New Version 13 available

Version 13 of NetworkToolbox is available

The main focus for Version 13 was not just compatibility but also taking advantage of iOS 13. There was a lot of coding necessary under the hood, but here are the main features of this version:

  • iOS 13 Dark Mode compatibility
  • Support for new iOS 13 UI elements (e.g. pulling down the Help screen)
  • New NFC Reader. New NFC Tags can also be written (iOS 13 required)
  • Improved Bonjour Tool
  • Improved advanced Scanning (now turned back on per default)
  • Fonts will now not just be listed but also displayed
  • Improved IP Geolocation detection
  • The Pi-Hole tool now shows the IP Address if the Network Name is not available
  • The Pi-Hole tool now supports a filter
  • Updated MAC Database
  • Added SHA256 Hash to the Base64 Tool
  • A new Tool Two-Tone has been added
  • The Tool Pwned had to be removed (see below for details)

Besides several UI improvements, there are two highlights: the new NFC Reader and Writer, which allows writing to NDEF NFC Tags, and the new Bonjour Tool and advanced Scanning improvements.

New NFC Reader / Writer

Apple has opened their API for improved NFC Tag reading and also writing in iOS 13. For implementing the new NFC Features I bought several different types of Tags for testing. Such Tags are available as Stickers, small or large, and as Credit-Card size cards.

Using and writing such Tags is quite funny and could even be useful. For instance you can write a website link to a Tag and whenever you get close to the Tag with your iPhone (even without using my App), you will be prompted to open the website. This even works with a phone number if you write something like ‘tel:1234’ to the Tag.

There are several different NFC standards available but I was able to read and write at least NDEF Standard Tags. What can’t be read are still Credit-Cards or Passports even though it’s technically possible but App Developers need to get permission from Apple to be able to develop Apps that can read such Tags as well. I did not apply for this because I doubt that Apple will give me permission.
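
What ends up on the Tag in the website-link and ‘tel:1234’ cases above is an NDEF URI record, in which the scheme is abbreviated to a one-byte prefix code. The following Python sketch is an added example, not code from NetworkToolbox: it builds such a record and decodes a constructed two-record tag dump back to the full URIs a phone would act on. The function names, the sample bytes and the reduced prefix table are assumptions of this example.

```python
"""Decode and build NDEF URI records (NFC Forum well-known type "U")."""

# URI identifier codes: a subset of the NFC Forum URI record table.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# Constructed sample: one NDEF message holding two short URI records.
SAMPLE_TAG = (
    bytes([0x91, 0x01, 0x0C, 0x55, 0x02]) + b"example.com"   # https://www.example.com
    + bytes([0x51, 0x01, 0x05, 0x55, 0x05]) + b"1234"        # tel:1234
)


def encode_uri_record(uri: str) -> bytes:
    """Build a single-record NDEF message for `uri` (short record, no ID)."""
    # Pick the longest prefix that matches; code 0x00 (no prefix) always matches.
    code, prefix = max(
        ((c, p) for c, p in URI_PREFIXES.items() if uri.startswith(p)),
        key=lambda cp: len(cp[1]),
    )
    payload = bytes([code]) + uri[len(prefix):].encode("utf-8")
    if len(payload) > 255:
        raise ValueError("URI too long for a short record")
    # 0xD1 = MB | ME | SR with TNF 0x01 (well-known); type length 1; type "U".
    return bytes([0xD1, 0x01, len(payload), 0x55]) + payload


def parse_ndef_message(data: bytes):
    """Return [(tnf, type, payload), ...]; raise ValueError on truncated data."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated NDEF record")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    records = []
    while pos < len(data):
        header = take(1)[0]
        type_len = take(1)[0]
        # SR bit (0x10): 1-byte payload length, otherwise 4 bytes big-endian.
        payload_len = take(1)[0] if header & 0x10 else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if header & 0x08 else 0   # IL bit: ID field present
        rec_type = take(type_len)
        take(id_len)                                   # record ID is not needed here
        records.append((header & 0x07, rec_type, take(payload_len)))
        if header & 0x40:                              # ME bit: last record
            break
    return records


def uris_on_tag(data: bytes):
    """Expand every URI record on the tag to its full URI."""
    uris = []
    for tnf, rec_type, payload in parse_ndef_message(data):
        if tnf == 0x01 and rec_type == b"U" and payload:
            # Codes outside the subset above are shown as a marker, not guessed.
            prefix = URI_PREFIXES.get(payload[0], f"<prefix 0x{payload[0]:02x}>")
            uris.append(prefix + payload[1:].decode("utf-8", errors="replace"))
    return uris


if __name__ == "__main__":
    for uri in uris_on_tag(SAMPLE_TAG):
        print(uri)
```

Decoding a Tag this way before tapping it with a phone shows the complete target, including the scheme that the prefix byte hides.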

Bonjour and Advanced Scanning

iOS 13 also adds some more networking and background processing features. This allowed me to completely re-write the Bonjour implementation and advanced scanning feature.

This way, you will now see way more information when performing a Network Scan or even when looking up IP Addresses from within other Tools (e.g. even the Pi-Hole Tool).

Since some networks were causing problems in the past when “Advanced-Scanning” was turned on, I changed it to be off by default.

I have changed this now back to on by default but if you are experiencing issues (e.g. unintentional crashes or freezes), please try to turn advanced scanning off (either in the settings or in the Network scan tool).

Had to remove the pwned tool

Unfortunately, I had to remove the “Have I been pwned” Tool. This tool used to use an API offered by Troy Hunt. This API had been misused by others so Troy had to remove free and public access to the API. However, you can still check your Email address on his website for free and I really recommend using this from time to time.

iOS 13 caveats

As this version is now compatible with iOS 13 and even takes advantage of several new APIs and features of iOS 13, there are two disadvantages. One is that the SSID and BSSID are no longer available for display in the Devices Tool. Apple has removed that information, like other information in the past, for privacy reasons. This is debatable because there is additional privacy-related information still available to Apps, and both SSID and BSSID can still be displayed from the Settings App or Apple’s Tools. However, it’s positive in general that Apple cares for privacy and it’s not such a big disadvantage. Another, also minor, drawback of this update is that it now requires at least iOS 11 and no longer iOS 10 as the previous version did.

I hope you enjoy this update. Let me know if you are experiencing issues or have feature suggestions.

Stay safe!



Best security and privacy solution

I am wondering, how many of you are already using a Pi-hole server or have installed a Pi-hole server as described in a previous blog here.

For those, who have not or don’t want to read my TL/DR, here is a quick summary:

  • Pi-hole is a solution that dramatically reduces spying of your privacy and security
  • It blocks Ads on your network
  • It works on any network for any PC (Mac or Windows) and even all Apps on your mobile devices
  • It helps to see what's going on on your network
  • It is easy to install without much network expertise
  • It just needs to be attached to your network with a regular network cable
  • It is free, OpenSource and you only need a small cheap ($ 40) Raspberry-Pi mini computer
  • It speeds up internet access
  • You can easily block unwanted connections or traffic
  • If there is any issue, it's easy to revert back
  • It is supported by NetworkToolbox

There are other solutions available with higher costs, even recurring costs but they are not better.

I personally don’t want to miss Pi-hole anymore.

So again, let me know what you think. Are you as happy about Pi-hole as I am ? Or do you think you don’t need it ? Or is it too complicated to install or is my instruction too complicated ? Or don’t you trust the Pi-hole guys?

Just drop me a mail using the form on my website or use the support button inside the App.

Keep safe,

and don’t trust the evil.



What a drama !

Yesterday, soon after the 12.9.3 update was finally released by Apple after several days and some unfortunate discussions about HealthKit and the Sensor Tool, I received reports from users where the App didn’t start anymore after downloading the update.

By that time, I had no idea why this happens since many users reported successful installations and also my testing on several devices and different iOS Versions didn’t reveal any issues.

Around 9pm it got obvious that at least several, but not all, older iOS Versions before and until 12.1 were affected. On the iOS Simulator, where I usually test everything on different iOS Versions, everything was fine.

So I started looking into my drawer to find an iPhone or iPad with an old enough but not too old iOS Version and finally found an iPhone 6 plus with iOS 12.1. After charging the completely empty device, I luckily was able to reproduce this issue.

Usually, once it’s possible to reproduce an issue it is immediately solved but not in this case. The App didn’t even start so there was no chance for debugging. It was clear that it has to do with Swift (the development language) because a certain Swift library could not be loaded. I was wondering if older iOS Versions didn’t support the version of Swift but that should not be an issue.

I tried everything like removing code that I recently added, restored and tried older code etc., nothing helped.

Then I tried to run the latest update of my Electronic Toolbox App on that iPhone 6 plus because Electronic Toolbox has received similar changes recently and to my surprise (and relief) it ran.

So I started looking for differences and after some time, I found the reason. It was a minor compiler setting out of hundreds of other settings which was the root cause. This setting will normally never be touched by a developer since it’s set correctly by the Development environment automatically. For some reason it was now set in a way to let the App crash on older iOS Versions. It even has nothing to do with the error or with iOS Versions. However, once I changed that setting, the App ran on the iOS 12.1 device.

Around 2am I sent another Update to Apple. After that, I contacted Apple and explained the situation and asked for an expedite review.

This morning at 11:30am Apple indeed started their review but…

..rejected the App and claimed that it is marked as App that uses Bluetooth LE but the App is no Bluetooth LE App. I was able to sort this out with Apple and on 11:52am they released the update 12.9.5.

Sorry guys for this issue and the trouble you have had and thanks for your patience. Thanks also to Apple for their quick response.

To be honest, I don’t need that every day.



New Version 12.9.3 is available

Finally, the new Version, which is now 12.9.3 is available.

Unfortunately, Apple left me no other choice than to remove the Sensors feature of the Device Tool. Even though this has had nothing to do with Networking, I found this feature quite nice and it took some time to get developed – anyways, there are more important things so let’s tick this matter off.

As previously posted, this update is again a larger update with many improvements and new Tools.

There were a couple of changes necessary for preparation to the next iOS Version. Also, major parts of the App have been re-coded in the newest Swift development language.


But more important for you are the following improvements:

  • Improved VPN Support
  • Improved Bonjour Tool (now also displays readable Service names)
  • Under Device -> System, more information about the current Model
  • Improved Network Neighbor Tool

The Network scanning engine has again been further improved:

  • Additional scanning methods to find ‘hidden’ devices
  • You can now select Quick scanning for a faster (even though less deep) scan
  • Advanced scanning will reveal more information about devices

New Tools

And finally, there are four new Tools.

New Info Tool

This Tool provides tables with network related information:

  • List of Ports and their services
  • List of HTTP Status codes and their meaning
  • HTML Tags
  • Bonjour Services and descriptions
  • URL Encoding Characters for Windows-1253 and UTF-8
  • Common User Agents
Server Check

This Tool can be used to check a Web-Server for leaked information or unintentionally exposed files or content.

Due to wrong configurations, bugs or security issues on the Web-Server, a Server may expose information or files that should normally not be exposed. Such information may help Hackers to break into the system or even steal confidential data.

This Tool reveals such issues.


This Tool can be used to find information which was unintentionally indexed by Google.

It offers pre-defined Google Dork queries, also known as “Google Hacking” and conveniently collects the results for further investigation.

This Tool interfaces to your Pi-hole Server, if available.

This way, you can use the App to further analyze DNS queries made on your network. This can now also be used to replace the former connections tool because it is also possible to analyze iPhone or iPad App communication.

Best of all, this Tool can replace the former Connections Tool.


I hope you will enjoy this update!

I am especially glad to provide the Pi-hole Tool. I am using it every day. Of course, you will have to setup your own Pi-hole server but don’t be scared, that’s quite easy and once that’s done, you will be amazed about the improved security on your network and all the Ads which are gone, instantly. I have created a small documentation on how to setup a Pi-hole server on a cheap Raspberry Pi here.

If you like my App, please let others know and don’t forget to leave a review. That helps! – Thank you!

If you have issues, ideas, suggestions, please contact me. I want to know about it. Ideally, for this, use the Support button or the Form on my Website.

Stay safe and … don’t trust the evil.

Best regards,


Block everything evil using Pi-hole

Until recently I was using my own solution to block Trackers, Ads and other unwanted network traffic. My solution works pretty well for years. Now I have replaced it by Pi-hole which is an open-source software which can run nicely on a cheap Raspberry Pi.


Pi-hole is easy to install, easy to use and offers a great user interface that gives you a great overview of what’s going on on your network and easy black- and whitelist maintenance.

Pi-hole also offers an API which will be integrated in NetworkToolbox soon.

I have created a small tutorial on how to install Pi-Hole on a Raspberry Pi.

Office 365 private data collection

Microsoft has not yet learned their lessons. They still can’t stop collecting private data whenever they can.

I am using Office 365 for several years and reasons (lack of alternatives). Office 365 will be updated in the background and often I didn’t notice that it has been updated a couple of times.

With one of these latest updates, Microsoft seemed to have added some new features (from their point of view).

They have added features that are “analyzing my content“. When I read this, I had to read it twice because I couldn’t believe what I read:


You will find this option (intentionally hidden) as follows:

  • Start Word
  • On the left side at the bottom of the screen select Options
  • On the new screen select “Trust Center”
  • Click on “Trust Center Settings…”
  • Select “Privacy Options”
  • Click on “Privacy Settings”

(quite hidden, isn’t it?)

Now, it’s up to you to keep everything enabled or disable everything – which is what I did.

But be aware: Microsoft will strip down the functionality once you do that (see the yellow box below the setting) and I was wondering if I will get some money back due to the fact that they remove features they were advertising – probably not.

Don’t trust the evil!



WiFi Finder App collected WiFi Passwords

I still get requests from users to add a WiFi scanning tool to my App. My Answer is always that this is not possible for any App because Apple restricts access to the WiFi interface – which is good. (See also wifi-scanning)

What could happen if unrestricted access to the WiFi interface were possible was shown recently by an incident on Android.

A quite popular “WiFi Finder” app has collected private WiFi passwords. Those Passwords were stored as plain text along with SSID and Geolocation on a server maintained by the Chinese App developer. Even worse, that information was left exposed and unprotected, allowing anyone to access and download the contents in bulk.

The App has already been banned from the Google Play Store and the Server was shut down.

Don’t trust the evil!

Best regards,


Update 12.2.1 available

Update 12.2.1 is basically a maintenance update.

  • A few bugs and crashes were fixed (thanks for reporting these issues)
  • The network scanning engine has been further improved (it is now faster than ever and finds previously hidden devices)
  • The SMB Tool can now be used to upload and delete files
  • The MAC Database has been updated

The next update will bring new Tools.

Thanks for your great support!

Best regards,


New version 12.1.1. available


Update 12.1.1 of NetworkToolbox is available. This will be the final update for this year and more is to come next year.

Before talking about this update, I would like to announce a link to the NetworkToolbox Post Archive:

Here, you can easily find older Posts which are still valid (like the “Wifi Scanning” or “iOS 11 and MAC Addresses” posts)  but, as I found, it is sometimes difficult to find older Posts either in the News Section of the App or the Website Blog.

Version 12.1.1

Among some other smaller changes and fixes, here are two highlights of this update:

1.) Improved Import/Export

You can now Export lists from various scanning Tools.

Also, you can now export the Password and Devices Lists, edit them with your preferred Software like Numbers on your Device or Mac or Excel on your PC. These files can then be Imported back to the App.

Along with this, the “Add to Custom Devices” functionality in Network Scan has also been improved so it’s now easier to maintain the missing MAC Addresses and custom names manually.

Details are explained in the Manual.

2.) New Batch Tool

This new Tool can be used to perform actions like Ping, Port-Scan, Deep-Scan etc. over a list of Addresses.

The addresses for this new Batch Tool can be collected from other Tools (Menu -> Add to Batch).

You can also import Address lists to this Batch tool from csv files maintained in Numbers or Excel.

Lists and results can be exported back to CSV files.

Also this Tool is explained more in detail in the Manual.


Thank you for 2018!

Finally, I like to thank you for a fantastic 2018 with NetworkToolbox. Thanks to your feedback and suggestions, I added several new Tools and features this year and of course was able to fix some bugs which may happen even after in-depth testing.

Thanks again and to all of you all the best for 2018!

Don’t trust the evil.


Spyware detection and dial codes

Before talking about Spyware detection, a few words about Spyware in general.

If you are using at least iOS 10, Spyware can only be installed on Apple devices by somebody having physical access to the device and it requires quite some time to install the Spyware and requires the device to be jailbroken. The newest iOS Version (at the time of this writing it’s iOS 12.1) can not be jailbroken at all.

There are other Spying possibilities e.g. based on iCloud Access but that’s another subject and simply changing the App ID password will prevent that.

So if you are using iOS 12.1 you can ignore the following because there can’t be Spyware on your device.

I have already written about how to detect if your device is jailbroken but again, that’s impossible if using iOS 12.1 but here are some additional tests which can easily be performed:

1.) Dial Codes

Some Spyware programs are using dial codes, to open the Spyware user interface. The following list contains known dial codes of the most common spyware software:

*#900900900 Opens the FlexiSpy uninstall Menu
*00# Opens the mSpy User Interface
*123456789# Opens the MobileSpy Menu

(The last one is only known to be available on Android but it would not harm to try the code)

For trying these codes, just open the Phone App and type in the code combination and hit the dial key. If nothing happens or you get a “not available” message, all is good – at least regarding these Spyware programs.

2.) Browser History

If somebody installed Spyware on your device, he or she might have been in a rush and forgot to delete the browser history so you can try the following:

Open Safari, tap on the book Icon then tap on the watch Icon to see the browser history. Here look for one of the following addresses:

Next, open Settings -> Safari -> Advanced -> Website Data and also look for the same addresses there.

If you can find one of these addresses, at least somebody (maybe you) visited these websites which usually will be needed when installing one of these Spyware programs.

Other Dial Codes

While talking about dial codes and even though most of you will know the following, just in case, here are some additional dial codes for other purposes:


Will show your IMEI number. (The International Mobile station Equipment Identity number is a number used to identify a device that uses terrestrial cellular networks)


This is the so called “Field Test” which provides information about cell signal, including more precise reception reading.

*67 followed by a phone number
#31# followed by a phone number

Hides your phone number to the call destination


Enable call waiting


Disable call waiting.

Call waiting is the feature that allows you to hear another incoming call when you’re already on active phone call, often referred to as a ‘beep’. Turning off Call waiting means that incoming callers will be sent directly to voicemail if you’re actively on any call with the iPhone.

Stay safe,


New Version 12 available

A few minor adjustments for the new iPhone Models XR, XS / Max and iOS 12 were necessary.

These adjustments are included in Version 12 of NetworkToolbox which will be available later today.

Even though Apple increased security of iOS 12 by restricting some more APIs, I was able to keep the functionality of the App by using some (official!) workarounds.

This App update also fixes a bug in the Health check tool, where the Ping feature didn’t work anymore after the last update.

Also, the WiFi BSSID Vendor name will now be displayed in the Device tool, if it can be revealed.

Some other reported minor bugs were also fixed of course.

Stay secure!

Best regards,


New Version 11.5.5. available today

Today, another update (Version 11.5.5) is available containing these changes:

  • The Ping tool now offers the possibility to enter TTL and packet size
  • The telnet (Socket) tool can now also directly be used to test passwords

New tools:

  • new ARP / NDP Network neighborhood tool

This tool displays the contents of the so-called ARP Table (for IPv4) or NDP Table (for IPv6).

These tables provide information about devices (IP Addresses) on your network that have once been seen or are still communicating with your device.

For this reason, this Net Neighbor tool is a valuable addition to a Network Scan.

A Network Scan always lists all devices that can currently be reached. It is basically a snapshot of the current network situation.

Some devices might be missing from a Network Scan because they were not actually ‘reachable’ at the time of the scan. Or they may have been woken up by the scan only slowly and had not yet responded to the connection request.

Such devices can be found with the Net Neighbors tool.
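
The comparison described above can be reproduced on any machine that exposes its neighbor table. This Python sketch is an added example, not part of NetworkToolbox: it assumes the text format printed by `ip neigh show` on Linux, uses constructed sample data and hypothetical function names, and lists neighbors that have a resolved hardware address but did not answer the scan.

```python
"""Find devices present in the ARP/NDP neighbor table but absent from a scan."""
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample in the format of `ip neigh show` (IPv4 ARP and IPv6 NDP).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.40 dev eth0  FAILED
192.168.1.57 dev eth0 lladdr 02:00:00:00:00:57 DELAY
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router STALE
192.168.1.99 dev eth0  INCOMPLETE
"""

# Constructed sample: addresses that answered the active network scan.
SAMPLE_SCAN_HITS = {"192.168.1.1", "192.168.1.57"}


class Neighbor(NamedTuple):
    ip: str
    dev: str
    mac: Optional[str]
    state: str


def parse_neighbors(text: str):
    """Parse `ip neigh show` lines; lines without a valid address are skipped."""
    neighbors = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        try:
            ip = ipaddress.ip_address(tok[0])
        except ValueError:
            continue

        def after(key):
            # Value following a keyword such as "dev" or "lladdr", if present.
            return tok[tok.index(key) + 1] if key in tok[:-1] else None

        neighbors.append(Neighbor(str(ip), after("dev") or "", after("lladdr"), tok[-1]))
    return neighbors


def missed_by_scan(neighbors, scan_hits):
    """Neighbors with a resolved MAC address that the scan did not report.

    FAILED and INCOMPLETE entries never resolved to a hardware address, so
    they are not evidence of a device and are left out.
    """
    seen = {str(ipaddress.ip_address(h)) for h in scan_hits}
    missed = [
        n for n in neighbors
        if n.mac and n.state not in ("FAILED", "INCOMPLETE") and n.ip not in seen
    ]

    def order(n):
        addr = ipaddress.ip_address(n.ip)
        return (addr.version, int(addr))   # IPv4 first, then numeric order

    return sorted(missed, key=order)


if __name__ == "__main__":
    for n in missed_by_scan(parse_neighbors(SAMPLE_NEIGH), SAMPLE_SCAN_HITS):
        print(f"{n.ip:15} {n.mac} {n.state} (in neighbor table, not in scan)")
```

A STALE entry is exactly the "once seen" case: the address was resolved earlier but has not been confirmed recently, which is why an active scan can miss it.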

  • new Routing Table tool

The Routing tool was previously integrated (slightly hidden) inside the Devices tool but is now available as separate tool with additional features and information.

Like the new ARP / NDP tool, separate tables for IPv4 and IPv6 addresses, ordering by network interface and detailed routing information are provided.


Dear users,

these changes and improvements have been implemented upon your requests and suggestions and I was happy to be able to implement these features for you for free. There are several additional ideas and requests on my list and I am continuously working on them so you can expect further updates, like usual.

Most of the time I receive your requests and ideas by using the Support / Feature request button from inside the App. This is perfect and that’s the best option for me and for you. Alternatively, you can use the Form on the website.

Sometimes (to my surprise sometimes once per month), I receive suggestions or questions using the website form where the author had a typo in the Mail address. My usual response then results in an error – which is not nice. This issue can be prevented by using the Support button.

But moreover, I sometimes (still!) see suggestions or questions in App reviews. Even though it’s now possible to add a developer response message to the review, it’s quite difficult to communicate this way. So please, if you have a suggestion, question and especially if you think you discovered a bug, please please use the support button and let me know.

Thanks a lot!



New App Version 11.5.4 available

On Friday, the long awaited and overdue update will be available.

This is again a larger update with many improvements, new Tools and fixes:


The Devices Tool has been completely rewritten

  • It provides more and individual information about Wifi, Cell, Lan and VPN connections
  • Hardware information about Capture Devices (e.g. Cameras) added
  • Information about Maximum Frame Rate added
  • URL Cache can now be Cleared
  • Cookies can now be Cleared
  • Detailed information about Clipboard content added
  • Information about all installed Fonts added

Local Files Tool

  • This tool now fully integrates into Apple’s Filesharing feature. Now, downloaded files or files that should be uploaded can also be accessed from the iOS Files Tool.

Health Check Tool

  • A new test has been added to perform a simple connection test

Other minor changes

  • The App also includes several improvements for the iPhone X and iPhone x plus devices.
  • Necessary changes for iOS 11.4.1
  • The Icon size can now be changed even smaller (Settings -> Appearance -> Icon size)
  • The HTTP Tool can now also display structured JSON data
  • Further improved Network and Port Scanning
  • The Resources section has been updated (please have a look)

New Tools:

New Base Conversion Tool

  • Encode / Decode Base64 or Hex data

Have I been pwned

  • This Tool uses the HIBP API to check if an Email address has been compromised

Lan Cable support

And finally, the App now supports the Redpark L5-Net Ethernet Cable which is a very nice solution to connect the App to a cabled network and do in-depth analysis without WiFi or Cell.

You can read more about the Cable on my Blog Redpark LAN Cable for NetworkToolbox or in the News section of NetworkToolbox.

The manual has already been updated for the new version so if you can’t wait and want to get more details about the changes, just have a look to the manual.

PLEASE NOTE: All new Tools will be added to the end of the Icons. This way, you can see what’s new. If you want to have them sorted using the default order, just go to Settings -> Appearance -> Organizer -> […] and select Reset to defaults.

I hope you will enjoy this new update but as always, I am already working on the next update.

Please, don’t forget to write or update your review.

Best regards,


Redpark LAN cable for NetworkToolbox

NetworkToolbox uses the available interfaces (WiFi or Cell) to connect to the Internet or your local Network. Sometimes, you may want to physically connect a cable from your iPad or iPhone to a certain network device. In this case, you can use a solution I proposed in 2016 here in my post NetworkToolbox with wired Ethernet connection.

This solution uses an official Apple USB Network Adapter along with Apple’s USB to Lightning connector. The disadvantage of this solution is, that the USB to Lightning connector needs to be powered because otherwise the USB Network Adapter won’t work.

I am in close contact to Redpark for several years now. They are providing fantastic Adapters. Now, just recently they introduced a new Ethernet Cable for iPad and iPhone called L5-NET. This Adapter is better than the previously proposed solution with Apple Adapters because it’s way cheaper and because, and that’s the most important point, it doesn’t require additional powering. It can just be plugged into the Lightning socket of your device and the other end offers a plain regular network Plug.


Version 11.5 of NetworkToolbox now directly supports this cable. It now shows when the cable is plugged in and what IP Addresses are assigned to it.

Now, you can attach your device, wherever you are, to a local LAN and perform security checks directly using my App.

If you connect the cable to your iPhone or iPad, this cable is being recognized by iOS but you never know if iOS already uses the LAN Cable and its connection as default network device. Ideally, switch off WiFi and Cell if you want to be certain that the cable is used.

Now, you can also use NetworkToolbox to find out if this is the case. Just head to the Device Tool, select Network and you can see which Network interfaces are still enabled and which one is used as default interface.

Venmo and the Web-Service Tool of my App

Venmo (about 1.5 million users) allows people to send payments to other Venmo accounts. Venmo belongs to PayPal and is quite popular in the US, especially among young people. The Venmo service has lacked essential security safeguards for some time, and still does. Most of Venmo’s accounts can be freely accessed via a Web-Service by anybody. It is completely unprotected. The information available from this Web-Service includes very private and intimate data including chat messages, pictures and payment information. Venmo doesn’t see this as an issue because their users have the possibility to opt out of data sharing with the public, but most users are not aware of that.

Now, back to my App:

NetworkToolbox contains a Web-Service Tool and this Venmo security issue is a very nice example on how to use this Tool.

We know that the so called ‘endpoint’ for the Venmo Web-Service is (where x is the number of accounts you like to receive).

To use this Web-Service, we first, open the Web-Service Tool and tap on the [=] button in the ‘Service:’ line.

On the following screen, we enter as URL for the Endpoint. Next we enter /api/v5/public?limit=20 in the URL Parameter field and hit the check-mark button to save and close this screen.


Next, back on the main page of the tool, we enter 443 for port as this is a https:// connection.


Next, we hit the Get button and will see the following results:


So we have 20 data-sets as to be expected because of the limit=20 parameter. When tapping on the data line, you will see the details of these data-sets:


And when drilling further down you will see details about the person behind this account:


Including their picture:


Don’t trust the evil.


P.S. A new update for my App will be available soon. Today I am finishing the tests, fix a few things that were reported from Beta testers (Thank you!!!) and once that’s done, I will send this update to Apple. This was indeed overdue.

P.P.S. My “Don’t trust the evil” signature was derived from Google’s “Don’t be evil”. As Google (aka Alphabet) now removed its slogan (probably for a reason) I wonder if I should find a new one as well ? – maybe not as this term still remains true whereas Google’s slogan was wrong all the time.

New Windows update 1803

Some of you may have already updated to the newest Windows version 1803. In general, it is always good to update to any latest version of any Operating System or other software update because this is the only chance to stay up to date with security patches. So if you have not already updated, it’s better to do it sooner rather than later.

However, here is what I would recommend to do after installing the update:

1.) Check your privacy settings (again)

Unfortunately, with every update, MS introduces new features where privacy is turned off per default. Even worse, sometimes your privacy settings of a previous version will be disregarded and need to be enabled again.

So this 1803 update is a good opportunity to review your privacy settings again. For this, just press the Windows Key and S simultaneously and enter the term privacy in the Cortana search field of Windows.  Next, select Privacy Settings. I usually turn off almost everything.

Just go through the permissions on the left side of the screen and decide whether or not you want to enable certain permissions on the right side. Please note: often, you have to scroll on both sides (permissions and settings) and some delicate settings are only available after scrolling. I am wondering if Microsoft had a reason for that.

2.) Cortana Web Search

I use Cortana Search quite often, as described above. However, I use my favorite browser and search engine to search the web. I usually don’t like Cortana to search the web when entering a search term in the search field of Windows. Not just that Microsoft then knows what I am searching for, it’s also cumbersome to pick the right findings in the search results of Cortana if it’s mixed with web searches.

The Registry settings I was using in the past to disable this web searching behavior have changed. To disable web searching, now follow these steps:

  • Open regedit (press Windows+R and enter regedit)
  • Drill down to the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search
  • Here, create a new 32-Bit DWORD entry called BingSearchEnabled with a value of 0
  • Next, create another 32-Bit DWORD entry called CortanaConsent also with a value of 0
  • After a restart, searches will only be performed locally

To change this back to normal, just delete these two registry entries.

Don’t trust the evil,

stay secure!





Getting information about an IP Address

A dear user came up with a question and I would like to share my answer with you as you might have the same question.

The question was, why is the IP Address (e.g. 1.2.3.4) not working in the Whois tool and why is this IP Address converted to 3.4?

Short Answer: The Whois Tool requires a base domain name and not an IP Address.

But why is 1.2.3.4 converted to 3.4?

TL;DR: When entering 1.2.3.4, the Tool assumes 1.2.3.4 is a domain name with 1.2. being a subdomain of domain 3 with TLD 4. For your convenience and because Whois queries require a base domain without subdomains, it strips the subdomain part (1.2.) from what has been entered.

So far so good.

But why can’t this Tool simply resolve an entered IP Address automatically and use the resolved domain for the query? The reason is that an IP Address could host many domains and not just one.
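The stripping described above, next to an input check that recognises IP addresses before any label stripping happens. This is an added example, not code from NetworkToolbox; the function names are hypothetical, and taking the last two labels as the base domain is a simplification (suffixes such as co.uk need the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit


def naive_base_domain(text):
    """Behaviour described in the post: keep only the last two labels."""
    labels = text.strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _as_ip(candidate):
    """Return the canonical IP string, or None if candidate is not an IP."""
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def classify_lookup_input(text):
    """Return ("ip", address) or ("domain", base_domain) for a lookup field.

    An "ip" result should go to a tool that works on addresses (reverse DNS,
    certificates), a "domain" result to the domain Whois query.
    """
    text = text.strip()

    # 1. Bare IPv4/IPv6 literal, with or without [brackets].
    ip = _as_ip(text.strip("[]"))
    if ip:
        return ("ip", ip)

    # 2. Pasted URL or host:port. urlsplit only parses a host after "//".
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    ip = _as_ip(host)
    if ip:
        return ("ip", ip)

    # 3. Otherwise it must be a host name. A purely numeric last label is
    #    never a TLD, so "1.2.3" is a malformed address, not a domain.
    labels = [label for label in host.rstrip(".").split(".") if label]
    if len(labels) < 2 or labels[-1].isdigit():
        raise ValueError(f"neither an IP address nor a domain name: {text!r}")

    # Assumption: base domain = last two labels (see lead-in).
    return ("domain", ".".join(labels[-2:]))


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["1.2.3.4", "1.2.3.4:80", "[2001:db8::1]",
                   "https://www.example.com:8443/login", "mail.example.org."]:
        print(f"{sample!r:40} naive={naive_base_domain(sample)!r:20} "
              f"checked={classify_lookup_input(sample)}")
```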

So what is the best way to find out more about an IP Address ?

There are basically two options in my App:

1.) The (I) Inspect Tool

First, you can try the (i) Inspect Tool. This Tool is quite powerful and provides a lot of information about any IP Address available on the network such as Domain, Reverse Domain, Provider and DNS Records – if available. From here, you can tap on the […] button and perform a Whois for each discovered Domain.

2.) The Certificates Tool

I mentioned this option a few times before, but it is still often forgotten or underestimated. This Tool looks for any certificate available on the given IP Address. If it finds a certificate, it decodes the content and displays the result. The result reveals domain names running on that IP Address.

Below is an example for IP Address

First, the results of the (i) Inspect Tool:

[Screenshot: Inspect Tool results]

Second, the results of the Certificates Tool:

[Screenshot: Certificates Tool results]

So you can see, there is a lot of information that can be revealed from a single IP Address using my App.

To all of you celebrating Christmas, have a Merry Christmas and all the best for 2018!

Stay safe and secure!

Best Regards,


Version 11.0.5 available

This is my Christmas Update with the following Changes:

  • Couple of bugs fixed in the Devices Tool
  • Now you can also call Wake on LAN from the Devices Tool
  • A few bugs were fixed in the IP Calculation Tool
  • Some Screen layout issues fixed in the Logbook

Some Improvements:

  • You can now clean the “recent lists” without switching to the settings
  • The Speed Test Tool has been improved

And finally, there are now two new Tools:

  • An NFC Tool to scan NFC NDEF Tags (other types are not supported (yet?) by Apple)
  • A Unit Conversion Tool has been added

I still have to update the Manual but I did not want to keep you waiting any longer. The Manual update will follow during the next days.

Thanks for your suggestions and support,



A few words about KRACK

You will have heard about the KRACK (Key Reinstallation Attacks) vulnerability. I think all information (even – as usual – some overhyped and misinterpreted) is available from many sources. If you are interested, I would recommend reading Mathy Vanhoef’s information on his website.

However, here is a summary:

  • The WPA2 WiFi encryption has a weakness that can be used to sniff network traffic
  • Your WPA2 password can not be discovered by this attack, however it is not necessary for sniffing the traffic by using this attack
  • Almost all routers and WiFi Network devices are affected (including iPhones and iPads using the current iOS Versions)
  • This vulnerability can (only) be fixed with updates on both ends, Router AND Client

What to do:

  • Look for updates (for your Router AND your Clients). Throw away devices that can’t be updated.
  • Until updates are installed, avoid using sensitive information (e.g. Banking) on any WiFi device. Better use cabled devices for this.
  • If you really have to, double check if you are indeed using HTTPS while submitting sensitive information. Man-in-the-middle attacks, which are possible by using this vulnerability, will most of the time cause HTTPS connections to end up as HTTP connections in order to capture the traffic.
  • Carefully look out for unusual logins on your accounts or anything else unusual. If in doubt, change passwords for accounts using cabled devices.
  • After everything calms down, take this opportunity to change all your passwords

Don’t trust the evil,




Next update 11.0.3 now available – UPDATE 2

After finishing and submitting my Update, I contacted Apple and asked for an expedited review. Within one hour, Apple reviewed and released the App.

This was probably a world record. A big thank you to Apple!


Unfortunately, there was a bug in the UPnP Scanning engine which was causing the App to crash when there is a ‘misbehaving’ UPnP device.

As this happened in the UPnP Scanning engine which is also used for the new Advanced Scanning feature, the new feature wasn’t working for some of you.

I hope that the new update will now work for you as expected.

To locate and fix this bug, it was very helpful that some of you enabled Crash-log submission in the Settings ( iOS Settings -> Privacy -> Analytics -> enable: Share Analytics as well as Share with App Developer). This way, I was receiving the anonymous crashlog via Apple and was able to analyze the cause. Thank you!

Have a great weekend (at least I will have one now as the update is out),



UPDATE Sunday 1st Oct:

In case some of you are wondering about the availability of the update, Apple currently has major outages. They maintained some of their servers yesterday and now claim that everything should be up and running, but that obviously is not the case. Some support websites are not available and other Apple websites have wrong contents. So much for Apple’s world record of releasing Network Toolbox.

UPDATE Monday 2nd Oct:

Finally, the new update seems to be available after almost two days.

Thanks for your patience.



Version 11 of NetworkToolbox will be available Thursday!

Good news though. The new update will be available Thursday, September the 28th!

I have just updated the manual, for instance the chapters for Network Scanning and the new tools like Whois, DNS and UPnP. So if you want to see what’s coming, just have a look at these manual chapters.

This is what has been changed:


► New WhoIs Lookup Tool (see details about any domain and who has registered it)
► New DNS Tool (query ANY! DNS Server for domains, see records and response times)
► New visual Traceroute (see trace routes on a map)
► New UPnP Tool (see which UPnP devices are noisy on your network)


► Extensive improvements of the Network Scanning engine
► Improved Morpheus Map
► Improved Bonjour Browser
► Terminal and SSH support for Backspace and CR/LF

Bug Fixes:

► Fixed Crash in External Apps Tool
► Special Keyboard Bar is now visible, no longer transparent
► Display of wrong MAC Addresses fixed
► Bug in MAC Database fixed which caused some Vendors not to be found
► Fixed bug in traversal test or Password test where entries already tried were not marked accordingly

As always, this version was again a challenge. Please note, with iOS 11 MAC Addresses can no longer be displayed as the API has been removed by Apple for privacy reasons. However, the vastly improved scanning engine now combines much other information available about any IP Address on your network. This does not just compensate for the missing MAC address. Now you can see as much information as discoverable in one single place. Network scanning has never been easier or more convenient.

As this was again a major update with several weeks of development time, please consider rating my App to keep it rolling.

In case you may find any bug, please let me know, I want to fix it!

Thank YOU!


Keeping you updated

Even though I provided a couple of Data updates, you might be looking forward to my next App update as it was quite some time ago, when I released my last App update.

As mentioned in my previous post, I will wait until iOS 11 has been released and then, shortly after, I will release a new App update.

However, I am happy to let you already know some of the features I have finished so far:

[Screenshot of the upcoming version]

On this screenshot, you will notice two new tools: A DNS tool and a Whois tool. The DNS Tool will allow you to query not just your default DNS Server but any DNS Server. This allows in-depth analysis of possible DNS issues. The Whois tool offers a lot of in-depth information about any domain. Most of this information is presented in a structured form (not as plain text as in some other Apps) so you can further analyze the results, as usual.

Furthermore, not visible on the screenshot, I finally finished developments for a Visual Traceroute tool.

And of course, I already fixed several bugs and added several improvements like support for Backspace and the ability to change the CR – CR/LF type in the terminal tools.

Looking forward to being able to release this Update soon.



☛ NetworkToolbox, iOS 11 and MAC Addresses

Last time, when iOS 10.2 was introduced, the ability for NetworkToolbox to show MAC Addresses was no longer available as Apple had removed access to MAC Addresses due to security concerns and to increase our privacy. (see MAC Addresses are back)

It was a real challenge to find a workaround to be able to show the MAC Address again. My solution still works under iOS 10.3.3.

Now, with iOS 11 knocking at the door, you may wonder if it will still work. The answer is no. Unfortunately. Apple made my workaround unusable again in iOS 11.

I already investigated this again for several days (and nights) but it seems, this time, Apple did a great job. They even fixed some additional (severe) security issues I found last time while I was looking for an alternative to get the MAC Address.

However, the consequence of this on iOS 11 is not only the lack of the ability to show the MAC address. The main disadvantage is that I can no longer display the device Vendor, which is derived from the MAC Address using the internal MAC Database. This is and was very valuable information while scanning a local network as it often helps to identify a device. Unfortunately, this is gone now.

I spoke to two Apple employees. Both told me, that Apple wants to protect users against Developers who misuse the MAC Address to track user activities and they said that this has precedence over the missing feature for my App.

I told them that this is a very good approach with good intentions but even without a MAC Address there are a couple of (even easier) ways to track user activities and, depending on the setup, a MAC Address can even be derived from an IPv6 Address and that there isn’t much Apple can do against it.

I also recommended to add a security setting which could be used to allow/disable MAC Address access similar to camera or microphone access. So users can decide which App should be allowed to have access to the MAC Address.

One of these Apple employees told me that he is using my App quite often and found my statements and suggestions quite reasonable.

I am not sure (I even doubt) that my conversation with Apple will change the situation but maybe if more people (like you) would let Apple know, maybe it will.
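The remark above that, depending on the setup, a MAC Address can be derived from an IPv6 Address refers to hosts that build their address from the MAC using the modified EUI-64 format (RFC 4291, Appendix A). The following added example, which is not code from NetworkToolbox, checks a list of addresses for that pattern so you can see which of your devices expose their MAC this way; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def mac_from_ipv6(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None if the address does not follow that format."""
    # Drop a zone index ("%en0") or prefix length ("/64") if present.
    text = addr.split("%")[0].split("/")[0]
    iid = ipaddress.IPv6Address(text).packed[8:]      # low 64 bits
    # EUI-64 expansion inserts ff:fe between the vendor part (OUI) and
    # the device part of the 48-bit MAC. A random identifier matches this
    # by chance only once in 65536 cases.
    if iid[3:5] != b"\xff\xfe":
        return None
    # The universal/local bit (0x02 in the first octet) is stored inverted.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def link_local_from_mac(mac):
    """Forward direction: the fe80:: address a host derives from its MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address has 6 octets")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def audit(addresses):
    """Map every address to the MAC it exposes (None = nothing exposed)."""
    return {a: mac_from_ipv6(a) for a in addresses}


# Constructed sample data (documentation prefix 2001:db8::/32).
SAMPLE_ADDRESSES = [
    "fe80::21a:2bff:fe3c:4d5e%en0",     # EUI-64 link-local address
    "2001:db8::21a:2bff:fe3c:4d5e",     # same host, global address
    "2001:db8::1c2f:9a41:7be0:55d3",    # randomised (privacy) identifier
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE_ADDRESSES).items():
        print(f"{address:34} -> {mac or 'no MAC exposed'}")
```

Devices that show up with a MAC here are using the older address format; privacy extensions (RFC 4941) or stable opaque identifiers (RFC 7217) replace it with values that do not contain the MAC.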

Nevertheless, here are the plans for my next steps:

  • Shortly after iOS 11 has been released, I will create another Update of NetworkToolbox

(Shortly ‘after’ because I want to create an update based on and for the final iOS 11 version which makes sense as the App already runs just fine on iOS 11 (except for the MAC Address) and thus, wouldn’t require an immediate update)

  • I will give the MAC Address issue another (short!) try but will not waste too much time. Instead, I will polish the Network Scanning tool that it will provide as much usability as possible even without a MAC Address
  • Finally and in addition, that next update will include things, I already worked on (most of them have already been finished).


Thanks for your suggestions, which helped to make this App even better.

Stay tuned,



To Petya or NotPetya

You will have heard about the recent attack on Windows PCs called Petya or NotPetya.

The reason why some people say NotPetya is that it is not a new version of the former Petya malware, even though it looks so.

This one is again (like WannaCry) based on the recently released NSA Tools (see my related post here).

But it is worse than WannaCry and was just built to create chaos and damage on as many systems as possible. The current damage is already massive. I bet you will hear more about it during the next days.

I will not repeat all the rumors about the source or intentions here.

Here is just what I have done and what you should do (sorry, I should rather say “have to do”):

  • BACKUP BACKUP BACKUP (everything you don’t want to lose, your Pictures, Movies, Documents, Source-code, Letters, Tax Statements, Banking Documents etc.)
  • UPDATE UPDATE UPDATE (everything PCs, Routers, NASes, Mobile Devices)
  • Replace or switch off your Windows XP PCs
  • Do this on every Windows PC:
    • Start a command prompt with admin rights (right click on the Windows Icon in the lower left corner and select ‘Command Prompt (Admin)’)
    • And type:

[Image: the commands to type]

These commands will create three files perf, perfc.dll and perfc.dat and will mark them read only. The current version of NotPetya will stop working if these files are found. This is a very simple thing and most likely, a new version of NotPetya will disregard these files. However it doesn’t hurt and has no other side effect.

Finally, if you are already infected, for instance if you see a sudden Checkdisk message trying to repair your hard-drive or anything else unusual:

  • Immediately switch off your PC (even if Checkdisk says you should not)
  • Disconnect your PC from your network
  • Try to boot it stand alone. If this doesn’t work anymore, most likely, your data is lost.
  • Switch off your router / disconnect from the Internet
  • Check your other PCs as you might have a chance that they are not yet infected.


Don’t trust the evil.




NSA Tools available to everybody – Update your PCs. Quick!

As you may have heard, a Group called Shadowbrokers has stolen Hacking tools from the NSA and made them available to the public.

I had a chance to take a look at these tools. A few days ago they already released some tools but those tools were quite outdated and not really harmful if you don’t use an old Windows XP or Vista PC. But these new tools are indeed up-to-date and I was able to use the tools to compromise one of my Windows 10 PCs which hasn’t been updated for a few days. After it was updated with the latest Creators Update from Microsoft including all security updates, that was no longer possible.

The NSA Tools also include tools to disable or hide themselves against all known virus scanners, including Microsoft.

There are rumors that the NSA has informed Microsoft about the fact that their tools were stolen, along with information about the vulnerabilities these tools are using, so Microsoft was able to fix these vulnerabilities. This makes sense as these vulnerabilities have existed for quite some time now and it is interesting that Microsoft created these fixes before Shadowbrokers released the Tools to the public.

About the NSA tools

Some people already asked if these hacking tools are indeed from the NSA or ‘just’ from Hackers. I have seen many similar tools by many developers and of course developed my own. The available tools have been developed in Java, Python and Perl, some are available as binaries.

Even though I found some humor like in the Zippybeer tool which contains an ASCII image like this:

[Image: ASCII art from the Zippybeer tool]

I found the code really really well organized and straightforward. Typical hacker code contains typos, they often don’t really care about code quality and a lot of code I have seen looks really ‘messy’ or even contains messages to other hackers. This code looks excellent, very reliable and foolproof with a lot of try/catch and exception handling to ensure that the tools are doing what they are supposed to do or fail and let the user know why and not leaving a trace. This code hasn’t been developed in a rush and it is indeed professional, just like commercial software. This is why I am pretty sure that it comes from the NSA.

What you need to do

So if you didn’t already, hurry and update your Windows PCs. If you are using older Windows Versions than Windows 10, disconnect them from the internet.

This is not because of the NSA as they may have already (or soon) finished new tools which will still be able to compromise your PC. This is mainly because these NSA tools are now available to the public. They are easy to use and I suspect not only by people with good intentions.

Don’t trust the evil.

Happy Easter.


Major CloudFlare data leak on millions of Websites – and Apps

Normally, you may find your stolen Email addresses and sometimes even stolen passwords in wrong hands because a certain website has been individually compromised – as happened with Adobe, DropBox or Yahoo recently.

Even though the Yahoo breach with more than 500 million affected user accounts sounds like a major breach, a recent CloudFlare data leak has a new dimension.

CloudFlare is a service, used by millions of websites, to improve availability and speed. CloudFlare servers are working between the visitor of a website and the website itself and can be seen as a kind of cache.

What happened was that between September 22nd 2016 and February the 18th 2017, CloudFlare had a bug which caused CloudFlare to respond to the website visitor with memory contents of the CloudFlare servers instead of the contents of the visited website.

These memory contents often contain sensitive data of other websites such as API Keys, security tokens or even internal server and database passwords. Not only may this data contain your personal data; even worse, with this information, the affected website and database can be compromised.

Things got worse as this leaked content has already been indexed by Search Engines like Google over the past Months. The issue with this is, that the data is now (still) available to everybody and can easily be found by using special Search terms. Google and other Search Engines are working on deleting such contents but it will be almost impossible to get rid of all leaked data.

Nick Sweeting provides a zipped list of sites (so far, he found more than 4 million sites) that are using CloudFlare which might be affected by this leak.

Not only Websites but also Apps (iOS and Android) such as FitBit and Uber are affected as they also use CloudFlare for data exchange. Data of such Apps have also been found by searching Google.

So what can you do?

Not much to be honest but you can take this as a gentle reminder to:

  • Change passwords frequently
  • Don’t use one and the same password for different services
  • Use fake accounts and fake Email addresses for registration wherever possible
  • Don’t trust the evil

Best regards,


Online shopping risks – check your store before placing an order!

Happy New Year everyone!

Yesterday, the German BSI warned (again!) about thousands of online stores worldwide which have been infected by online criminals in order to capture users’ payment data. Many store owners have been informed by the BSI some time ago but less than a half of them have fixed that issue.

Shopping on those still infected or unpatched stores is a high risk! Most likely, your payment data will end up somewhere else.

In 2015, Willem de Groot revealed this issue in the popular shopping software Magento which is widely used around the world.

What scares me most is the fact that by that time, there were 3501 Stores infected, in March 2016 Willem found 4476 infected stores and late 2016 there were almost 6000 infected stores worldwide. Here is a list:

Fortunately, MageReport provides a tool, to check if a certain website is already infected or at least unpatched and a possible victim for cyber criminals.

So I would recommend to use that tool to check the online shops you are using before using them again.

I did so and guess what, three of them were infected – only one of them replied back to me after I informed them about their issue.


Don’t trust the evil!


MAC Addresses are back – Happy and secure Holidays

Today, Apple released my Update 9.02.03 which will bring back the MAC Addresses and fixes the Crash in the Device Tool reported by some users.

MAC Addresses

Bringing back the MAC Addresses was really a challenge and caused me some more gray hair and long nights during the last days. With iOS 10.2 Apple continued with their good intentions to protect our privacy by removing all sorts of information that might be misused by developers to uniquely identify our devices. Apple’s approach is a good approach and I appreciate that in general. However, this meant that I was no longer able to show the MAC Addresses in Network Scans, which was quite unfortunate as the MAC Addresses were also used along with the included MAC Database to show the vendor of each device. Finding a solution was really a challenge as I have to use official APIs because otherwise Apple would have rejected the App. The solution I found is indeed using official Apple APIs but in a very specific and unusual way (don’t want to elaborate more). This said, I expect Apple to even close this door at some point.

Device Tool crash

This was also a challenge. Some users reported the Device Tool to crash (one user even left a one-star bad review only because of this crash). I tried to reproduce this on any of my various test devices without success. Fortunately, some users contacted me regarding this crash (Thanks again!) and I asked those users to enable crash-log submission in iOS (Settings -> Privacy -> Diagnostics & Usage -> Automatically Send, then enable “Share With App Developers”). When switched on, Crash logs will be submitted to Apple and a few days (sometimes a week) later I am able to download anonymized logs from Apple. These logs showed that indeed for a few users, the App crashed for security reasons as it wasn’t allowed to access motion sensor data (Motion data will be accessed in the Device Tool for the Sensor section). The question is still why only a few users were affected and why I was not (and still am not) able to reproduce this on any of my test devices. However, I hope at least I fixed this in the new version 9.2.3. If not, please let me know.


Thank you so much for all your reviews. It was overwhelming to read them all. Unfortunately they are now gone with this update but I don’t want to bother you again asking to update your review.

Instead, please have relaxing and secure Holidays.

Thank you all and let’s work together for a more secure 2017!

See you in 2017.

Best regards – and don’t trust the evil.


iOS 10.2 and missing MAC Addresses

Dear Users,

it seems that Apple has further improved their security measures in iOS 10.2. Unfortunately, this results in wrong MAC Addresses in NetworkToolbox.

I am currently working on a workaround so please be patient and wait for this fix.

Best Regards,


ALERT: Major attack to Routers. 41 Million Routers worldwide on risk.

Major attacks on routers are currently ongoing. These attacks already resulted in major outages of the German Telekom network and others in many countries.

The attack is using an old vulnerability on port 7547. This port is basically the interface for the Telecom companies to configure a router remotely. A variant of Mirai currently uses this vulnerability to install a bot using this interface.

Here is what you can do:

1.) Restart your router

This will clean your router in case it was already affected. However, even after a restart, it may happen that the router will get infected shortly after by another attack as this attack is currently still going on.

2.) Check if your router is vulnerable

For this, you need to perform a reverse (from outside) Portscan on your public IP Address and Port 7547 by following these steps from NetworkToolbox:

– Select the Devices Tool
– Tap on Network
– Locate the Public IP Address
– Take down this public IP Address (or bookmark to the Logbook)
– Switch off (disable) WiFi mode on your device

Next, ensure that NetworkToolbox can use the Cellular/Mobile network as follows:

– Quit NetworkToolbox
– Open Settings
– Tap on Cellular Data
– Search for “NET-Toolbox” on the list
– Ensure that the switch for NET-Toolbox is switched ON


– Reopen NetworkToolbox
– Tap on the Portscan Tool
– As Address, enter the Public IP address you took down previously
– As Port enter 7547
– Tap on Scan

You should get an empty list (0 Results). If that’s not the case, your router might be vulnerable.
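The same check as the steps above, written as an added example for readers who prefer a script over the App (this is not NetworkToolbox code; the function names are hypothetical). It refuses private or loopback addresses, because only a connection to the public IP Address from outside your own network, for example over a mobile hotspot, says anything about exposure of port 7547.

```python
import errno
import ipaddress
import socket

TR069_PORT = 7547  # remote configuration port named in this post


def tcp_port_state(host, port, timeout=3.0):
    """Return "open", "closed" or "filtered" for one TCP port.

    open     = the connection was accepted
    closed   = the host answered with a reset (nothing is listening)
    filtered = no answer at all (firewall drop or host unreachable)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def check_tr069(public_ip, timeout=3.0):
    """Check whether port 7547 of your own router answers from outside.

    Returns (state, reachable). reachable=False corresponds to the
    "0 Results" outcome in the steps above.
    """
    ip = ipaddress.ip_address(public_ip)
    if not ip.is_global:
        # 192.168.x.x, 10.x.x.x, 127.0.0.1 ... only test the LAN side.
        raise ValueError(
            f"{public_ip} is not a public address; use the Public IP "
            "Address of the router and run this from another network")
    state = tcp_port_state(public_ip, TR069_PORT, timeout)
    return state, state == "open"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_tr069.py <public IP address of your router>")
    state, reachable = check_tr069(sys.argv[1])
    print(f"port {TR069_PORT}: {state}")
    if reachable:
        print("The port answers from outside: look for a firmware update "
              "and disable remote configuration (TR-069) if you can.")
```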

3.) Protect your router

First of all, you should look for a firmware update. German Telekom currently provides an update for the affected router which is installed automatically after restarting the router. Others may need to look for a router update on the supplier’s/vendor’s website.

After an update has been installed, I would recommend to perform another portscan.

In addition, I suggest to disable this port if possible. Some Routers, like the German Telekom Routers, offer an option to disable the remote configuration feature which will also disable port 7547. On the German Speedport routers this feature is called “Easy Support”. On other routers it might be called “TR-069” or similar.

I would suggest to switch this feature completely off. Please note: if you are using a rented router, your provider may not be happy about this as they can no longer look into your router in case of issues.

Once the port can not be accessed from outside, you should be safe.

Some more background information:

As mentioned before, port 7547 will be used for remote access configurations on your router using a so called TR-069 interface. This interface is quite safe as it uses a callback feature that ensures that only the valid provider can access and change the configuration data.

This interface will also be used for instance by a Synology NAS if you would allow the NAS to configure your router on your behalf for convenience.

However, due to a bug in older implementations of the TR-069 protocol, this interface can also be used for code-injection.

So an open port 7547 alone does not mean you are vulnerable but along with a buggy firmware you are.

Then, either updating the firmware or disabling TR-069 (or closing the port if the router offers such a possibility) would fix a possible issue. If possible, I would suggest to do both (updating and closing the port).



Mirai and Yahoo


You may have heard about the biggest DDOS attack ever against my colleague Brian Krebs. Brian’s Website has been attacked by devices on the internet which have been compromised by a malware called Mirai (please visit Brian’s website for more details).

I read the source code of Mirai and developed a new security check for you which will be available in NetworkToolbox after checking for the latest data update in the settings. This new security check will scan for the same vulnerabilities Mirai is using to infect devices.

So you may want to run this security check on some or all of your network devices. If the security check reports a certain device is vulnerable, it doesn’t mean it is already ‘infected’ by Mirai but if Mirai would by chance pass by and visit your network, it is most likely that it will infect that device.

According to what I have seen while inspecting the code, fortunately Mirai will disappear once you restart the infected device. So what you should do, once the new security check reports a vulnerable device, is to restart that device and either remove it from your network or try to update its firmware and perform another Security check.


You may also have heard of the latest news about Yahoo. There are three strong arguments why to leave Yahoo as soon as possible:

  1. As mentioned in previous posts, Yahoo is about to be sold. Most likely to Verizon. You may also remember my post of Verizon’s Super-cookie.
  2. 500 Million Yahoo accounts have been hacked.
  3. Yahoo has scanned all mails for NSA and FBI.

A single fact from the above list should be enough to say good bye to Yahoo but I am still surprised to receive many Questions and Support mails from users with Yahoo accounts.

A few weeks ago, I was about to block all Yahoo mails as this would reduce the amount of Spam mails quite a lot (Spam is probably a fourth reason against Yahoo). But since I still receive so many Yahoo mails, I decided against blocking yahoo.

Your question might be, what else should I use? Google? Definitely not! Keep in mind (and this applies very much to Yahoo as well): “Nothing is for free”. Think twice: why should a company who needs to earn money to pay at least their employees offer a service such as Email for free? If you want security, you have to pay – period.

My best advice is to look for one of the many service Providers who offer simple web-hosting and Email services for a good price and (most important) with a good reputation. Such a provider can be used to register your favorite domain name such as your surname (or combinations like for instance) and they can run a well working Email service for you. This way, you will have personalized and nice Email addresses combined with a reliable and secure Email server. Such (good) providers will also take care of Spam and White/Black listing. Often way better than the big guns like Yahoo or Google.

For a temporary time, you can forward your Yahoo (or Google) mails to this address.

Don’t trust the evil.


The Connections tool is gone – which is good!

A very provocative title isn’t it? But yes, it’s true, it is good. I will explain why.

I have received a couple of support mails regarding the no longer working Connections tool. Some people were just wondering when it will come back. Some are blaming Apple for it and one unpleasant person even had nothing else to do than blaming me with loads of unpleasant words and sentences that I don’t want to repeat here (but I will if this person doesn’t stop this).

So what has happened? I am usually testing compatibility of my Apps with pre-release versions of iOS. In case some action is required I will prepare an update. At some point, Apple released a pre-release that prevented the Connections tool from working. Such things happen often, and with further pre-releases things get back to normal – and so they did. The Connections tool started working again. But later, with the latest Release Candidate of iOS 10, it stopped working again so I started investigating why.

It turned out that Apple has completely removed an API I was using to generate the connection list for the Connections tool. By that date, I had investigated many alternatives which all turned out not to work (anymore or not at all on an i-Device). That was sad as I am also using this Tool quite often, whenever I like to analyze suspicious behavior of newly installed Apps and often discovered bad “calls home” or other undesired connections (e.g. Flurry).

On the other hand, while implementing the Connections tool some time ago, I was even surprised that Apple did offer the API in question as it also allows many other, even bad, things to be done. Other Apps can and likely may have already used the same API for other, undesirable purposes. After implementing the Connections tool and submitting the App to Apple, I also expected that Apple would reject my App – which was obviously not the case.

The problem here is, that even though I call it API, it’s not really a typical “officially documented” API. It was rather a system call with very specific parameters. Such a system call is hard to identify within the review process and that’s probably why. But as mentioned before, this system call can also be used for many other things I definitely don’t want another App to do on my iPhone or iPad.

So even though it’s sad that the Connections Tool can now no longer be used, it is good that this particular API (or System call) is gone. This is indeed a real gain in security and I am hoping Apple will continue to walk this Path. I think it is way more important that our i-Devices cannot be compromised and that bad Apps cannot harm our security and privacy, and I think it’s worth the disadvantage that we now no longer have a Connections tool available.

I think Apple is doing a great job by not only continuously adding new great features but also care for security. This is why all my Android Devices (I have quite a few since I used to develop Android Apps as well but discontinued some time ago) remain in my drawer and will not be connected to my internal network. Those devices are quite insecure and exactly the opposite. Google doesn’t care about security and they are even the worst data spy themselves. A Connections tool for Android would still be possible of course but I would not trade any Android Device with any of my iPhones or iPads.

So as you can see, it is very unlikely that the Connections Tool may come back in the future but there is no reason to complain about Apple. They did their job well.

I leave it up to you to decide if it is me who needs to be blamed.

Don’t trust the evil!










New Update available!

A new version of NetworkToolbox is available.

The new version contains various changes, additions and fixes:

■ Renewed Bluetooth Tool

I have completely re-written the Bluetooth LE scanner. It is now more reliable and easier to use.

■ New Health Check Tool

This new Tool can be used to perform recurring pre-defined tests. You can add multiple sites (IP Addresses or hosts) and perform Ping, Certificate, Mailserver and other tests with a single button press. This way, you can quickly check the availability of components either in your home network or your Internet Servers.

■ New SMB Tool

You can now even browse Windows or other Samba shares using this new Tool. It is also possible to download files.

■ New Speed Test Tool

This new Tool implements the iPerf Speed Test standard and can be used to perform Network Speed/Bandwidth tests to one of the public iPerf Servers or even between two NetworkToolbox Apps running on the Network since the Tool also provides the possibility to run an iPerf Server.

■ Further improved network scan

Now, SMB Network Names and Vendor Names will be displayed in the list itself and not only on the detail screen.

■ Export Settings

As requested, you can now export the settings either for backup purposes or to submit the settings (including the user passwords etc.) to another iOS Device.

■ Reverse DNS and DNS Lookup improved

Even though the Tool is still called NS-Lookup, it is now rather a multipurpose tool that shows all kinds of information available for an IP Address or host such as DNS Record information, Reverse DNS Lookup, Provider information and more.

■ Macros for Telnet and SSH

It is now possible to write and maintain Macros that can be submitted from inside the Telnet or SSH Tool. Macros also let you send special Key combinations and support delays.

■ Other Telnet and SSH improvements

The Keyboard window will now only cover the necessary part of the screen and in case you are using a hardware keyboard, you will now see the full telnet/ssh screen.

Now you can also directly send special keys that are not available on the software or hardware keyboard.

■ WOL (Wake on Lan) has been built in

■ HTTP Head Tool improvements

This Tool now also shows the Status code returned from the Server and an explanation of the meaning of this code.

■ IPv6 support

Most Tools now support IPv6 where appropriate. If available, you will see IPv4 as well as IPv6 addresses in the result lists of several tools. You can also enter IPv6 addresses in several Tools in the same way you enter IPv4 addresses.

■ New IP Calculations

With the introduction of IPv6 Addresses, there are also three new Calculations for the IP-Calculation Tool such as IPv4 to IPv6, 6to4/6RD and Teredo calculations.

■ New Manual

As you may already know, this App contains a lot of information and help texts with general information as well as for each individual tool and how to use it (Thanks again to Martin who helped me out here). Several users appreciated that but asked for a separate manual so they can read it side by side with the App. This is now possible. I have moved the existing content and added some more text to a separate manual, which can also be opened from here: but also still from inside the App by hitting the (i) button as usual. If you prefer a printed version, you can also download the manual as PDF file.

■ Bye-bye to the connections Tool

With iOS 10, Apple has removed an API which has been used for the Connections Tool. This means that this tool no longer works under iOS 10 and you will get a corresponding message if you try to use it. Even though it is not nice that this valuable tool can no longer be used, Apple’s decision is a major increase in security as this API could have also been used for other purposes by any App.

■ Other bug fixes and improvements

Besides the lost Connections Tool, NetworkToolbox is now fully compatible with iOS 10 and even uses some of the new advantages. On an iPad Pro, it can also run in Multitasking and Split Screen mode and it runs just fine on the new iPhone 7 devices.


As you can see, there were many changes with this new Update. It even took quite some time as due to IPv6 Support major parts of the App needed to be re-written.

This said, I wouldn’t be surprised if me or my valued Beta Testers would have missed one or two Bugs. Please don’t worry and just let me know so I can fix it timely.

Updating this App means that it will lose all your nice and kind reviews.

So please, after you installed the update, update your review as well or write a new one.

I hate these annoying nag-screens reminding users to write a review and don’t want to include that.

For your review, you can also tap here.

Thanks for your great support!


Kind regards,


New Manual and new Version soon

Today, I am happy to announce the new Manual which is now already online for you from here:

Several users found the included (i) Help texts useful but prefer to have the description side by side on another screen or even paper – which makes sense. Thus, I created the online manual.

Please note: This Manual already covers the next version with many new features and improvements. This new version will have this manual already included also from inside the App but I found it might already be useful for all users of the existing App version.

While talking about the next version. It took quite some time to get it done. This was basically because I had to re-write major parts of the App due to the fact that it now also supports IPv6. There are still some parts of the App which don’t fully work with IPv6 due to some oddities in iOS but I will either fix this during the next days or will leave it as is by now assuming that the majority of you will still use IPv4.

So please stay tuned for my announcement for the release of this update,
Best Regards,

NetworkToolbox with wired Ethernet connection – not only WiFi anymore! – UPDATE

Sometimes, you may wish to connect to a network via Ethernet Cable in order to inspect or analyze a network. So far with NetworkToolbox it is only possible to connect to a network via Wlan/WiFi.

But there is good news today!

For this reason, some time ago, I bought the Lightning Ethernet Cable (L2-NET) from Redpark. This cable requires some development work as it’s not supported by any iOS Device itself. I also had to register for Apple’s MFI Program, which is necessary if you want to ship an App which uses a hardware accessory. I did that and I also developed almost all necessary changes for NetworkToolbox, which was quite a lot as all network routines (especially the scanning and sniffing ones) had to be adapted for this cable. Unfortunately, at the end, it turned out that the provided Library had some bugs but moreover the Cable often ended up in a situation where I had to completely re-start the device, which was the reason why I never released this feature. I was in contact with Redpark a couple of times. They were very kind, committed and helpful but at the end it turned out that the cable issue cannot be solved, at least not for NetworkToolbox. If this changes in the future, I will be more than happy to support this cable as I really like it.

However, here is something new:

You can use the new Lightning to USB 3 Camera Adapter along with the USB Ethernet Adapter.

The USB 3 Camera Adapter, which is basically a USB 3 Adapter, was introduced for the new (big!) iPad Pro (the new small iPad Pro doesn’t support USB 3 by the way). I wanted to buy this adapter for my big iPad Pro anyways but added the USB Ethernet Adapter to my order – just in case.

Once the package arrived, I tried to connect both Adapters together and plugged them to my iPad Pro. Then I got a message saying that the Ethernet Adapter consumes too much power and cannot be used.

Two things were surprising with this message: 1.) I didn’t get the usual message saying that this device is not supported, 2.) It even recognizes the second adapter as an “Ethernet Adapter”.

I then put a regular USB hub in between the two Adapters and provided power to the HUB.

Success !!  – as a result, I didn’t see any message anymore but also nothing else. No confirmation message, no additional menus in the Device settings (as it was the case with the L2-NET cable).

Then I switched off WiFi and Cellular, started NetworkToolbox and to my surprise, the Adapter was found and I even got a DHCP Ethernet Address. I was also able to browse (real fast!) and perform Network scans with NetworkToolbox – pretty cool, isn’t it?

Next, I tried the same with other devices and found that at least my iPad air 2, iPhone 6 and 6s are working well. There may be others working as well but I have not tried it yet.

I then tried to use other HUBs and found that almost all I have are working, except for one old HUB.

I also tried different USB Ethernet Cables which all didn’t work.

I did not try but this solution may even work with the old iPhone Camera Adapter.

So in short, here is what you need:

Plug everything together and power the USB Hub, switch your iPad/iPhone to Airplane Mode (to disable all other communications), wait a few seconds and then try to use Safari to see if the connection is working. If not, double check the HUB or try another HUB.

Even though NetworkToolbox reports a local IP, it reports a public IP and correct DNS Server and is working very well with this solution.

Please let me know if anybody of you is successfully testing this solution on other devices, or even found that the old Camera Adapter is working well so I can update the compatibility list on this post.

UPDATE: Cristian from Gibraltar just reports that the old USB Camera Adapter works as well with the Ethernet USB Adapter. Thanks Cristian!

Don’t trust the evil!
Best Regards,

Email tracking even on your iPhone

A dear user and contributor of NetworkToolbox just raised a point I would like to share with you.

While discussing my arguments against Web-Mail services and my suggestion to rather use a Mail client instead, he mentioned that he got frightened some time ago even while using his iPhone mail client. What happened was, that he received an Amazon gift voucher from a relative and while he wanted to thank him five minutes later for the gift, the relative told him that he already knew that he received his gift because he’d just received an email from Amazon informing him about it.

So you may wonder how this could have happened even on a relatively secure Apple device. The trick is quite simple and widely used by many newsletters, eCards and even regular mails. There are many service providers offering such a feature to companies, even garnished with sophisticated statistics about reading time and even the location of the recipient.

What they do is, they just add a small image (visible or not) to each email. This image has an individual name which is different for every recipient. Once the email has been opened, the email client tries to download this image from the server in order to show the email correctly.

The Server, where the image comes from just responds with the requested image, maybe an empty 1×1 white pixel. So far so good. But any Web-Server, and the server for such an email image is also a Web-Server, will see the requesting IP Address and, of course, the file name of the requested image. Remember, as mentioned before, the file name is basically a unique Identifier which identifies each recipient and the IP Address will help to track down the location and other information such as type of device (e.g. iPhone) as well as the client software the recipient is using. And of course, all of that is being logged and can trigger an email to somebody who is interested in knowing when you read their mail.

But for iOS users, it’s not too bad at all. There is something one can do against it, which the dear user found out on his own while googling. There is a setting under Email settings called “load remote images” (or “Bilder vom Websever laden” for the German users) which should be switched off.

It is very unfortunate that this setting is turned on by default but I would strongly recommend turning it off. This setting will prevent the things I mentioned before from happening. The only disadvantage is, that some mails might look a bit strange without images which will no longer be loaded in the future once this setting has been disabled but it’s often not too bad and you can manually force the images to be reloaded. But then, keep in mind, the sender may (and most likely will) track this.

You may wonder why you see images in mails even while “load remote images” has been switched off. The reason is, that in that case, images have been embedded in the mail and thus, don’t need to be downloaded and thus, can also not be used for tracking. The disadvantage for this approach is, that such mails get bigger, are causing more network traffic while sent out and while downloaded on your device.
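How a mail client or filter can tell these two kinds of images apart, as an added example that is not part of the original post: the script lists every image in an HTML mail, marks the ones that would be fetched from a server when the mail is opened, and flags likely tracking pixels. The sample message, its host names and all function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail (not a real message): one image embedded in the
# mail (cid:), one remote visible logo, and one remote 1x1 image whose file
# name is a per-recipient identifier.
SAMPLE_EML = """\
From: shop@example.com
To: alice@example.org
Subject: Your gift voucher
MIME-Version: 1.0
Content-Type: multipart/related; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You received a gift voucher.</p>
<img src="cid:voucher@example.com" width="300" height="120">
<img src="https://img.example.com/logo.png" width="120" height="40">
<img src="http://track.example.net/open/7f3a9c2e41.gif" width="1" height="1">
</body></html>
--XX
Content-Type: image/png
Content-ID: <voucher@example.com>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--XX--
"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def classify_source(src):
    """'embedded' images travel inside the mail; 'remote' ones need a request."""
    src = src.strip()
    scheme = urlsplit(src).scheme.lower()
    if scheme in ("cid", "data"):
        return "embedded"
    if scheme in ("http", "https") or src.startswith("//"):
        return "remote"
    return "other"


def looks_like_beacon(attrs):
    """Heuristic: an image of at most 1x1 pixel, or one hidden via CSS."""
    def tiny(value):
        value = value.strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        return value.isdigit() and int(value) <= 1

    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return hidden or (tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")))


def audit_message(raw):
    """Return one finding per image found in the HTML parts of a raw mail."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            src = attrs.get("src", "")
            kind = classify_source(src)
            remote = kind == "remote"
            findings.append({
                "src": src,
                "kind": kind,
                # Host that would see the reader's IP address and client.
                "host": urlsplit(src).hostname if remote else None,
                # Only remote images cause a request when the mail is opened.
                "fetched_on_open": remote,
                "likely_beacon": remote and looks_like_beacon(attrs),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_message(SAMPLE_EML):
        note = "LIKELY TRACKING PIXEL" if finding["likely_beacon"] else ""
        print(f'{finding["kind"]:9} {finding["src"]} {note}')
```

A visible remote image can carry a per-recipient name just as well, so every image marked `fetched_on_open` reveals the opening of the mail to its host, not only the ones flagged as beacons.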

So, don’t trust the evil.
Stay safe!

The worst thing happened

What is the worst thing to happen with regards to network security you can imagine?

How about a network device that should care for your network security which has a back-door that allows access by everyone from everywhere? Yes, that’s scary, right?

Exactly this has happened to Juniper users – and we all are affected.

For your information, Juniper is the second largest company selling Routers, Switches, Firewalls and other network products after Cisco. Their products are widely used from small businesses, large companies, Network providers to governmental networks.

Recently Juniper indicated that they had discovered unauthorized code in their ScreenOS software used in their Netscreen firewalls. It turned out that this code contains two back-doors which allow full device access and VPN traffic monitoring. Further investigations revealed that all of their firewalls running software versions shipped from 2013 until recently can be accessed from everywhere by everyone via SSH using any username and password “<<< %s(un=’%s’) = %u”. An update will fix this issue.

So far, it is unknown how this backdoor slipped into their code.

Currently, Morpheus and Shodan find more than 30.000 of these devices.

Maybe you personally don’t use Juniper hardware but be assured, your Provider, Bank, online Store, Company you are working for may likely use Juniper hardware.

It was good that Juniper offensively informed about their findings so that security researchers were able to start their own investigations. However, it took two years to find the back-doors. My personal assumption is, that organizations like NSA, GCHQ, Asian or Russian organizations are responsible for this and moreover, I further assume that similar Back-doors are available in other Network Devices such as those from Cisco and other “big Players”.

I even now see the other Back-doors I mentioned in my blog (here and here) from a different perspective. Not unlikely that these back-doors were not results of brain-dead developers but have the same source.

Regardless of whether my assumptions are correct, many networks are currently at high risk. Even more because not only NSA, GCHQ etc. are able to access our data, now even inexperienced criminals can.

Due to the impact of this issue, there is not much one can do other than to follow the following rules that make sense regardless of this impact:

Of course, there is much more we can do but most of the above is either easy to do or simply mandatory and without alternative.

Regardless, I wish you and your families a Merry Christmas and all the Best and secure 2016!


Linux cheat sheet added

As requested (and to be honest also for my own sake) I added a linux cheat sheet to NetworkToolbox.

This additional information resource doesn’t cover those simple and basic Linux commands. Instead it contains many less known and easy to forget commands, especially for network administration and information gathering.

If some of you are interested even in the simple commands, please drop me a line and I will be happy to add those as well.

In order to install this cheat sheet, just perform a data update by heading to the settings screen of NetworkToolbox, scroll down and press Check for data update.

After the update, you will see a new Icon in the Resources section of the App which contains the new Linux cheat sheet.


Anonymous against IS

Support Anonymous – and don’t trust the evil

Security check added for the recent Netgear security flaw

I assume you have heard already from the recent findings of exploitable Netgear routers.

If not, here is a brief summary:

Due to another case of ignorance or lack of security awareness among the developers of the Netgear router firmware, it is possible to access several (thousands!) Netgear routers from the internet without entering correct credentials. For details see here.

If this alone isn’t scary enough, Netgear has again to be blamed for their slow and ignorant response to this serious security flaw.

Even though Netgear has finally released an update that fixes this issue, thousands of routers can still be found using Morpheus or Shodan which still run the old firmware and thus are exploitable.

To check if your own router is affected, I have written and just released a new security check for NetworkToolbox which can be downloaded by running a data update from the settings screen of NetworkToolbox.

After downloading, you will find a new entry called “Netgear router exploit” in the Security Check tool.

So, better check yourself with NetworkToolbox and don’t trust the evil.



The truth about XCode Ghost – UPDATE

See my update below.

As this already goes around in the news and not only in the technical press, you will have heard about the XCode Ghost issue and the so claimed “Apple’s biggest malware attack”.

What happened is in short: Some developers, mainly from China, downloaded the so called XCode development environment, which is required to develop Apps, from dubious websites instead of Apple’s official website or Apple’s App Store. The version they downloaded was infected and so were the Apps produced by this XCode version. Some Apps made it to the App Store and some are still available for downloading.

So far, so bad. Scary, isn’t it.

No, it’s not that bad.

Unfortunately, the press and even the people from paloalto networks who “revealed” this story first are currently mystifying this subject rather than informing fully and correctly. They even provide misleading and even obviously wrong information.

So here is my story:

I personally found one of the affected Apps on my device (CamScanner; this App has since been removed from the Store so I can’t provide the link). I reverse engineered this App and can confirm that it indeed contains the XCode Ghost “Virus”.

Further investigation of the code revealed that this code is almost harmless. At least as harmless as all the damn Flurry, AppCrashLog, UserActivity Libraries I am complaining about for quite some time.

It “just” collects even less than Flurry does and submits it to a server ( There is DEFINITELY NO key logger included, NO POPUP will be displayed that asks for an Apple ID/iCloud access or something similar. The rumors about this are absolutely wrong.

Of course, the code could have been more dangerous and my finding depends on just one App so this is not an “all-clear”.

However, most likely it is not as bad as the press writes. There is no proof (maybe yet) that there is any App “infected” in a way that user’s security is affected.

The reason why I am very confident about this is that I was able to find the source code on the Internet which is 100% identical to the code I found in CamScanner and that also fits 100% to the story of paloalto networks. That source code is also garnished with a Chinese “excuse me” of the developer who is claiming to be the author of XCode Ghost.

Take a look yourself here: (maybe use Google translate to read it)

Until there is further proof otherwise, I assume that this is exactly the code which is included now in some Apps on the App Store.

Apple is currently trying to identify these Apps (which should not be too difficult) and removing them. I however would also expect a list of these Apps from Apple (not like the one on the paloalto website which contains spelling errors and App Names that are available several times on the App Store) so we know which Apps may still reside on our devices.

For your information, and that’s also missing in all the other press statements, you just need to delete the App and it’s gone. There is nothing that remains on your device after you delete it.

And here is, what you can do as NetworkToolbox user:

As explained earlier, my App contains the recently introduced Connections tool. This is ideal to identify such unwanted connections. I just wrote a small tutorial which explains how to detect XCode Ghost using NetworkToolbox.

You may wonder what Apple can do to prevent this from happening in the future. To be honest, so far, there is nothing to blame Apple for right now because (as mentioned before) this code is “harmless” in terms that it doesn’t access secured information and it doesn’t use private APIs. Otherwise I would have been quite sure that Apple would have rejected the Apps (as happened to my Apps).

The people who have to be blamed most are the developers that downloaded XCode from the dubious websites and used it for submitting the Apps to Apple. The same thing could definitely have happened on the Microsoft Platform. Maybe even easier because Microsoft does not offer any real App Store approval process at all. Not to talk about Android, where there is no protection at all against way easier kinds of injections with way more uncontrolled device access.

But I guess, Apple will now most likely speed up and shorten the grace time period for developer of Apps that now have to use HTTPS/TLS rather than HTTP and need to announce and name all domains that their App connects to.


For a long time, it seemed that I was the only one claiming that XCode Ghost is relatively harmless. All the so called ‘Security Researchers’, the big press like the German ‘Tagesschau’ and even Heise never got tired of repeating the same story that XCode Ghost has been the biggest hit to iPhone App users’ security ever and everybody is at risk.

Recently also FireEye (who already is one of my friends) dared to say that they experienced some MITM (Man in the middle attacks) and offered to “protect their customers” against XCode Ghost.

I sent a lot of mails to those researchers and companies telling them that they are wrong in their assumptions and that they should spend a few minutes in analyzing the code. Probably that was either too difficult for them or they just didn’t listen.

For instance, I asked FireEye what the heck they think how MITM attacks could compromise the users of Apps with XCode Ghost. No answer. Dead end. Probably because the answer is, it makes absolutely no sense at all.

There are still numerous false alarms regarding Phishing and Clipboard interception capabilities of XCode Ghost.

Unfortunately, this all was said by inexperienced, unthinking, ignorant, arrogant and attention-addicted so called security researchers, and the unfortunate so called “press” and security websites just copied and pasted their wrong conclusions.

For me, this is definitely the real issue with XCode Ghost.

Anyway, I gave up repeating the truth about it, hoping many people will read this post and come to their own conclusion.

But it was nice to see that I am finally not alone with my conclusions. See here:

Don’t trust the evil!



Check for ATM Skimmers with NetworkToolbox

Nowadays, ATM Skimmers use Bluetooth to transfer your stolen credit/debit card details and PIN code.

Brian Krebs today talked about this in a great story where he visited some Hotels in Mexico (even one I stayed in a few years ago) and found several Bluetooth Skimmers.

The hacked ATMs are using Bluetooth modules that are used to download the collected data from the Skimmer inside the ATM. This way, the criminals don’t need to get very close to the ATM to download the stolen data.

Even though this is another scary escalation of the Skimmer technology, the Bluetooth modules can be discovered even by NetworkToolbox. The Modules Brian found are standard Bluetooth modules from a company called Free2Move and that’s also the name these Bluetooth devices are propagating.

There are Bluetooth Modules available for Bluetooth 1.0, 2.0 and even 4.0 (LE) so you will have to discover all three standards. Bluetooth 1.0 and 2.0 devices can simply be discovered by going to the Settings screen of your iPhone, selecting Bluetooth, switching Bluetooth on if it’s off and waiting to see whether your iPhone discovers new Bluetooth devices around you. If you see “Free2Move” when standing close to the ATM, you may want to look for another ATM.

For Bluetooth 4.0 or Bluetooth LE (Low-Energy) you can use the Bluetooth Scanner which is included in NetworkToolbox (Please note: you need to have at least an iPhone 4s for this). Just run a Scan and check the names of the discovered devices and look for “Free2Move” or anything else that doesn’t look obvious.

Of course, the Criminals can change the name but so far, the Skimmers found by Brian Krebs can be discovered this way. At least I will try it whenever I am using an ATM and will let you know once I find a Skimmer or once I got suspected as criminal when standing in front of the ATM and do my scanning ;-).

Don’t trust the evil,

have a secure day,






WordPress WPML Multilingual plugin – better switch if you still use it

This story is not really related but I had to write it. Simply skip if you don’t use WordPress.

I am using WordPress for most of my Websites and some time ago I purchased the WPML plugin for easier handling of multi-language pages. This plugin wasn’t cheap (about 200 Bucks) but I thought it’s worth it. A little later, after using WPML for a while and after almost getting used to the cumbersome UI and weird bugs, I heard rumors about security issues with WPML. So I looked for updates and headed to their support forum. After reading that they are not really able to fix these issues soon because of issues with their update procedure, I took a look into their PHP code. After this, I knew I had to disable WPML immediately and switch to another solution.

It took me quite some time to find and migrate to another solution but thank God I did. Later I forgot about WPML.

A few minutes ago, I received the following mail:

So in that mail WPML claims that they updated my password to a strong and secure one (I always thought I am using strong passwords by the way). Further down, they sent me the new password in plain text and EVEN added the Login name (for my convenience I guess) to that mail.

But it got worse. When inspecting the included link they added to the login page (probably even for my convenience) I found it contains the address of a redirect PHP on a completely different server.

At that point, I was pretty sure that this must be one of those usual phishing mails and just in case, I sent a mail to WPML (using the contact form) to inform about this.

Seconds later, they confirmed that this mail was real.

Isn’t that unbelievable ?

I think this finally proves that WPML definitely has no clue about security. So everybody who is still using WPML (probably not too many still) now knows that they better switch to something else.

As a side note: WPML can be found on which is ok. But is available for sale. Imagine what happens if a bad guy would acquire But it’s not cheap I must admit.

Anyways, don’t trust the evil.

Best Regards,


Should we uninstall anti-virus software such as Sophos, ESET, FireEye and Kaspersky ?

Regular readers of my blog know that I am no fan of anti-virus software.

Now, here is another argument against them. Tavis Ormandy recently successfully exploited Kaspersky in a way that users could find their systems easily compromised. Just recently he did the same for Sophos and ESET and even this Sunday, Kristian Erik Hermansen disclosed a zero-day vulnerability in another Malware protection solution from FireEye, which if exploited, results in unauthorized file access.

My personal opinion is that the good old days for those companies are over. Instead of continuing to invest in good security engineers and software developers, they spent their money rather for advertising, fighting against their competitors and seeking for additional ways to make money.

I guess all of you once had your own issues with your preferred virus-scanner or security suite (as they are called nowadays). Dramatic slow-downs, unreachable websites, odd browser behavior, undelivered mails or completely messed up firewall rules. All issues that suddenly disappeared once you switched off or uninstalled the virus scanner. Haven’t you? And for us network admins, isn’t it always scary when the preferred scan engine on the server gets updated because you still remember the server outage due to such a scanner update?

But you thought that this is the price we have to pay for increased security. Now we have learned that we even lose security when using Anti-Virus software.

My suggestion: Don’t use them! Stick with the built-in security measures of Windows, Mac or Linux. Use a good router, use NAT, use Firefox (or if you don’t like Firefox use Chrome for God’s sake) but always keep everything updated. This is all you need for regular browsing and working. The built in Windows defender for instance is not too bad at all, even though those brave computer magazines’ regular tests never show it as #1 in scanning accuracy. A few pages later you can learn why when reading the big advertisements of these Anti Virus companies.

In addition: if you have to visit suspicious websites or servers or need to access dubious systems or have to do some downloads and to unzip and install files from insecure sources: Never ever do this on your production system. At least setup a virtual machine or better use a separate computer running on a separate IP address space. This is easy to do, easy to recover in case of issues and the best protection you can get.

Don’t trust the evil,

Best regards,










Babies and families at risk!

Maybe this is another bad coincidence. Shortly after my findings regarding the quite insecure ALDI / MAGINON web cameras, Rapid7 informs about IoT security issues, especially about 10 New Vulnerabilities for Several Video Baby Monitors.

There is nothing to add to this scary report except that this is yet another example of incompetent developers, IT and quality assurance departments of ‘well known’ companies. I hope all of them get fired but maybe they deserve something worse. For instance, that their family or kids get stalked. No – This is something we should not wish on anybody. This would be wrong. But they didn’t seem to care about your family and privacy.

To check your own devices, I just updated the default password database of NetworkToolbox accordingly.

Don’t trust the evil!


P.S. NetworkToolbox now has its own dedicated Facebook page.

Ins0mnia and NetworkToolbox

You may have heard about Ins0mnia, which is a security vulnerability that allows an iOS App to continue to run in the background, even if the App was terminated by the user and is not visible in the task switcher. Security researchers argue that Apps that are using this Ins0mnia vulnerability may even be able to access the microphone or camera without your knowledge.

As an App developer I can tell you that camera access is not possible in the background and both microphone and camera access will only be possible if a user acknowledged the request to access those peripherals. Without a user confirmation, even an App using the Ins0mnia vulnerability can not access microphone and camera.

But anyways, the Ins0mnia flaw is not good but it’s good that Apple fixed this security issue with iOS 8.4.1 (so hurry, if you didn’t already update).

So what about Ins0mnia and NetworkToolbox? Can NetworkToolbox detect Ins0mnia? I would be scared if that could be the case to be honest. Because that would mean that Apps would have access to other Apps outside of their own Sandbox. This is only possible on Jailbroken devices and that’s why Jailbroken devices are quite insecure.

But NetworkToolbox can indeed help. With the recently introduced Connections Tool you can find out, if one of your Apps “calls home” which means if it sends data from your device to another server on the Internet. As already mentioned, I created a small tutorial which explains how to do that.

But it’s even easier with Ins0mnia because the nature of Ins0mnia is, that it continues to run in the background and also communicates over the network while in the background.

So here is what you can do (not only to detect Ins0mnia):

First, you should close all Apps on your device (double tap the home button and swipe all Apps to the top one after the other).

Then, start NetworkToolbox and open the Connections tool. Normally you will see about 10 to 15 connections. If you wait a while and press the refresh button, this number should go down to about five or even three. If you take a look at these few connections, you should only see Apple’s IP addresses (those starting with 17), maybe the IP address of the mail provider you are using and maybe some Akamai domains. That should really be all you see after a few minutes. If you see more and different addresses, it’s worth inspecting them because that’s unusual and can be caused by an App using the Ins0mnia vulnerability.
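The triage rule from the steps above, written out as an added example (not part of NetworkToolbox or of the original post). It assumes the remaining connections were copied by hand as (remote IP, reverse-DNS name) pairs; the Akamai suffix list, the mail host name and all sample addresses are constructed assumptions.

```python
import ipaddress

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # "those starting with 17"
# Assumed suffix list for "akamai domains"; extend it for your own network.
AKAMAI_SUFFIXES = (".akamai.net", ".akamaiedge.net", ".akamaitechnologies.com")

def classify(ip, rdns, mail_hosts):
    """Label one remote endpoint: 'apple', 'mail', 'akamai' or 'inspect'."""
    if ipaddress.ip_address(ip) in APPLE_NET:
        return "apple"
    # Reverse-DNS names are chosen by whoever owns the address, so a match
    # here is only a hint; the address-range check above is the stronger one.
    name = (rdns or "").lower().rstrip(".")
    if name in mail_hosts:
        return "mail"
    if name.endswith(AKAMAI_SUFFIXES):
        return "akamai"
    return "inspect"

def triage(connections, mail_hosts):
    """Return the (ip, rdns) pairs that fall outside the expected idle set."""
    return [(ip, rdns) for ip, rdns in connections
            if classify(ip, rdns, mail_hosts) == "inspect"]

# Constructed sample: what an idle device might show a few minutes after
# all apps were closed. Addresses outside 17/8 are documentation ranges.
SAMPLE = [
    ("17.253.144.10", None),
    ("192.0.2.25", "imap.mail.example"),
    ("198.51.100.80", "a198-51-100-80.deploy.static.akamaitechnologies.com"),
    ("203.0.113.45", "akamai.net.tracker.example"),  # look-alike name
    ("2001:db8::5", None),
]

if __name__ == "__main__":
    for ip, rdns in triage(SAMPLE, {"imap.mail.example"}):
        print("inspect:", ip, rdns or "(no reverse DNS)")
```

The look-alike name shows why the suffix is matched only at the end of the name: a host that merely contains "akamai.net" still lands in the inspect list.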

Don’t trust the evil!

Best Regards,


New Version 8.2.1 now available

The next version 8.2.1 of NetworkToolbox is now available.

I hope you will be excited about the new features.

Please note: Don’t forget to check for a Data Update also.

So here is what’s new:

ALDI / MAGINON / Rollei WebCam findings – Update

This is indeed a scary story.

Today, I went to my favorite discount grocery Store (ALDI) for buying some items. To my surprise, they offered PTZ WiFi WebCams for less than 40EUR (about 45 bucks) so at the checkout I asked for a couple of those cameras.

Once back home, I did some quick research and can’t believe what I found. The camera came with default credentials (guess what: admin as username and blank password) so I started using my NetworkToolbox to explore the HTTP-Head information of the camera’s internal web server. The results were:

Content-Type: text/html
Server: mcdhttpd/1.0
Connection: close

This revealed a very ‘good’ string (mcdhttpd) to search for on Morpheus or Shodan with my NetworkToolbox. Quick searches confirmed that the ALDI Camera was in fact the renamed Rollei SafetyCam. (You will agree that this Camera uses a quite misleading name after reading further. ALDI must have known the issues as they call it differently 😉 )

Both Morpheus and Shodan found hundreds of such cameras, even around the world. Most of them in Germany, Austria, Hungary and Switzerland where ALDI is located and seemed to sell this WebCam. Of course, I didn’t try but I am pretty sure that there are lots of cameras using the same default credentials.

UPDATE: Thank you for your reports, confirming that several of those entries are indeed still using the default credentials.

Until now, you might think, “Ok, so I can look into somebody else’s garden or nursery room or listen to what they say – so what?”

But it gets worse.

The funny WebCam offers WiFi and direct DynDNS support and so it also includes configuration pages for maintaining those credentials. The good thing is, the Camera supports WPA2 PSK AES and TKIP WiFi encryption; the bad thing is, the PSK Key will be displayed (and likely stored) in plain text. So once you find such a camera, you know how to access the WiFi network of the owner.

Even better, almost the same applies to the DDNS settings. Here, the Password is a secured text field, but the password can easily be read out. So by this, you even know how to connect to that WebCam (and the network!) in the future.

Can this get worse? Yes, it can:

The same security issues apply to the setting for the Mail that the device can send in case of alarms. Mailserver, mail username and password are plain-text or easy to be read out. So we all can be lucky to get more spam in the future, sent from those WebCam mail accounts. Thank you!
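For anyone checking a device they own, the pattern described above (a visible PSK, and password fields that are masked on screen but still carry the value in the page source) can be tested on a saved copy of the settings page. This is an added example, not code from the post or from the camera; the field names, the name heuristic and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Field names that suggest a credential (assumed heuristic, extend as needed).
SECRET_NAME = re.compile(r"pass|pwd|psk|key|secret", re.I)
SKIP_TYPES = {"submit", "button", "reset", "checkbox", "radio", "image", "file"}

class SecretFieldAudit(HTMLParser):
    """Collect <input> fields whose current secret is echoed into the page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        ftype = a.get("type", "text").lower()
        name = a.get("name") or a.get("id") or "(unnamed)"
        if ftype in SKIP_TYPES or not a.get("value"):
            return  # an empty value means the server did not echo the secret
        if ftype == "password":
            # Masking only hides the characters on screen; the value is in the source.
            self.findings.append((name, "masked-but-in-source"))
        elif SECRET_NAME.search(name):
            self.findings.append((name, "plaintext"))

def audit(html):
    """Return (field name, finding) pairs; secret values are never returned."""
    parser = SecretFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed settings page, modelled on the behaviour described in the post.
SAMPLE_PAGE = """
<form method="post">
  <input type="text" name="wifi_ssid" value="HomeNet">
  <input type="text" name="wpa_psk" value="constructed-psk-123">
  <input type="password" name="ddns_pwd" value="constructed-ddns-pw">
  <input type="password" name="smtp_pwd" value="">
  <input type="submit" value="Save">
</form>
"""

if __name__ == "__main__":
    for field, kind in audit(SAMPLE_PAGE):
        print(f"{field}: {kind}")
```

The `smtp_pwd` field in the sample shows the corrected behaviour: the server leaves the value empty and only accepts a new password, so nothing stored is sent back to the browser.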

So what is my Point?

I contacted Maginon, informed them about these security issues and asked for a statement but got no response yet.

Some screenshots in the Manual contain dates of the year 2012. Likely this was the year when the Camera was developed. It looks as if the security standard is even older and it has never been updated.

Very likely, this piece of hardware contains more internal vulnerabilities and security issues.

This is again an example of how a single device can jeopardize your whole network security when added to your network.

Don’t trust the evil.

Have a great weekend.



Just to keep you updated.

I have just finished the work for the next Update of NetworkToolbox.

Besides some bug fixes (sorry for the bugs in the current version) and many other improvements, the new version contains two nice features.

First, I will introduce PKI (Private-Key-Infrastructure) features with the next version. This includes possibilities and explanations on how to generate encrypted Public and Private keys and to use them as a replacement for login username and passwords for a more secure SSH or SFTP access. I have also added a PKI Key manager which can be used to generate, import and store keys which can be used from inside the SSH or SFTP tools.

Second, I added an interesting feature that shows all current connections to and from your device. This is quite useful if you want to identify other Apps on your device which call home or open hidden advertisements to make money. Such connections will be displayed in the new tool.

Normally and as already mentioned in other blog posts, I use a network sniffer on my Linux computer to find undesired network connections from Apps that are installed on my device. This was quite time consuming and complicated.

With the new Connections tool of NetworkToolbox, I was already able to identify a couple of new bad connections within a few seconds. It was even helpful that I was able to combine this with other built-in tools such as the certificate tool which helped me to quickly identify each connection as either normal (like Apple or mail connections) or undesirable sites like or which ended up quickly on my firewall.

Just two examples of what is coming next.

I can’t wait to release this update to you.

So please stay tuned and … don’t trust the evil!



You better remove PHP FileManager

If you are running a website and are using PHP FileManager you can be quite certain that your webserver has been compromised. The reason is, PHP FileManager, sold by Revivedwire, has had a backdoor since 2010 along with several other critical security vulnerabilities. Revivedwire was informed a long time ago but until recently still sold PHP FileManager along with the backdoor and vulnerabilities. Can that be right?

I said “quite certain” because PHP FileManager installations can easily be found using Google (you don’t even need Morpheus or Shodan). As already disclosed, the backdoor username is simply ****__DO_NOT_REMOVE_THIS_ENTRY__**** and the md5 hash for this username is da26c70fc120d803e24bff0c5e5f6bdd. A quick Google search for this hash reveals that the equivalent password for this hash is travan44.

Using these credentials, additional users can be created with full admin rights, files can be uploaded and executed remotely so one can not only download sensitive files but also get full access to a webserver within seconds.

There are ways to remove this backdoor from an existing installation but because PHP FileManager contains so many additional critical and easy to use security vulnerabilities, the only recommendation I can give is to completely get rid of it.
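To find out whether a copy of the backdoor entry is sitting on your own server, the two strings quoted above can be searched for under the web root. This is an added example, not part of the original post or of PHP FileManager; the size limit and the file names in the constructed test tree are assumptions, since the post does not say where the product stores its users.

```python
import os
import tempfile

# Indicators quoted in the post: the backdoor username and its stored MD5 hash.
# Both are kept lowercase because file contents are lowercased before matching.
INDICATORS = {
    "backdoor-username": b"****__do_not_remove_this_entry__****",
    "backdoor-md5": b"da26c70fc120d803e24bff0c5e5f6bdd",
}
MAX_BYTES = 5 * 1024 * 1024  # skip large media and archives (assumed limit)

def scan_webroot(root):
    """Return sorted (relative_path, [indicator names]) for files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read().lower()  # hash may be stored in either case
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            found = sorted(k for k, v in INDICATORS.items() if v in data)
            if found:
                hits.append((os.path.relpath(path, root), found))
    return sorted(hits)

def demo():
    """Scan a constructed tree; the file names and layout are made up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "fm", "conf"))
        samples = {
            "index.php": b"<?php echo 'hello'; ?>",
            "fm/conf/users.php": b"$u['****__DO_NOT_REMOVE_THIS_ENTRY__****'] = "
                                 b"'DA26C70FC120D803E24BFF0C5E5F6BDD';",
            "fm/readme.txt": b"constructed file without indicators",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, found in demo():
        print(rel, ", ".join(found))
```

A hit confirms the backdoor entry is present; a clean scan does not clear the product, because of the additional vulnerabilities mentioned above.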

Don’t trust the evil!



P.S. I am already working on the next version so stay tuned.