.
-All temporary snmp files are now removed on program exit.
-Improved handling of WinPcap interfaces where both IPv4 and IPv6 addresses are bound to the interface. Affects several programs.
-Internal changes to DNS Tools resolver.
-Port Scanner and NetScanner (Ping Scan) now show warning messages if privileges are not sufficient to run UDP scan and Subnet Mask test respectively.
-Updated SQLite to version 3.7.4.
-Updated database files.
Thursday, February 17, 2011
I was using Wireshark today checking on the operation of the NetScanTools Pro v11 port scanner when I noticed something weird. Every 10 seconds a set of regularly spaced AAAA record queries were going to my ISPs DNS (default DNS for this system). The AAAA queries were all for 'mycomputername.domain.actdsltmp' and each time the DNS would respond back with 'no such name'. So I started closing down the browser and all the open programs - no change, the queries continued. Since this amounts to DNS harassment and a waste of bandwidth, I decided to find the cause. The 'domain.actdsltmp' part of the request is there because we have an Actiontec GT701 that provides that to my computer as a default domain name.
I could not find a way to shut it off short of uninstalling IPv6, so I did a nice workaround that works well. I added these two records to my hosts file using NetScanTools Pro - you can use something else if you want, it's just a text file. The first record is for IPv4 and the second for IPv6:
The purpose of those records is to intercept outgoing DNS queries before they happen. This is because Windows DNS queries start with the hosts file, then failing to find the mapping in there, the actual outgoing DNS query is made to the default system DNSs.
Those two records tell whatever is asking for those hostnames that the loopback addresses (IPv4 and IPv6) are the addresses to use. This makes sense anyway because it's asking for a translation of your own computer name.
Tuesday, February 15, 2011
Beta 3 represents many changes based on the input of beta testers. Thanks to all who are helping!
Thursday, February 3, 2011
1. If you are scanning a range of IPs that include Windows computers with active NetBIOS or SMB Windows computer name access - please - -please - please make sure that the checkbox labeled "Delete NetScanner Temporary Files on Exit" is checked. See NetScanner/Ping Sweep Setup.
2. If you see what you know is the wrong hostname for an IP, first press the Edit Hosts File button and see if the IP is in there. If it is, edit it out and make sure the Add Responding IPs to Hosts File box is unchecked. If the hosts file is not the problem, you need to review DNS. NetScanner uses the builtin resolver in Windows to resolve IPs to hostnames using DNS queries, if those fail a node status request is sent directly to the target to try to get the Windows hostname. Switch to the DNS Tools - Core tool and enter the IP that has the wrong hostname. Then press Test Default DNS. This tool does a direct PTR query to all the DNS's used by your computer. Look for two or more PTR records showing different hostnames. If you see it here, then the problem is in DNS. If the IP does not have PTR records in DNS, then go back to NetScanner and double click on the IP in question to view the NetBIOS/SMB information returned during the scan. You may see the incorrect hostname in the NetBIOS response. If so, then make sure #1 above is implemented - if not, exit the program, restart and rescan.
3. Keep Add responding IPs to hosts file unchecked. It is an artifact of an earlier version of NetScanTools and is no longer relevant in today's systems.
4. If you are looking for MAC addresses, please make sure Retry Send ARP is checked and Get NetBIOS Info is checked. The first one uses ARP to get MAC addresses if you are on the same subnet. The second one queries Windows computers throught the NetBIOS/SMB protocol to obtain MAC addresses. Remember MAC addresses in an IPv4 network are not routed.
5. If you want to ping a set of non-contiguous, random IPs, please create a list of IPv4 address, one per line and save it to a text file. There can be no other information in this file, only the IP addresses. On NetScanner/Ping Sweep, press Load Targets, then Load Text File. Navigate to the IP text file and open it. Now press Start NetScan and answer Yes to the question about scanning the list. You may want to go into Setup and uncheck the box labeled Enable Post-Sweep Delete of Nonresponding IPs - it's up to you.
Tuesday, January 18, 2011
So the first thing I did was go to their website based on the email address. Oops! just a standard Windows Lives template - STRIKE ONE!
Next I did a whois on the domain, the name matched the name on the fax but - STRIKE TWO!! - the domain was registered just yesterday and domain privacy is enabled. Now I'm curious.
So I went to Google maps and put in the address and did a street view. Turns out it is a residential street with older one story inexpensive small ranch houses - STRIKE THREE!!!
Next I went to the State of Washington business lookup database and found there is no legal business registered by that name - STRIKE FOUR!!!! (anybody from the state of WA listening?)
Just for good measure I did some additional google searches and found out this person has registered 104 domains - STRIKE FIVE!!!!!
The fax wanted availability of items, pricing, method of payment and contact person (name, phone...) - this gives the phisher a name and possibly an email for their database - if they are a phisher. They wanted the quote faxed back, which gives them a verification that the original fax number (mine) was good and possibly a new fax number as part of the fax back of the quote.
What are they doing? good question. Are they looking for additional contact info to build or verify their sucker list of fax numbers, email addresses, names and phone numbers? Who knows?
Phishing or fishy? definitely fishy if nothing else.
Friday, January 14, 2011
I spent a good deal of time this week looking for a better solution. I looked at storing the registration information in a common area, but that presents it's own problems. I found a suggestion on a forum that made sense and worked: Create the registry key in HKLM with read/write permissions for the EVERYONE group during installation. Why during installation? Because when an installer is run, it is run at higher privileges (administrator) than a normal user has.
So I have now modified the methods used to create the HKLM key during running of the installer so that the key has read/write privileges. This has been tested on all versions of Windows that NetScanTools Pro v10 supports: 7 down through 2000, also on Server 2003 and 2008. Now any privilege level user should be able to complete the registration process without a problem. You still need admin privs to install the software - I can't change that.
Along the way I learned a bit about SID, ACE, ACLs, security descriptors and how to apply them to registry items using SetSecurityDescriptorDacl, RegCreateKeyEx and RegSetKeySecurity. Complicated.
The installer for NetScanTools Pro v10.98.1 was modified to include this change and published on Jan 13, 2011 at 3:53pm Pacific Time.
Tuesday, January 11, 2011
The SNMP engine was upgraded to v5.5. The complete effects of this are unknown, but may help out some mappings due to different SNMP implementations. I've been using this version of the SNMP engine for several months in the development of NetScanTools Pro v11.
The SQLite DLL was upgraded to 3.7.4. SQLite is arguably the most widely distributed non-client/server database engine. It's in your iPhone, Firefox and more.
Other changes were also important but less recognizable. We had one user who had problems with the Switch Port Mapper hanging up. Together we found that it was a corrupted snmp.tmp file. This new version deletes that file automatically when you exit the software and also deletes the html report .tmp file.
Another user had a strange problem a couple weeks ago and it was what accelerated this release. Someone at his university had a MAC with a dynamically updated DNS name of "John's MAC" (with the double quotes). First of all DNS names are not to have single quotes or spaces in them - it is a violation of DNS RFCs - why the DNS accepts them I have no idea. When our software tried to execute the SQL command with that extra quote, it failed because single quotes are used to define strings in SQL. So now our software removes single and double quotes returned by DNS.
The final important change was to the way VLANs were handled. The change corrected the VLAN results shown when you map a Cisco Small Business SF 300-08 switch. Previously there were 'extra' VLANs noted like vlan 0 which doesn't exist.
In case you are wondering, the Managed Switch Port Mapping Tool is Windows compatible software used to discover MAC and IPv4 addresses of devices connected to an SNMP managed network switch. If any of this interests you, please visit http://www.switchportmapper.com/ or http://www.netscantools.com/spmapmain.html
Thursday, January 6, 2011
The methodology of shortened URLs is fairly straightforward. When you access the shortened URL, the shortened URL provider's web server sends back a HTTP 301 Moved Permanently message with the new location URL. You can clearly see it in the two examples below - I used NetScanTools Pro's URL Capture to grab the text. Your web browser will not show these hidden headers and it will act on them before you have a chance to think about the final target URL. That's why I used the tool in NetScanTools Pro - it grabs only the text and does not accept anything else like scripts or images.
This first methodology used by tinyurl.com is the simplest. It only sends back the 301 redirect message.
Starting Timestamp: 01/06/11 22:06:18
Input URL: http://tinyurl.com/37dnopw
Web server IPv4 address: 126.96.36.199
***###Received Web Page text begins after this line###***
HTTP/1.0 301 Moved Permanently
X-tiny: cache 0.00097513198852539
Date: Fri, 07 Jan 2011 06:05:40 GMT
The next methodology used by the bit.ly URL shortening service is a bit more involved. Not only does it send back the HTTP 301 moved message, but they also provide a web page with the embedded redirected target link just in case the web browser does not follow the 301 command.
Starting Timestamp: 01/06/11 22:06:40
Input URL: http://bit.ly/i9TxQY
Web server IPv4 address: 188.8.131.52
***###Received Web Page text begins after this line###***
HTTP/1.1 301 Moved
Date: Fri, 07 Jan 2011 06:06:01 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: _bit=4d26ad49-003c1-00673-b3a08fa8;domain=.bit.ly;expires=Wed Jul 6 02:06:01 2011;path=/; HttpOnly
Cache-control: private; max-age=90
...web page omitted...
There are plugins for Firefox and other browsers which do that first step of contacting the URL shortening server, then they present the final target to you - and it's your decision as to whether to continue. I have showed the mechanism and how to use our software to see this. Not only is this text only URL capture tool in NetScanTools Pro, it is also in NetScanTools LE (law enforcement).
This release was posted around noon today and it includes the following changes:
-Notes field can now accept much more information than in previous versions.
-Packet Capture now parses spanning tree protocol, hp switch protocol and makes sure WinPcap uses the interface IPv4 address in the event that IPv6 is also enabled on the computer.
-updated left panel control icon images.
-Updated dates to 2011.
-Updated SQLite DLL to version 184.108.40.206.
-Updated database files.
Wednesday, January 5, 2011
NetScanTools Pro 10 only writes to one specific portion of HKLM and it only does that when you complete your registration (Validate and Save) or if you change your Maintenance Plan expiration date or Email Address using About/Edit Maintenance Plan. If you try that on Windows 7-64 with normal administrator or user privs, you get an error that it cannot write to the registry. It does not write to HKLM in the normal course of program operation, registry writes are done to HKEY_CURRENT_USER (HKCU).
The next release 10.98.2 will address this by giving a much more descriptive message explaining that in order to complete the task, you have to exit and restart with 'run as administrator'. It will also have some other changes to address some things we recently learned about the SNMP toolset.
We are working on 10.98.2 and should have it done shortly.