Wednesday, December 7, 2011

Recent Software Releases

We have put out several new releases in October, November and December. Let's start with the Managed Switch Port Mapping Tool. We released 1.99.6, 1.99.7, 1.99.8 and we are now on v1.99.9. These new versions address issues recently found during our work on v2.0 and we added some new minor features.

We also released ipPulse v1.81 and v1.82 in that same timeframe. The most important changes were in the secure email sending section of the program.

NetScanTools Pro was also updated with a minor release 11.11 back in October. There will be one more release of it before the end of the year.

The new IPv6ScopeFinder program was also released back in October. It's free so try it out if you use IPv6.

-Kirk

Tuesday, October 18, 2011

IPv6ScopeFinder

What? It's a new freeware tool designed to quickly help you locate the right Scope ID to use when trying to send packets to a neighboring link local IPv6 address. For instance, you could use it to find the Scope ID when you need to use command line ping to find out if IPv6 is working on the workstation across the room. I'm talking about the part of the link local address after the percent sign: fe80::11:22:33%6, where '6' is the Scope ID of the network interface on your machine that is attached to the same link as the machine with the IPv6 address fe80::11:22:33.

Read about it and download it here.

Friday, October 7, 2011

IsThreadDesktopComposited prevents program startup

Problem: a NetScanTools Pro v11.10 user emailed with a strange problem. He could not get NetScanTools Pro to start on Windows XP sp3, instead he would get this message: "Entry Point Not Found. The procedure entry point IsThreadDesktopComposited could not be located in the dynamic link library USER32.DLL."

The first thing I did was use Dependency Walker to see if our program called that entry point in user32.dll. It did not. So I searched online and found the answer.

Apparently some misguided installers are putting a Vista file, the Desktop Window Manager library dwmapi.dll, into the Windows XP Windows\System32 directory. That file does not belong on XP: the Vista copy imports IsThreadDesktopComposited from user32.dll, an export that XP's user32.dll does not have, so the loader fails with the 'entry point not found' message as soon as any program pulls dwmapi.dll in. Programs like NetScanTools Pro v11 are affected because their runtime libraries load dwmapi.dll by name whenever the file exists, even though the program itself never calls that function (which is why Dependency Walker showed nothing). Some people have noticed this happening after a Windows Live Messenger or Mail upgrade but I have not independently confirmed this.

Solution:
1. locate dwmapi.dll in the windows\system32 directory
2. rename or remove it
3. reboot to be sure it's unloaded from memory

Friday, September 16, 2011

IPv6 on Windows XP

Back on June 21 I posted about the IPv6 Teredo interface not working on Windows 7 and how to correct this using command prompt netsh commands.

Just in case anyone is having the same problem on Windows XP, here is the solution for it. The problem is the same, the commands are slightly different.

Command for showing the teredo interface state:
netsh interface ipv6 show teredo

If it says the state is offline with error of none, try this:
netsh interface ipv6 set teredo enterpriseclient

That should do it. Teredo had decided, incorrectly, that your computer was on a managed (enterprise) network, where the default client type stays offline; enterpriseclient tells it to qualify with the Teredo server anyway.

Thursday, September 15, 2011

Looking for a Packet Flooder?

Check out the video on youtube after you read this post.

We have noticed that many people looking at our Packet Generator got there because they were looking for a 'Traffic Generator' or a 'Packet Flooder' - but found that the Packet Generator is really not capable of filling an interface up to the bandwidth they want. They now have their wish. And it works with IPv4 or IPv6.

NetScanTools Pro v11.10 (not released yet) has a new tool called 'Packet Flooder'. It can generate UDP packets at a very fast rate using multithreading. The packet payload can be either random numbers or alphabetical 'abcdefg' etc. The payload length can be random or fixed. The target port can be random or fixed.

Another new thing you may notice is the bandwidth gauge and historical chart. You are going to see more of these in future versions. The gauge shows the real time bandwidth utilization and the historical chart shows it over time.

Enjoy!

Saturday, September 3, 2011

Labor Day Sale

This weekend and through Tuesday Sept 6, 2011 we are having a Labor Day Sale. The biggest discount is NetScanTools LE - 62% off. So instead of $129, it's now $49 this weekend only. We also have a 25% discount on NetScanTools Pro installed or USB, the Managed Switch Port Mapping Tool, ipPulse and the Pro/Switch Port Mapper bundle.

Drop by http://www.netscantools.com/labordaysale.html and check out the savings.

Have a great holiday weekend!

Friday, September 2, 2011

IPv6 Link Local Addressing

As I've been working on adding IPv6 capabilities to NetScanTools Pro, and with link local addressing in particular, I have learned some interesting things. In the IPv4 world if you want to ping an address or connect to a computer on your local network, the software can easily find out the best interface (if you have more than one) to send packets out of to the other computer - all you have to do is supply the IP address. It does this using the routing table and ARP.

In IPv6, it's not quite so easy. In Windows or any other OS you will often have two or more interfaces capable of talking IPv6, and every one of them has a link local address in fe80::/10. The address alone therefore does not say which link it belongs to: two devices on two different segments can legitimately have the same link local address, there is no netmask-style rule to pick the segment the way an IPv4 address and subnet mask do, and link local addresses are never routed, so the routing table cannot answer the question either.

Essentially you have to tell the software you are using which interface to use to reach the link local address. If you have one interface to your switch and all the other devices are on the same VLAN, then it's pretty easy. You do this by appending %# to the address, where # is the IPv6 interface index in Windows - also called the Scope ID (or zone ID). Unix derived operating systems use the interface name instead of the index: %eth0 on Ubuntu, %en0 on OS X Lion.

How do you know which interface to use? That's where you have to know your network. In my case, this particular XP machine assigns '6' as the Scope ID - you can see this using ipconfig /all. It could be any number, but it's usually a single digit. So to ping an IPv6 address you would enter something like "ping -6 FE80::3CC0:1%6" on the command line (no quotes). Or if you were using NetScanTools Pro v11 Ping Enhanced you would enter FE80::3CC0:1%6 as the target. If you leave off the %6 or change it to another number the software will not know which interface to send the packets out of. In NetScanTools Pro, you will see an error message. The command line ping will tell you the net is unreachable if you use the wrong Scope ID.
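The following is an added example (my own illustration, not NetScanTools code) of the scope handling this post and the IPv6ScopeFinder post above describe. It splits a target such as FE80::3CC0:1%6 into the address and the zone, refuses a link local address that carries no zone (the case that produces the 'net unreachable' or NetScanTools error above), translates a Unix interface name such as %eth0 into an index, and produces both the four-element sockaddr the socket API expects and the ping command line for Windows or Unix. The addresses and the interface index 6 are constructed for the example.

```python
"""Parse IPv6 link-local targets of the form address%zone and turn them into
what the socket API and the ping command actually need."""
import ipaddress
import socket


def parse_link_local_target(target):
    """Return (IPv6Address, scope) for `target`, raising ValueError when a
    link-local address arrives without the zone that selects the interface.

    Windows writes the interface index itself ("%6"); Unix-like systems use the
    interface name ("%eth0", "%en0"), which socket.if_nametoindex() translates.
    """
    addr_text, sep, zone = target.partition("%")
    addr = ipaddress.IPv6Address(addr_text)  # validates the textual form
    if not addr.is_link_local:
        return addr, None  # global addresses are routed normally; no zone needed
    if not sep or not zone:
        raise ValueError(
            f"{addr} is link-local: append %<scope id> to choose the interface")
    if zone.isdigit():
        return addr, int(zone)
    try:
        return addr, socket.if_nametoindex(zone)  # "%eth0" -> interface index
    except (AttributeError, OSError) as exc:  # no such interface on this host
        raise ValueError(f"unknown interface {zone!r}") from exc


def is_valid_target(target):
    """True when `target` can be sent to as written (zone present if needed)."""
    try:
        parse_link_local_target(target)
        return True
    except ValueError:
        return False


def sockaddr_for(target, port):
    """AF_INET6 sockaddr tuple (host, port, flowinfo, scope_id); scope_id is the
    interface index, 0 meaning 'not applicable'."""
    addr, scope = parse_link_local_target(target)
    return (str(addr), port, 0, scope or 0)


def ping_command(target, windows=True):
    """Command line that pings `target`, keeping the zone on the address."""
    addr, scope = parse_link_local_target(target)
    host = str(addr) if scope is None else f"{addr}%{scope}"
    return f"ping -6 {host}" if windows else f"ping6 {host}"


if __name__ == "__main__":
    for t in ("FE80::3CC0:1%6", "2001:db8::1", "fe80::1"):
        print(t, "->", ping_command(t) if is_valid_target(t) else "needs a scope id")
```

The sockaddr tuple is where the zone ends up on every platform: a bare `("fe80::3cc0:1", port)` pair leaves scope_id at 0 and the kernel has to guess the interface, which is exactly the ambiguity described above.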

Just a few things I've learned about IPv6 link local addressing.

Wednesday, August 17, 2011

Installing Wireshark on a USB flash drive with NetScanTools Pro

You may or may not know it, but Wireshark (www.wireshark.org) also comes as a portable version that you can install on a USB flash drive. I did a tutorial video on how to install it on a USB flash drive. I also show how to link NetScanTools Pro 11 to Wireshark so that you can launch Wireshark from within NetScanTools Pro. Pretty cool. They can both live on the USB and be fully portable, no installation required.

It's on youtube and will be on the videos section of netscantools.com soon.

http://www.youtube.com/watch?v=ZAhnuZiOSR0

Kirk

Friday, August 12, 2011

NetScanTools (r) Basic Edition 2.2 Released August 11, 2011

This new release of NetScanTools Basic has some user interface cleanup and adds a link to signup to be notified when a new release is ready.

The tools are still the same in this release.

We have some fascinating plans for v3 - but I can't talk about them yet.

Tuesday, August 9, 2011

Windows XP suddenly got real slow

Last Friday I was trying out GMER, a rootkit detector and remover on our oldest XP machine using IDE ATA/ATAPI disks. It seemed to work fine, but since there were lots of files, I stopped it after a couple hours. Then I noticed something: the cursor was 'jumpy' and the computer seemed a bit slow. GMER (http://www.gmer.net/) didn't find anything bad, but that was the only thing that I had used on the machine that was out of the ordinary. So I shut the computer down until Saturday evening. I started it up to do backups. The Acronis backup software claimed it was going to take 6 hours to do an incremental backup - it usually takes less than half an hour. What was going on?

I noticed that the cursor was still jumpy. Strange. I started Task Manager and saw that most CPU activity was in 'System Idle Process' so there wasn't any specific program hogging CPU time. So I ran a chkdsk from the command line. It was so slow I had to terminate it. More strangeness. I checked the event log and saw no errors - I was looking specifically for disk errors. Just to be safe I did a chkdsk /f and rebooted. Went away for an hour and XP was finally back up when I came back. But still the cursor was jumpy.

Next I used SysInternals (MS) Process Explorer and saw the real problem: Hardware Interrupts. Normally interrupts account for less than 5% of CPU time, but they were going up into the 90%+ range whenever any program touched the hard drive. This meant something was wrong with the hard drive itself or the interface. After a long search on Google I found the answer.

It turns out that Windows XP steps an IDE channel's transfer mode down one notch (Ultra DMA to the slower DMA modes and finally to PIO, Programmed I/O) each time it sees six cumulative timeout or CRC errors on the drive, and the reduced setting persists across reboots. By going to Computer Management/Device Manager I could see that the boot drive C: was in PIO mode. Apparently GMER hit the disk hard enough (combined with the age of the machine) that it had enough drive errors to lower it to PIO mode.

How to get it back to Ultra DMA mode: from Device Manager right click on the offending IDE channel (drive 0 in my case), then select Uninstall. Now restart. Sounds scary, but it's not because it does actually reboot OK. After it starts, it will ask you to confirm changes and it will restart again. Problem solved.

This process and a full explanation of what is happening can be found at:
http://support.microsoft.com/kb/817472 - don't bother with the hotfixes, they apply to earlier SP's, I had SP3. The section marked 'workaround' is the one I used.

I don't think I'll be using GMER on that particular machine again, but I've used it on other machines - no rootkits.

Monday, August 8, 2011

New Installer for NetScanTools Pro v10 Demo

Yes, I know your question - where is the v11 demo? not done yet.

For years we've been using the old Wise 9 Standard Edition Installer. As of today there is one less thing using it: the NetScanTools Pro v10 Demo now uses Inno Setup. This is a great installer and it produces an install file that's 7MB smaller than Wise while accomplishing the exact same thing.

I'll be converting the Pro v11 installer to Inno Setup soon. A little more involved than the demo, but not impossible. Once that's done, the only thing using Wise will be the patch for the USB. I don't have a good replacement for that yet. Suggestions?

Thursday, August 4, 2011

Changes coming in Packet Generator

Changes are coming to NetScanTools Pro v11 Packet Generator that will help you do QoS testing. Lots of work has gone into changing the interpacket timing algorithms so that the leading edge (beginning) of a packet is as close as possible to the timing you have entered. For instance, if you have entered a 10ms packet interval (interpacket timing), Packet Generator now puts the packets out at the desired interval with microsecond resolution.

This new algorithm will be applied to all packet types, TCP, UDP, ICMP, CDP and RAW. It is best used for sending UDP packets because if you are thinking VOIP or video that's where things like jitter and packet delay variation are important.

Other changes to Packet Generator include the removal of that floating status window - it caused timing delays due to updating the window. The new packet burst mode is now operational where if you put the packet delay at zero (0), it sends a burst of packets defined by the number of duplicated packets to send out to the target. This burst mode sends the packets as fast as the interface can send them.

Both accurate interpacket timing and burst mode can be helpful in determining the location of bottlenecks and poorly performing devices.
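As an added example, not code from Packet Generator, here is the scheduling approach the paragraphs above describe, written against the plain UDP socket API: each packet's deadline is computed from the start time (start + i * interval) rather than from the previous send, so sleep overshoot does not accumulate; a coarse sleep followed by a short busy-wait hits the deadline far better than the OS timer alone; interval zero gives the burst mode; and two helpers report how late each packet left against the schedule and the packet delay variation a VoIP or video tester cares about. The destination (loopback discard port) and payload size in the usage call are constructed for the example.

```python
"""Send UDP datagrams on an absolute schedule and measure the timing error."""
import os
import socket
import time


def deadlines(start, interval, count):
    """Absolute send times start + i*interval: scheduling from the start time
    instead of from the previous packet keeps timing error from accumulating."""
    return [start + i * interval for i in range(count)]


def wait_until(deadline, spin_window=0.001):
    """Sleep coarsely, then busy-wait the last `spin_window` seconds. The OS
    sleep timer alone is only good to roughly a millisecond (and 15.6 ms by
    default on older Windows), which is far too coarse for a 10 ms schedule."""
    remaining = deadline - time.perf_counter()
    if remaining > spin_window:
        time.sleep(remaining - spin_window)
    while time.perf_counter() < deadline:
        pass


def measured_wait(seconds):
    """Elapsed time for one wait_until(); never less than `seconds`."""
    start = time.perf_counter()
    wait_until(start + seconds)
    return time.perf_counter() - start


def send_paced(dest, interval, count, payload_len=64):
    """Send `count` datagrams to `dest` (host, port) and return the time each
    one left. interval=0 is burst mode: as fast as the socket accepts them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = os.urandom(payload_len)  # random payload, fixed length
    stamps = []
    try:
        start = time.perf_counter()
        for deadline in deadlines(start, interval, count):
            if interval > 0:
                wait_until(deadline)
            stamps.append(time.perf_counter())
            sock.sendto(payload, dest)
    finally:
        sock.close()
    return stamps


def schedule_deviation(stamps, interval):
    """Lateness of each packet's leading edge against the absolute schedule,
    in seconds (positive = late); max() of this is the worst timing error."""
    start = stamps[0]
    return [t - (start + i * interval) for i, t in enumerate(stamps)]


def packet_delay_variation(stamps):
    """Gap-to-gap variation between consecutive packets (RFC 3393 style IPDV)."""
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return [abs(b - a) for a, b in zip(gaps, gaps[1:])]


if __name__ == "__main__":
    # Constructed usage: 50 packets at a 10 ms interval to the loopback discard port.
    sent = send_paced(("127.0.0.1", 9), 0.010, 50)
    print("worst lateness %.1f us" % (max(schedule_deviation(sent, 0.010)) * 1e6))
    print("max PDV %.1f us" % (max(packet_delay_variation(sent)) * 1e6))
```

Measured on the sending host this only shows how well the sender keeps its schedule; measuring jitter introduced by the network needs the same timestamps taken at the receiver (or a capture) and compared against the sender's.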

A couple other things are being added to Packet Generator before release - and there was one bug that was fixed which affected users that have more than one outgoing interface.

Tuesday, August 2, 2011

New NetScanTools LE Video

I posted a fairly detailed overview of NetScanTools LE (Law Enforcement edition). Please have a look:

http://www.youtube.com/watch?v=7npesBKfMoc

Thursday, July 28, 2011

Managed Switch Port Mapping Tool v1.99.5 Released

This latest release was made available for download today. It adds support for SMC switches. We tested it thoroughly with an SMC6128L2 switch and there are now SMC specific extensions in our software to gather more information about the switch.

There was one fundamental operational change that you should be aware of: ping sweep has been moved up near the start of the switch mapping process. This was done to force the switch to re-learn any MAC addresses that may have 'aged' out of its bridge (forwarding) tables before we read them. That way as many devices as possible will be seen. Be sure to put in all the IPv4 ranges you need to be pinged ahead of time.

Another set of changes dealt with the operation of the IP to hostname resolver. We added a control in Settings to turn use of the caching table on or off, and another to make sure it is erased on exit. The reasoning behind this is that in a DHCP environment IPs change, so you should probably be clearing the table more often. The table is used much like a 'hosts' file for quick resolution of IPv4 addresses to hostnames in successive mappings; we use it to minimize DNS queries, and it will become more necessary in v2.0. Now there are more options for erasing it to remove what will become stale information.

One other thing we added was a check for duplicate hostnames, meaning two IPs resolving to the same hostname. If this is found, you get to see the hostname(s) and the IPs that share them. You would definitely want to manually erase the IP/hostname Resolver table in Database Maintenance if this occurs. If it repeats after doing that, you have a DNS problem.

Another change was in the area of print margins. A user pointed out that the print margins were rather large. Investigation revealed that the default margins were supposed to be 25mm. But in reality it was more like 250mm or one inch. If you are using a 96 dpi printer, then it is one inch. The File menu now has Print Page Options to allow you to change this.

Finally, in an effort to get away from the ancient Wise installer that we've used for years, this release now uses Inno Setup. Inno Setup reduced the size of the installer by around 1 MB. That doesn't sound like much but it is when you consider many downloads. It's also a modern and fast installer, so it works better on Windows 7.

http://www.switchportmapper.com/
or
http://www.netscantools.com/spmapmain.html

Enjoy!
Kirk

Wednesday, July 20, 2011

Need to know what's attached to your Nortel switch?

Watch this video to see how to use the Managed Switch Port Mapping tool to find out what's attached to a Nortel® BES110-24T switch.

http://www.youtube.com/watch?v=DhDimMRpO8I

Enjoy!

Monday, July 11, 2011

NetScanTools (r) Basic Edition 2.1 Released July 8, 2011

On Friday we released NetScanTools Basic 2.1 - our first update to this software since January 2010. This is our freeware version of NetScanTools. It has just a few helpful tools that introduce people to the NetScanTools Product line.

Tools:
DNS Tools - simple query (ipv4 to hostname etc.), Who Am I (shows your IPv4 address, hostname and DNS servers), Test Default DNS (takes IP address or hostname and asks each default DNS server for translation).

Ping - uses standard ICMP ping to contact an IPv4 or hostname.

Graphical Ping - uses standard ICMP ping to contact an IPv4 or hostname and it graphs the response times over time.

Traceroute - uses ICMP packets to show the route between your computer and a target computer.

Ping Scanner - uses ICMP packets to ping every IPv4 address between a start and ending IPv4 address.

Whois - shows basic whois information for around 70 domain extensions and IPv4 addresses.

These tools are simplified in comparison to NetScanTools Pro which means you don't have all the options available and you only get one mode of operation - for example traceroute is ICMP only instead of ICMP, UDP, TCP etc.

Have a look and enjoy!
Kirk

Tuesday, June 21, 2011

IPv6 Teredo Problems and Solutions on Windows 7-64 bit

I came back from the Wireshark Sharkfest '11 Conference excited to try some of the things I had learned. Imagine my dismay when I fired up my Windows 7-64 test box only to find that certain parts of NetScanTools Pro 11 that are IPv6 aware ceased working. Immediately I was able to see that it was the parts of the program that depended on the getaddrinfo function call that were failing. How did I know that? I used the other 'home-grown' NetScanTools resolver functions to talk with DNS (they bypass Windows resolver entirely and talk directly to any DNS) and by using Wireshark I could see the AAAA records coming back from DNS. I could see that the getaddrinfo function was not getting and reporting the IPv6 AAAA records. Very strange.

So I looked at a couple of things. First I did a cursory check of the network settings with ipconfig. All appeared normal. Then I spent some time recompiling NetScanTools Pro while playing around with various options in the addrinfo hints structure passed into getaddrinfo. That was not fruitful. Nothing I did could make the getaddrinfo function return the AAAA record. I was seeing the 11004 WSANO_DATA error. So I put that aside and looked more carefully at the IPv6 networking subsystem.

Next I tried to see if it was NetScanTools failing or something deeper. So I tried using command line "ping -6 ipv6.google.com". This failed with a message effectively admitting that it couldn't resolve the hostname to an IPv6. Good - sort of. Next I tried the other way doing a "ping -6 2001:4860:b006::69". That came back with even more ominous wording "Ping transmit failed. General Failure.". But I could use both command line ping and NetScanTools Pro IPv6 Ping to contact Link-Local IPv6 addresses on my local network - as I should be able to do. The IPv6 routing table didn't yield any real clues either.

Using both NetScanTools Pro, ipconfig and various netsh command line things I was able to see that while isatap was active, I was not seeing teredo - I had seen it before when using command line ping and when using NetScanTools Pro. Teredo was what I wanted to try decoding with Wireshark. NetScanTools Pro showed me that Teredo was there but it had an admin status of 'Down'. So I tried various netsh commands to reactivate Teredo. They all appeared to work, but Teredo never reappeared in the list of hidden devices in Device Manager. I tried the solutions floating around on the internet for making sure IPv6 was active and getting Teredo to show up in Device Manager, but still no luck.

A little history might help. I had recently installed VMware Workstation 7.1.4 on that machine because it's a test machine and I needed lots of OS's available. Could it be that? I don't know for sure because I spent time on VMware forums looking for similar problems - but didn't see any. It could have been a Windows Update patch that turned off Teredo, but I just don't know for sure. The two VMware Virtual Ethernet Adapters both had link-local fe80 IPv6 addresses, so IPv6 wasn't entirely dead. AND of all things, I could start Windows Server 2008 in a virtual machine with all of its IPv6 functions working perfectly including NetScanTools Pro. I did find this page dealing with firewall settings for Teredo and found that everything was OK: http://support.microsoft.com/kb/968510

So today I spent lots of time with the netsh commands. I used "netsh interface IP show config" to see all the interfaces similar to ipconfig. By doing a "netsh interface ipv6 show interface" I could see all the active connections. What was missing was Teredo. I used "netsh interface set interface teredo set state default" to make sure it was there and it answered OK. But still no Teredo. Then I found this interesting command "netsh interface IPv6 show teredo". It said the State was 'offline' and the Error value was "client is in a managed network". Progress. Big progress.

So I put that error string into google and found a reference to this blog: http://blogs.msdn.com/b/p2p/archive/2007/03/22/teredo-and-the-pnrp-global-cloud.aspx
Essentially Teredo detected (incorrectly) that the machine was in a corporate environment - this is probably due to multiple OS's and several switches being active with all their chatter. So the fix was to use "Netsh interface teredo set state enterpriseclient". Once I did that, there was no need for rebooting or anything. "netsh interface IPv6 show teredo" now showed the correct info like Local Mapping and External NAT Mapping. And all of a sudden both command line ping and NetScanTools Pro IPv6 enabled tools began to work again.
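As an added example (my own, not anything from NetScanTools or Microsoft) covering the check described here and in the Windows XP post of September 16: parse the output of `netsh interface ipv6 show teredo`, and only when the state is offline with the 'client is in a managed network' error (XP reports an error of none in the same situation) emit the enterpriseclient command for that Windows version. The two netsh transcripts below are constructed to resemble the real output; the addresses in them are documentation addresses, not real mappings.

```python
"""Read Teredo state from netsh output and decide whether the managed-network
misdetection fix (client type enterpriseclient) applies."""
import subprocess
import sys

# Constructed sample resembling Windows 7 output when Teredo has wrongly
# concluded that the machine sits in a managed (domain) network.
SAMPLE_OFFLINE = """\
Teredo Parameters
---------------------------------------------
Type                    : default
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : client is in a managed network
"""

# Constructed sample of a working client (mappings use documentation addresses).
SAMPLE_ONLINE = """\
Teredo Parameters
---------------------------------------------
Type                    : enterpriseclient
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : qualified
Local Mapping           : 192.0.2.10:65120
External NAT Mapping    : 198.51.100.7:40217
"""

# Error texts that mean "Teredo is merely switched off by the managed-network
# check", as opposed to a real failure (server unreachable, port blocked...).
MANAGED_NETWORK_ERRORS = {"client is in a managed network", "none"}


def parse_netsh_teredo(text):
    """Turn the 'Key : value' lines into a dict with lower-cased keys. Split on
    the first colon only, so values like '192.0.2.10:65120' survive intact."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            params[key.strip().lower()] = value.strip()
    return params


def teredo_fix_command(text, windows_xp=False):
    """The netsh command to run, or None when Teredo is not in the offline,
    managed-network state (online already, or failing for another reason)."""
    params = parse_netsh_teredo(text)
    if params.get("state", "").lower() != "offline":
        return None
    if params.get("error", "none").lower() not in MANAGED_NETWORK_ERRORS:
        return None
    if windows_xp:
        return "netsh interface ipv6 set teredo enterpriseclient"
    return "netsh interface teredo set state enterpriseclient"


def main():
    if sys.platform != "win32":  # nothing to query; show the decision on the sample
        print("sample ->", teredo_fix_command(SAMPLE_OFFLINE))
        return
    out = subprocess.run(["netsh", "interface", "ipv6", "show", "teredo"],
                         capture_output=True, text=True, check=True).stdout
    cmd = teredo_fix_command(out)
    print(cmd or "Teredo is not offline because of the managed-network check; nothing to do")


if __name__ == "__main__":
    main()
```

The script prints the command rather than running it because enterpriseclient bypasses the check that keeps Teredo off on domain networks: once the client qualifies, the host has an externally reachable IPv6 address tunnelled over UDP, so it is worth confirming that the host firewall's IPv6 rules are what you expect (the KB968510 firewall article linked above) before forcing it on.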

I guess the thing that bugs me is this: why is there this huge dependency on Teredo for IPv6 in Windows 7? If I ask for a name resolution using getaddrinfo with a hint of AF_INET6 I EXPECT a response if AAAA records are coming back from the default dhcp assigned system DNS. It shouldn't matter that IPv6 is fully enabled on the system using Teredo or anything else. So my workaround will be to write EXTRA CODE to resend an AAAA or PTR record request from my own private resolver on failure of getaddrinfo because I can't trust it. I hope someone at Microsoft reads this and helps me understand why it was behaving this way.

All I wanted to do was try to decode Teredo traffic with Wireshark...

Kirk Thomas
NetScanTools Developer and Sharkfest '11 attendee

Sunday, June 12, 2011

Managed Switch Port Mapping Tool v1.99.4

On June 9 we released the latest version of the Managed Switch Port Mapping Tool. It addressed an ongoing problem we had been having with Side by Side DLL configurations - we switched to static linking to eliminate this nagging problem. We also fixed a problem that usually only showed up if you were using a low color resolution screen such as when you run the program using Remote Desktop. If you viewed the About information on low color resolution, it would crash - it no longer does that. We also tested the software successfully with HP ProCurve 1810G-8 Switch running their new p2.2 firmware and made a minor change that allows mapping of older Enterasys Cabletron switches. In keeping with current conventions and the changes made in NetScanTools Pro v11, the word Setup was replaced with Settings throughout the program.

Please visit http://www.switchportmapper.com/ to download the free 30 day trial. If you need a trial period reset code, please contact our sales dept.

Kirk

Wednesday, May 25, 2011

ipPulse 1.80 mentioned in the press

On May 16, TMCnet published an article about our recent release of ipPulse 1.80:

http://ipcommunications.tmcnet.com/topics/ip-communications/articles/175157-ippulse-version-180-simplifies-monitoring-ipv4-connected-devices.htm

Thanks to Mini Swamy, a contributing editor for TMCnet.

Kevin Beaver Review of NetScanTools Pro v11

Kevin Beaver, the author of Hacking for Dummies , did a nice review of NetScanTools Pro v11 today. It's here on his blog:

http://securityonwheels.blogspot.com/2011/05/if-you-dont-have-netscantools-pro-v11.html

Thanks Kevin! You can follow Kevin on Twitter: @kevinbeaver

Tuesday, May 10, 2011

ipPulse 1.80 released May 10, 2011

Today I released ipPulse 1.80 in response to a customer request to add the ability to send alert emails through secure email servers. It can now do that. I've tested it with our own servers and also with Yahoo, Gmail, and Hotmail/Live servers. Those last three servers require security, so it was pretty necessary. There were also some other changes - here are the details:

-Added the ability to send notification emails through secure email servers using TLS. This allows you to send notifications through a number of services including Yahoo, Hotmail and Gmail. Examples are in the help file.
-Updated the program icon.
-Renamed Setup to Settings. This is a more commonly understood term for the program settings.
-Added button to select a minimal set of columns in the Settings/Program Control/Edit Column Visibility window.
-Added logic to define a minimal set of columns in case all saved columns are invisible.
-Reformatted and revised help file.

If you have the unlocked version of ipPulse, please download and install over the top. Also, be sure to test sending an email before actually running ipPulse against a list of IPs. Turn on SMTP logging while you do the test so that you can see what's happening.

ipPulse 1.80 is here:
http://www.nwpsw.com/ippulsemain.html

Thursday, April 21, 2011

NetScanTools Pro 11.01 Released April 18

Yes, after only two weeks, out comes another release. During those two weeks work was being done on the USB version. And, of course, our customers did find a few things we needed to fix and those are done. This release addresses the problem of running the program on less than 32 bits per pixel color depth and some other problems with Automated Tools. So now both the installed version and USB version are done. The databases were updated too.

Please be sure to explore the new features like sending RAW ethernet packets. This is cool because you can craft and send anything you want - malformed packets or OK packets. SNMP also now supports version 3, there is a completely rewritten Connection Monitor, a Routing Table tool and more. Don't forget to use the 'Add to Favorites' checkbox on each manual tool. That way you won't be scrolling through tools looking for your favorites.

Kirk

Friday, April 8, 2011

NetScanTools Pro 11 finally released!

After a year+ of work, NetScanTools Pro version 11 was released. There are many new and improved things in this release that I'm sure you will be interested in. This is a true major release.

New Interface - completely updated, and it is still an 'outlook' style interface: there is a left panel control bar and tools appear on the right side. This new interface gives us the ability to bring back 'Favorites' - something that was present in the old 'tabbed' interface of the earlier versions of NetScanTools Pro. You can see a slideshow of it in the screenshot section of the product grid on http://www.netscantools.com/.

The goal of this release was to enhance yet simplify by clearly showing the intended use of each tool. This meant that some tools were split into two parts, for example the ARP tool became the ARP Cache Tool and the ARP Scan Tool. Some tools and things within tools were renamed to conform to industry standard conventions, for example 'Setup' was a more common term when NetScanTools was first released, but now 'Settings' is more common and better understood.

New Tools - Connection Monitor, MAC Address to Manufacturer, Network Interfaces - Wireless, Routing Table - IPV4, and SNMP Scanner Tool.

Additions to current tools:

DNS Tools - Core now has IPv6 Simple Query lookups, Get Basic DNS Records now retrieves the IPv6 AAAA records, we added Flush Default DNS Cache and Edit DNS HOSTS File.

DNS Tools - Advanced has three new tools, IPv4 or Hostname to ASN, Get VOIP SRV Records and Get Misc SRV Records.

Packet Generator now supports sending ARP/RARP packets and RAW packets. RAW packets means that you craft the whole packet from the destination and source ethernet header MAC addresses all the way to the end. And we've added a new tool to help you do that: a Hex Editor.

Ping now supports IPv6 addresses.

Ping Scanner (AKA NetScanner) has the ability to translate IPv4 addresses using either the Default System DNS or a specific DNS. We also added Scan Delay Time to slow it down if necessary and added a way to import an IPv4 list into it. To simplify results, we made the columns dynamic in other words they appear and disappear according to the additional scan tasks settings.

Port Scanner was completely rewritten and works much better than the v10.x predecessor. It's much faster and more accurate. We've added a section for scanning commonly used ports and there's an editor for that list in case you need to change it.

Promiscuous Mode Scanner adds the Multicast Address 3 test.

Service Lookup replaces the old Database Tests.

SMTP Server Tests now supports STARTTLS and you can select the Protocol (TLS1, SSL2, SSL3), Algorithm (DES, 3 DES, MD5, RC4, SHA) and Minimum Key (40-256 bit) Preferences (not all settings are supported in all operating systems).

SNMP was split in two for clarity, Core and Advanced. It now supports all modes of SNMPv3 (you may need to obtain the OpenSSL libeay32.dll to support the authPriv encrypted mode - we cannot distribute that). We have added WalkBulk, GetNext and GetBulk to the Core tool. The Advanced tool has a launcher for both the Dictionary Attack Tool and the new SNMP Scanner Tool. The Dictionary Attack tool is much faster than before in terms of loading a list of IPs and clearing the display.

Whois now supports IPv6 input queries and if you enter a domain, we attempt to do an IPv6 and IPv4 address resolution on the 'www.' prefixed hostname. History buttons have been added so that you can view previous whois queries made during the current session.

This brings us to overall design considerations. Favorites was a common request during the lifetime of version 10. It was not easily done in version 10, but it was a priority goal in version 11. You can now check a box on each manual tool to add it to the left panel Favorites group.

As in NetScanTools LE, we now have a mandatory results database. This is required so that we can bring up historical reports from each tool, both manual and automated. Automated Tools was completely rewritten: the Automated Tools use an engine to operate each manual tool given the input, and the results are saved to the database. In previous versions, the Automated tools were actually a duplicate of the manual tool that did the same action - not efficient. Running more than one tool at a time is important to some customers, so this new program shell gave us the methods for doing so. As in 10.x, reports are shown in the web browser; the database gives us the method to be able to show old reports from other sessions.

The left panel now has tool groupings like DNS Tools, Packet Tools etc. This helps users find tools they need quickly. IPv6 will be a focus of version 11. We have some support in there now, but as version 11 evolves, more IPv6 compatibility will be added - stay tuned!

Please review the video and image gallery on the main netscantools.com page. More information will be posted shortly along with new images and videos.

Tuesday, March 15, 2011

SQLite, AUTO_VACUUM and Windows ACLs

This article applies to Windows 7 32/64 and Windows Vista 32/64 with UAC active.

In January an enduser pointed out to me that every time he tried to use the Real Time BlackList tool in NetScanTools Pro, he got an SQLite error message about the database being 'read-only' - it could not be opened. The software was installed on Windows 7-64 bit, and NetScanTools Pro's manifest requests the 'asInvoker' execution level, so under UAC it runs with the standard user token even when started from an administrator account (the administrative privileges are filtered out unless the program is explicitly run as administrator).

After doing the usual tech support routines by checking file properties, I was stumped - until yesterday when I was able to duplicate it on two Windows 7 machines.

The SQLite database is copied into our own directory, created at install time under C:\ProgramData, which is the common user data area. The thought was that any account using the program would be able to access the database. It's not the only database we put in there, and the others were opening fine, so I set out to find out why.

The only thing different about this database is that it has the "AUTO_VACUUM" pragma set. It appears that with AUTO_VACUUM SQLite moves freed pages around within the database file, which requires write privileges. SQLite's error message should do more than simply state that the database is read-only: it could check the file ACLs against the calling process's account privileges and then report that the current AUTO_VACUUM state is incompatible with them.

To see the file access privs on an account level, go into our C:\ProgramData\NWPS\NetScanToolsPro common user directory and run "icacls *.*" on the command line. You will see that user level accounts (BUILTIN\Users) only have (I)(RX) - inherit, read, execute privileges - while the other higher level accounts have (F) full privileges. Since AUTO_VACUUM requires write access to the database to make changes, a user level account will not have the proper privs. So, yes, opening the database fails (I just don't think the message is good enough).

So now, how to fix it. Recreating the database with AUTO_VACUUM off fixes it. But what if you need to write (as a USER) to the Real Time Blacklist database using the tool we provide to edit the database? You can't, because the Administrators group is the owner.

The solution is to change the directory and file ACLs. I did this by modifying the installer to call a function of my own design which applies full access (grfAccessPermissions=GENERIC_ALL) with grfInheritance=SUB_CONTAINERS_AND_OBJECTS_INHERIT for the Everyone group at our NWPS\NetScanToolsPro directory level. Once that is done and you run the icacls command, all files in that directory show "Everyone:(I)(F)", which means that every account can fully access the files, including our SQLite database that we couldn't open. You have to use AllocateAndInitializeSid, SetEntriesInAcl and SetNamedSecurityInfo to accomplish this, and you have to do it in the installer because the installer runs at admin privileges.

To summarize, if you have a program running on Windows 7 or Vista at USER level that needs write access to an SQLite database in the C:\ProgramData common user directory that was not created by your program, you've got a problem. And that problem is even worse if the database has AUTO_VACUUM enabled. You have to modify the file access privileges to FULL control in order to allow SQLite to operate on the database correctly.
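A way to check the icacls listing for exactly the condition described above, as an added example that is not NetScanTools or installer code: it parses "icacls *.*" output and reports which user-level principals hold a write-capable ACE on each file. The sample listings are constructed, and the database file name is a placeholder.

```python
import re

# icacls notation: simple rights F, M, W and the specific rights that allow a
# file to be changed.  (I), (OI), (CI) and friends are inheritance flags.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "D", "DE"}

def parse_icacls(text):
    """Return {path: [(principal, {flag, ...}), ...]} from 'icacls *.*' output.
    The first ACE of a file shares its line with the path; further ACEs follow
    on indented lines.  Assumes the listed paths contain no spaces (true for
    C:\\ProgramData\\NWPS\\NetScanToolsPro)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Successfully", "Failed")):
            continue
        if raw[0] != " ":                       # "<path> <principal>:(flags)"
            current, _, line = line.partition(" ")
            entries[current] = []
        principal, _, flags = line.partition(":")
        if current is None or not flags.startswith("("):
            continue
        entries[current].append((principal, set(re.findall(r"\(([^)]*)\)", flags))))
    return entries

def grants_write(flags):
    """True when an allow ACE carries any right that modifies the file.
    Specific rights appear comma-separated inside one pair of parentheses."""
    if "DENY" in flags:                         # a deny ACE never grants
        return False
    rights = set()
    for group in flags:
        rights.update(group.split(","))
    return bool(rights & WRITE_RIGHTS)

def principals_with_write(text, principals=("BUILTIN\\Users", "Everyone")):
    """For every file in the listing, which of the given principals can write."""
    report = {}
    for path, aces in parse_icacls(text).items():
        report[path] = sorted({p for p, flags in aces
                               if p in principals and grants_write(flags)})
    return report

# Constructed listings matching the situation described above; the database
# file name is a placeholder.
BEFORE_FIX = """\
C:\\ProgramData\\NWPS\\NetScanToolsPro\\PLACEHOLDER.db NT AUTHORITY\\SYSTEM:(I)(F)
                                                  BUILTIN\\Administrators:(I)(F)
                                                  BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
AFTER_FIX = BEFORE_FIX.replace(
    "BUILTIN\\Users:(I)(RX)",
    "BUILTIN\\Users:(I)(RX)\n" + " " * 50 + "Everyone:(I)(F)")

if __name__ == "__main__":
    for label, listing in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, principals_with_write(listing))
```

The installer fix described above grants Everyone (F); a narrower grant such as (M) for BUILTIN\Users would satisfy the same check with less exposure.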

Thursday, March 3, 2011

Tip: Find Root DNS for a Top Level Domain

Have you needed to find the root DNS servers for a particular top level domain?

Applies to: NetScanTools Pro, NetScanTools LE, NetScanTools Basic, NetScanTools Standard (obsolete).

It’s actually pretty easy, but how you enter the top level domain makes all the difference in the world. Examples of a top level domain are: .uk, .com, .nu, .se, .ca etc.

How to do it:

1. Switch to the DNS Tools - Core tool or, on older software, the Name Server Lookup tool.
2. Enter the DNS server you are going to use under Advanced Query.
3. Select the NS record type; you may have to go into AQ Setup or Setup to do this.
4. Enter the top level extension in the IP/host/domain entry area. The correct method is to enter the extension followed by a period: ca. or uk. or com. - if you leave off the period or put the period before the extension, the query will fail.
5. Press NSLOOKUP.

Results will look like these two examples, the first for .ca (Canada) and the second for .se (Sweden):

[Start Query]
NSLOOKUP Starting Timestamp: 02/24/11 14:49:37
Command line equivalent: "nslookup -recurse -type=NS ca."
Looking up [ca.]

DNS Name: 4.2.2.2
IP Address: 4.2.2.2

Non-authoritative answer:
ca NS nameserver = f.ca-servers.ca
ca NS nameserver = e.ca-servers.ca
ca NS nameserver = j.ca-servers.ca
ca NS nameserver = a.ca-servers.ca
ca NS nameserver = c.ca-servers.ca
ca NS nameserver = m.ca-servers.ca
ca NS nameserver = l.ca-servers.ca
ca NS nameserver = z.ca-servers.ca
ca NS nameserver = k.ca-servers.ca
ca NS nameserver = sns-pb.isc.org
Server Response Time = 0.117 seconds
[End Query]

[Start Query]
NSLOOKUP Starting Timestamp: 02/24/11 14:54:34
Command line equivalent: "nslookup -recurse -type=NS se."
Looking up [se.]

DNS Name: 4.2.2.2
IP Address: 4.2.2.2

Non-authoritative answer:
se NS nameserver = d.ns.se
se NS nameserver = e.ns.se
se NS nameserver = c.ns.se
se NS nameserver = a.ns.se
se NS nameserver = b.ns.se
se NS nameserver = g.ns.se
se NS nameserver = h.ns.se
se NS nameserver = i.ns.se
se NS nameserver = f.ns.se
se NS nameserver = j.ns.se
Server Response Time = 0.430 seconds
[End Query]

What you see in the two examples above are the authoritative name servers for the root domains.
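The wire-level reason the trailing period matters, as an added example (Python standard library, not NetScanTools code): "ca." encodes as one label plus the terminator, ".ca" has an empty leading label that cannot be encoded at all, and a bare "ca" is treated as relative. The search-suffix behaviour is a simplified model of a stub resolver, and the NS response is constructed from two of the servers in the .ca capture above.

```python
import struct

QTYPE_NS, QCLASS_IN = 2, 1

def qualify(name, search_suffix="domain.actdsltmp"):
    """Simplified model of a stub resolver: 'ca.' is absolute and used as-is;
    a bare 'ca' is treated as relative and gets the system search suffix
    appended (so the query asks for a name that does not exist); a leading
    period would mean an empty first label, which cannot be encoded at all."""
    if name.startswith("."):
        raise ValueError("empty leading label in %r" % name)
    return name if name.endswith(".") else "%s.%s." % (name, search_suffix)

def encode_name(fqdn):
    """Wire form of a name: a length byte per label, ending in a zero byte."""
    out = bytearray()
    for label in fqdn.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def build_ns_query(name, txid=0x1234):
    """Header with RD set plus one question, like 'nslookup -type=NS <name>'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qualify(name)) + struct.pack("!HH", QTYPE_NS, QCLASS_IN)

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # pointer into an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def nameservers_from_response(msg):
    """Walk the question and answer sections and return the NS targets."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = decode_name(msg, offset)[1] + 4   # skip qtype/qclass
    servers = []
    for _ in range(ancount):
        offset = decode_name(msg, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS:
            servers.append(decode_name(msg, offset)[0])
        offset += rdlen
    return servers

# Constructed reply to 'ca. NS' with two of the servers from the capture above.
# Owner names and the shared 'ca' suffix are compression pointers to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("ca.") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 86400, 15)
    + b"\x01a\x0aca-servers\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 86400, 15)
    + b"\x01c\x0aca-servers\xc0\x0c"
)
```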

NetScanTools Pro 10.98.2 Released

On February 23, 2011 we released NetScanTools Pro 10.98.2 both installed and USB versions. Many of the changes have to do with privileges and will primarily affect Windows 7 and Vista users.

Here are the release notes.
-Improved messages that show if writing to a registry location fails. They now suggest escalating the privileges by starting the program with 'Run as administrator'.
-All temporary snmp files are now removed on program exit.
-Improved handling of WinPcap interfaces where both IPv4 and IPv6 addresses are bound to the interface. Affects several programs.
-Internal changes to DNS Tools resolver.
-Port Scanner and NetScanner (Ping Scan) now show warning messages if privileges are not sufficient to run UDP scan and Subnet Mask test respectively.
-Updated SQLite to version 3.7.4.
-Updated database files.

Enjoy!

Thursday, February 17, 2011

XP IPv6 Weirdness

This article is about a computer that has IPv6 installed on Windows XP SP3.

I was using Wireshark today checking on the operation of the NetScanTools Pro v11 port scanner when I noticed something weird. Every 10 seconds a set of regularly spaced AAAA record queries was going to my ISP's DNS (the default DNS for this system). The AAAA queries were all for 'mycomputername.domain.actdsltmp' and each time the DNS would respond with 'no such name'. So I started closing down the browser and all the open programs - no change, the queries continued. Since this amounts to DNS harassment and a waste of bandwidth, I decided to find the cause. The 'domain.actdsltmp' part of the request is there because we have an Actiontec GT701 that provides that to my computer as a default domain name.

I could not find a way to shut it off short of uninstalling IPv6, so I did a nice workaround that works well. I added these two records to my hosts file using NetScanTools Pro - you can use something else if you want, it's just a text file. The first record is for IPv4 and the second for IPv6:

127.0.0.1 mycomputername.domain.actdsltmp
::1 mycomputername.domain.actdsltmp

The purpose of those records is to intercept the outgoing DNS queries before they happen. Windows name resolution consults the hosts file first; only when the mapping is not found there is the actual query sent out to the system's default DNS servers.

Those two records tell whatever is asking for those hostnames that the loopback addresses (IPv4 and IPv6) are the addresses to use. This makes sense anyway because it's asking for a translation of your own computer name.

Tuesday, February 15, 2011

NetScanTools Pro v11 Beta

Just released NetScanTools Pro version 11 beta 3 to select customers. If you are a customer with an active NetScanTools Pro maintenance plan and you want to try the beta, contact support today.

Beta 3 represents many changes based on the input of beta testers. Thanks to all who are helping!

Kirk

Thursday, February 3, 2011

NetScanTools Pro NetScanner/Ping Sweep Tips

These comments apply to NetScanTools Pro 10.98.1 and earlier. NetScanner/Ping Sweep uses ICMP ping packets to find active computers in the IP range or list of IPs.

1. If you are scanning a range of IPs that includes Windows computers with active NetBIOS or SMB Windows computer name access - please - please - please make sure that the checkbox labeled "Delete NetScanner Temporary Files on Exit" is checked. See NetScanner/Ping Sweep Setup.

2. If you see what you know is the wrong hostname for an IP, first press the Edit Hosts File button and see if the IP is in there. If it is, edit it out and make sure the Add Responding IPs to Hosts File box is unchecked. If the hosts file is not the problem, you need to review DNS. NetScanner uses the built-in resolver in Windows to resolve IPs to hostnames using DNS queries; if those fail, a node status request is sent directly to the target to try to get the Windows hostname. Switch to the DNS Tools - Core tool and enter the IP that has the wrong hostname. Then press Test Default DNS. This tool does a direct PTR query to all the DNS servers used by your computer. Look for two or more PTR records showing different hostnames. If you see that here, then the problem is in DNS. If the IP does not have PTR records in DNS, then go back to NetScanner and double click on the IP in question to view the NetBIOS/SMB information returned during the scan. You may see the incorrect hostname in the NetBIOS response. If so, make sure #1 above is implemented - if not, exit the program, restart and rescan.

3. Keep Add responding IPs to hosts file unchecked. It is an artifact of an earlier version of NetScanTools and is no longer relevant in today's systems.

4. If you are looking for MAC addresses, please make sure Retry Send ARP is checked and Get NetBIOS Info is checked. The first one uses ARP to get MAC addresses if you are on the same subnet. The second one queries Windows computers through the NetBIOS/SMB protocol to obtain MAC addresses. Remember that MAC addresses in an IPv4 network are not routed.

5. If you want to ping a set of non-contiguous, random IPs, create a list of IPv4 addresses, one per line, and save it to a text file. There can be no other information in this file, only the IP addresses. On NetScanner/Ping Sweep, press Load Targets, then Load Text File. Navigate to the IP text file and open it. Now press Start NetScan and answer Yes to the question about scanning the list. You may want to go into Setup and uncheck the box labeled Enable Post-Sweep Delete of Nonresponding IPs - it's up to you.

Tuesday, January 18, 2011

Phishing Fax? or just plain fishy

This afternoon we got a one page fax from someone in Vancouver WA wanting a quote for some specific printer supplies (we don't sell printer supplies - duh). The letter was well written with a good logo and plentiful contact info including physical address, phone, fax, and an email address.

So the first thing I did was go to their website based on the email address. Oops! Just a standard Windows Live template - STRIKE ONE!

Next I did a whois on the domain, the name matched the name on the fax but - STRIKE TWO!! - the domain was registered just yesterday and domain privacy is enabled. Now I'm curious.

So I went to Google Maps, put in the address and did a street view. Turns out it is a residential street with older one-story inexpensive small ranch houses - STRIKE THREE!!!

Next I went to the State of Washington business lookup database and found there is no legal business registered by that name - STRIKE FOUR!!!! (anybody from the state of WA listening?)

Just for good measure I did some additional Google searches and found out this person has registered 104 domains - STRIKE FIVE!!!!!

The fax wanted availability of items, pricing, method of payment and contact person (name, phone...) - this gives the phisher a name and possibly an email for their database - if they are a phisher. They wanted the quote faxed back, which gives them a verification that the original fax number (mine) was good and possibly a new fax number as part of the fax back of the quote.

What are they doing? Good question. Are they looking for additional contact info to build or verify their sucker list of fax numbers, email addresses, names and phone numbers? Who knows?

Phishing or fishy? definitely fishy if nothing else.

me

Friday, January 14, 2011

Fix for Product Registration Problem on Win 7-64

A recent change in the NetScanTools Pro manifest (v10.98.1) allowing USER accounts to run the program had a negative side effect: more people have had trouble completing the registration process. This is because we store information in a common area of the registry called HKEY_LOCAL_MACHINE (HKLM). It has been there for many years and is there because it can be accessed from any logged in user, i.e. it is not user specific. Recently Windows 7 64 bit has been seen to strongly enforce the 'read-only' status of this part of the registry, causing our product registration process to fail. The workaround is to start the program using right-click 'Run as administrator'. This has worked for most people.

I spent a good deal of time this week looking for a better solution. I looked at storing the registration information in a common area, but that presents its own problems. I found a suggestion on a forum that made sense and worked: create the registry key in HKLM with read/write permissions for the EVERYONE group during installation. Why during installation? Because when an installer is run, it runs at higher privileges (administrator) than a normal user has.

So I have now modified the methods used to create the HKLM key during running of the installer so that the key has read/write privileges. This has been tested on all versions of Windows that NetScanTools Pro v10 supports: 7 down through 2000, also on Server 2003 and 2008. Now any privilege level user should be able to complete the registration process without a problem. You still need admin privs to install the software - I can't change that.

Along the way I learned a bit about SID, ACE, ACLs, security descriptors and how to apply them to registry items using SetSecurityDescriptorDacl, RegCreateKeyEx and RegSetKeySecurity. Complicated.

The installer for NetScanTools Pro v10.98.1 was modified to include this change and published on Jan 13, 2011 at 3:53pm Pacific Time.

Tuesday, January 11, 2011

Managed Switch Port Mapping Tool v1.99.2 Released

Last night I released a new minor revision to the Managed Switch Port Mapping Tool. "Minor" is in the eye of the beholder. In reality, there were some big internal changes:

The SNMP engine was upgraded to v5.5. The complete effects of this are unknown, but may help out some mappings due to different SNMP implementations. I've been using this version of the SNMP engine for several months in the development of NetScanTools Pro v11.

The SQLite DLL was upgraded to 3.7.4. SQLite is arguably the most widely distributed non-client/server database engine. It's in your iPhone, Firefox and more.

Other changes were also important but less recognizable. We had one user who had problems with the Switch Port Mapper hanging up. Together we found that it was a corrupted snmp.tmp file. This new version deletes that file automatically when you exit the software and also deletes the html report .tmp file.

Another user had a strange problem a couple of weeks ago and it was what accelerated this release. Someone at his university had a Mac with a dynamically updated DNS name of "John's MAC" (with the double quotes). First of all, DNS names are not supposed to have single quotes or spaces in them - it is a violation of the DNS RFCs - why the DNS accepts them I have no idea. When our software tried to execute the SQL command containing that extra quote, it failed because single quotes are used to delimit strings in SQL. So now our software removes single and double quotes returned by DNS.
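What that failure looks like, and the fix that removes the whole class of problem, as an added example using Python's standard sqlite3 module (not the Managed Switch Port Mapping Tool's own code; the table layout and sample MAC/IP values are constructed): a DNS-supplied name pasted into SQL text breaks on a quote, stripping quotes avoids the error but alters the name, and binding the value as a parameter stores it verbatim with no escaping at all.

```python
import sqlite3

def open_db():
    """In-memory table standing in for the mapper's results database
    (layout constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (mac TEXT, ip TEXT, hostname TEXT)")
    return db

def insert_concatenated(db, mac, ip, hostname):
    """The fragile pattern: the DNS-supplied name is pasted into the SQL text,
    so a single quote inside it terminates the string literal early."""
    sql = "INSERT INTO hosts VALUES ('%s', '%s', '%s')" % (mac, ip, hostname)
    db.execute(sql)

def insert_bound(db, mac, ip, hostname):
    """The robust pattern: '?' placeholders with the values passed separately,
    so quotes, spaces or anything else in the name are data, never syntax."""
    db.execute("INSERT INTO hosts VALUES (?, ?, ?)", (mac, ip, hostname))

def strip_quotes(hostname):
    """The workaround described in the post: drop single and double quotes."""
    return hostname.replace("'", "").replace('"', "")

def demo(hostname='"John\'s MAC"'):
    """Run all three approaches against the same name and report the outcome."""
    db = open_db()
    row = ("00:11:22:33:44:55", "10.0.0.7")   # constructed sample values
    try:
        insert_concatenated(db, *row, hostname)
        concatenated = "ok"
    except sqlite3.OperationalError as exc:
        concatenated = "error: %s" % exc       # near "s": syntax error
    insert_concatenated(db, *row, strip_quotes(hostname))
    insert_bound(db, *row, hostname)
    stored = [r[0] for r in db.execute("SELECT hostname FROM hosts ORDER BY rowid")]
    return {"concatenated": concatenated, "stored": stored}
```

Note that the stripped copy is stored as "Johns MAC" while the bound copy keeps the name exactly as DNS returned it; since a dynamically registered hostname is data supplied by the remote host, binding is also what keeps that data from being interpreted as SQL.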

The final important change was to the way VLANs were handled. The change corrected the VLAN results shown when you map a Cisco Small Business SF 300-08 switch. Previously there were 'extra' VLANs noted like vlan 0 which doesn't exist.

In case you are wondering, the Managed Switch Port Mapping Tool is Windows compatible software used to discover MAC and IPv4 addresses of devices connected to an SNMP managed network switch. If any of this interests you, please visit http://www.switchportmapper.com/ or http://www.netscantools.com/spmapmain.html

Thursday, January 6, 2011

Shortened URLs Unmasked

Twitter users in particular are bombarded daily with a plethora of shortened URLs. Shortened URLs are especially useful on Twitter because really long URLs like http://netscantools.blogspot.com/2011/01/addressing-confusion.html are tough to fit into 140 characters and still retain a meaningful message. Those long URLs can be shortened into something like http://tinyurl.com/37dnopw. While convenient, they do present a security risk: a shortened URL can hide a link to a page full of malware just as easily as a link to an informative article. How can you know where that URL goes?

The methodology of shortened URLs is fairly straightforward. When you access the shortened URL, the shortened URL provider's web server sends back an HTTP 301 Moved Permanently message with the new location URL. You can clearly see it in the two examples below - I used NetScanTools Pro's URL Capture to grab the text. Your web browser will not show these hidden headers and it will act on them before you have a chance to think about the final target URL. That's why I used the tool in NetScanTools Pro - it grabs only the text and does not accept anything else like scripts or images.

This first methodology used by tinyurl.com is the simplest. It only sends back the 301 redirect message.

Starting Timestamp: 01/06/11 22:06:18
Input URL: http://tinyurl.com/37dnopw
Web server IPv4 address: 195.66.135.140
***###Received Web Page text begins after this line###***
HTTP/1.0 301 Moved Permanently
Location: http://netscantools.blogspot.com/2011/01/addressing-confusion.html
X-tiny: cache 0.00097513198852539
Content-type: text/html
Content-Length: 0
Connection: close
Date: Fri, 07 Jan 2011 06:05:40 GMT
Server: TinyURL/1.6

The next methodology used by the bit.ly URL shortening service is a bit more involved. Not only does it send back the HTTP 301 moved message, but they also provide a web page with the embedded redirected target link just in case the web browser does not follow the 301 command.

Starting Timestamp: 01/06/11 22:06:40
Input URL: http://bit.ly/i9TxQY
Web server IPv4 address: 128.121.254.205
***###Received Web Page text begins after this line###***
HTTP/1.1 301 Moved
Server: nginx/0.7.67
Date: Fri, 07 Jan 2011 06:06:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: _bit=4d26ad49-003c1-00673-b3a08fa8;domain=.bit.ly;expires=Wed Jul 6 02:06:01 2011;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://www.us-cert.gov/current/index.html#apple_releases_mac_os_x4
MIME-Version: 1.0
Content-Length: 328

...web page omitted...

There are plugins for Firefox and other browsers which do that first step of contacting the URL shortening server and then present the final target to you - and it's your decision as to whether to continue. I have shown the mechanism and how to use our software to see it. This text-only URL Capture tool is in NetScanTools Pro and also in NetScanTools LE (law enforcement).
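The same unmasking done without a browser or plugin, as an added example (Python standard library, not NetScanTools code): redirect_target() pulls the status and Location header out of raw response text like the two captures above, and unmask() follows a chain one hop at a time so the final destination is known before anything is rendered. The two sample responses are transcribed from the captures above; the User-Agent string is an arbitrary placeholder.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def redirect_target(raw_response):
    """Parse raw HTTP response text and return (status, location).  location is
    None unless the status is a redirect and a Location header is present."""
    head = raw_response.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only: values may contain ':'
        if name.strip().lower() == "location":
            location = value.strip()
    return status, (location if status in REDIRECTS else None)

def unmask(url, max_hops=5):
    """Resolve a shortened URL one hop at a time, never executing a body,
    and return the full chain of URLs.  Needs network access, so it is not
    exercised offline."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=10)
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers={"User-Agent": "unmask-example"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in REDIRECTS or not location:
            break
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    return chain

# The two captures above, transcribed as sample input.
TINYURL_RESPONSE = """\
HTTP/1.0 301 Moved Permanently
Location: http://netscantools.blogspot.com/2011/01/addressing-confusion.html
X-tiny: cache 0.00097513198852539
Content-type: text/html
Content-Length: 0
Connection: close
Date: Fri, 07 Jan 2011 06:05:40 GMT
Server: TinyURL/1.6

"""
BITLY_RESPONSE = """\
HTTP/1.1 301 Moved
Server: nginx/0.7.67
Date: Fri, 07 Jan 2011 06:06:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: _bit=4d26ad49-003c1-00673-b3a08fa8;domain=.bit.ly;expires=Wed Jul 6 02:06:01 2011;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://www.us-cert.gov/current/index.html#apple_releases_mac_os_x4
MIME-Version: 1.0
Content-Length: 328

<html>...body containing the same link, omitted...</html>
"""
```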

Be careful!

NetScanTools LE 1.40 Released Jan 6, 2011

This release was posted around noon today and it includes the following changes:

-Notes field can now accept much more information than in previous versions.
-Packet Capture now parses spanning tree protocol, hp switch protocol and makes sure WinPcap uses the interface IPv4 address in the event that IPv6 is also enabled on the computer.
-Updated left panel control icon images.
-Updated dates to 2011.
-Updated SQLite DLL to version 3.7.4.0.
-Updated database files.

You can find it at http://www.netscantools-le.com/ or if you already have the program, click on Help/check for new version.

Wednesday, January 5, 2011

Addressing Confusion

In my December 2010 newsletter I talked about NetScanTools Pro 10.98.1 on Windows 7 64-bit. I talked about how the change to the manifest from 'require administrator' (which did not allow unelevated use on a User privileges account) to 'asInvoker' allowed User privileges accounts to run NetScanTools Pro without logging in as an administrator -- some business installations only allow user level privs for their employees. But the byproduct of that change was to disallow writing to HKEY_LOCAL_MACHINE (HKLM) on Windows 7-64 and possibly Vista as well. For security reasons, UAC only allows read-only privileges in HKLM when you are not an administrator process. The process (i.e. NetScanTools Pro) must have elevated privs to administrator for UAC to allow writing to that part of the registry.

NetScanTools Pro 10 only writes to one specific portion of HKLM, and it only does that when you complete your registration (Validate and Save) or if you change your Maintenance Plan expiration date or Email Address using About/Edit Maintenance Plan. If you try that on Windows 7-64 with normal administrator or user privs, you get an error that it cannot write to the registry. It does not write to HKLM in the normal course of program operation; routine registry writes go to HKEY_CURRENT_USER (HKCU).

The next release 10.98.2 will address this by giving a much more descriptive message explaining that in order to complete the task, you have to exit and restart with 'run as administrator'. It will also have some other changes to address some things we recently learned about the SNMP toolset.

We are working on 10.98.2 and should have it done shortly.