Sunday, January 31, 2010

Is the economy getting better?

Maybe. We send out a newsletter once a month and for the end of 2008 and all of 2009, we've had between 10-20 or more email bounce backs each month. While some of those could be bounced back for other reasons, our assumption is that the person is no longer at their job. Keep in mind that most of the email addresses in our list are business addresses and not personal home email addresses.

So a few days ago I sent out the January 2010 newsletter and I only had 3 'user unknown' email bounces. December 2009 was under 10, but only a little. A definite improvement.

Here is the January 2010 newsletter if you are interested:

I guess I could call this the "Email Bounce Economic Index".

Saturday, January 16, 2010

NetScanTools (tm) Basic Edition 2.0 Released Jan 14, 2010

This update to the Freeware Basic Edition changes the layout of the left control panel to make it less confusing. I also added the registered trademark notice for NetScanTools. The SQLite DLL to the latest version as was the whois database it works with. The biggest change was a switch to Inno Setup away from the old Wise installer. This reduced the size of the final installation .exe nearly 1 MB and it gives full compatibility with Windows 7. Speaking of Windows 7, NetScanTools Basic is fully Windows 7 compatible.

You can get NetScanTools Basic 2.0 here.

Friday, January 15, 2010

NetScanTools LE 1.10 Released 1-12-2010

We released NetScanTools Law Enforcement (LE) v1.00 on Jan 1 and we quickly heard from our friends at a government training center that they would really like to have a basic packet capture tool in it.

We had planned on putting in Packet Capture for the purpose of showing that the evidence in the reports could be substantiated and validated if required. The Packet Capture tool is currently independently run from the main program, so in order to validate your work, you would need to start it before you work on a task. That way you would collect the same packet information and save it. The Packet Capture trace file MUST be saved separately when you are done with your tasks, this is not automatic at the moment.

Packet Capture files are 100% Wireshark compatible, so if you need to show a chain of communication in the process of retrieving information from external network sources, you can do so using that free packet analysis tool. Our Packet Capture tool has a basic packet viewer so you can see the contents of the packets and search for something within a packet.

At some point the Packet Capture tool will be better integrated. Maybe in the next version.

You can read about NetScanTools LE and download a 30 day trial here:

NetScanTools LE v1.10 was released on Jan 14, 2010.

Monday, January 11, 2010

SNMP Scanning

What do we mean by SNMP Scanning? For the purposes of this article, it means scanning a range of IP addresses to see what devices are running SNMP servers. Some people call this SNMP Community Name guessing or bruteforcing.

What is SNMP and what is it used for? SNMP stands for Simple Network Management Protocol. It's used by network devices like routers and switches to report information about the device. Even a Windows computer can be made to divulge information using SNMP! (Windows does not install it by default). This information can be device information like temperature, packet counts or packet statistics or even IP addresses of devices connected to the device. The info is arranged in a heirarchical order somewhat like directories on a hard drive.

SNMP comes in 3 flavors or versions: 1, 2c and 3. Most devices support 1 and 2c, while newer devices will support v3 and usually have backwards compatibility with versions 1 and 2c. Versions 1 and 2c are very similar and report data to a client if the client includes a simple plain text password-like phrase called a 'community name'. We're going to limit our discussion to v1 and v2c.

SNMP usually runs on UDP port 161. Some people like to put it on an alternate UDP port to avoid what we are going to do in this article. Since it's a UDP based protocol, there is no full connection, so when we talk to an SNMP server it won't respond to us unless the question we are asking is correct. There are two essential parts of the question: the MIB item we are asking for and the community name (password) to get it. Both have to be correct to get a good response.

Back to the point of this article. How do you find the devices in your network running SNMP? One way is to do a Port Scan of every device in the IP range on port 161. This might work, but since SNMP is UDP you are depending on the targets returning an ICMP Port Unreachable message to you if the device is NOT running SNMP. This is a lot to ask, especially if the devices have a firewall or are set to not reply with ICMP. You run the risk of lots of false positives with port scanning.

Another way is to use a specialized tool called SNMP Dictionary Attack which is part of NetScanTools Pro. This tool can make an SNMP query to each IP address and it can send known or common community names to the devices. If you are a network administrator, you already know what the community names of your devices are, so here's a shortcut that you may want to try (if not, then skip this). Locate dctnry.txt in your NetScanTools Pro installation directory and open it with notepad. Enter your common community names at the beginning of the list, one per line and save it (we are going to improve this soon).

Using NetScanTools Pro to scan for SNMP servers on devices. Start NetScanTools Pro and locate the SNMP tools under the Tools left panel group. Select Dictionary Attack under the dropdown list labeled Select SNMP Action. Press Perform Action (no other settings are necessary). This opens the tool.

Now press the Target List Editor button on the left panel to open the editor. You can do one of several things here. You can enter IP addresses one at a time or you can define a range of IPs or you can import a list of IPs. The bigger the list, the longer the scan takes - recommend 256 or less IPs. Once you have created your list press OK and then press Setup. In Setup you can define the SNMP version(s) you want to use. If you choose both v1/v2c, it takes twice as long to scan. You can also adjust the time to wait for an SNMP response. Once you are satisfied with the values, press OK and now we are ready. Put the 'Attack Speed' in the middle range and press the 'Attack' button.

The scan proceeds with the results being presented in the grid as they are found. If the device responds to the SNMP queries, you will see 'Community Name Found' along with the community name, version and system name. If not, you will see 'No SNMP on this device' if an ICMP message came back. You may also see a definitive 'No route to device' if you are on the same subnet as the device. If you edited the dictionary list first, this process will go pretty quickly if you are on the same subnet, but it may take awhile if you are scanning devices outside your subnet.

You can watch the scan status on the lower bar. This tool will work best on the same subnet as the devices, but it is not limited to that subnet (the demo version is limited to the local subnet). While you watch it scan, if the device status is blank, it will continue to try community names until it exhausts the list or the device responds.

When you are done or when you feel the scan has gone on long enough, you can review the results. You should be able to see which devices are running SNMP and their community names.

This is a brute force password guessing tool that will show SNMP responses if the device is running SNMP and you have the correct community name. It scans a list of IP addresses and tests them with multiple SNMP queries in an attempt to get a response. It can take awhile and the community name may not be in the dictionary, so you may not be able to find the community name. We have created a fairly comprehensive list and it does cover many common passwords like the default 'public' and 'private'. Try out the tool in our demo or if you have the full version, give it a try. The demo is here:

As with all scanning tools, we must warn you that your actions may be construed as hostile and may violate local laws. So you need to limit your scans to your own systems or have the permission of the IP address range owner before scanning. There will be lots of traffic directed toward the SNMP port, so intrusion detection systems (IDS) will see it. This is not a stealthy scan operation.

Friday, January 1, 2010

NetScanTools LE Released!

January 1, 2010

Northwest Performance Software, Inc. announces the release of NetScanTools LE 1.00. LE = Law Enforcement.

NetScanTools LE is an Internet Information Collection tool that gives you reports about an IP Address, Hostname, Domain Name, Email Address or URL (web address). This is NetScanTools designed especially for Law Enforcement. We asked our Law Enforcement NetScanTools Pro users what tools they really needed. We took their favorite tools, streamlined them into a new interface and made the program 'case' oriented. And 'case' oriented means that all your queries are documented, time stamped and saved automatically. Reports are direct and to the point. There are no distractions in the reports - you get the results you need, not fancy logos.

For more information and to request a 30 day trial, please visit:

Kirk Thomas

Happy New Year!

Wishing you a good and prosperous 2010!