NetworkToolbox news

Beware of using eCards – instead have a Merry Christmas

Most of you may view eCards as harmless ways to spread Christmas cheer. You may think they are convenient or fast and easy and there’s no hassle queuing up at the post office and trying to beat the Christmas postal deadlines.

But most of them are anything but harmless. At least I don’t know a single service I would recommend.

eCard providers are well known as Email collectors. They sell the Email addresses you entered and even analyze the message you select or added to your seasonal greetings. They usually send a tracking code along with the mail and claim this is to generate a receipt for the sender but in addition, they keep the receivers IP address and will know where exactly he lives.

Last year, some even distributed viruses along with their greeting mail.

If you like to do yourself and especially your friends and loved ones a favor, don’t use eCards. Instead, write a regular letter or just call them (of course don’t Skype them).

And if you receive an eCard via Email, you better delete it. Maybe send the originator a link to this post and call him or her.

Don’t trust anything which is for free – don’t trust the evil.

New data update

Today, I sent out another data update with a new MAC Database and some other changes (Thanks Martin and Mike for your hints and help!).

A new app update is already under development which will cover a lot of suggestions and will offer some new features. I will need some more time to get it completed and tested but early next year I expect to be able to send it to Apple.

I really appreciate all your support and suggestions. Please continue to write if you have questions, suggestions or even find bugs (thanks Emile).

To you and your families, have a Merry Christmas and all the best for 2015!

And don’t forget: don’t trust the evil.

Best regards,

NetworkToolbox news

Your 10 Year Google History

Just a quick one:

Are you a google member (even because of YouTube or gmail) ? If so, login to your google account and select:

Then, head to “Things you search for”.

Isn’t it interesting to see what you searched for even 10 years ago. I believe Google also agrees.

If you don’t agree, you can delete all entries here and select “Pause” on the previous screen.

The same applies to “Places you have been”, “YouTube searches” and “Things you have watched on YouTube”.

Even here, you can delete and pause everything.

But no worries, be assured that Google will keep a backup – just in case.

By the way, Amazon does the same with all your purchases and all Items you ever searched for.

Don’t trust the evil.

NetworkToolbox news

UPDATE: Verizon spies you out! – Verizon test added to NetworkToolbox

Verizon spies out their customers and creates behavioral profiles by deep packet inspection. They then even sell your data to make even more money.

You don’t believe me? Read further and finally check for yourself by using my recently added test to NetworkToolbox.

What Verizon does is that they insert some data to every network stream that goes from your device through their Wireless Cell/G3/4G/LTE network whenever you access any website. They are adding a special X-UIDH header that works like a supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. There is even no relationship with Verizon required.

This supercookie acts like a super UUID which uniquely identifies you to the website. Any website can track your visits and re-visits and linked websites can even track your visits to different websites.

But even worse: Verizon sells your identity to websites and closes the link between you as an anonymous visitor of a website and your real personality. It is unknown yet to what extend Verizon sells your personal information but they do and they are making lots of money with it. They call it “PrecisionID”.

Apple was blamed about the existence of the unique device ID and recently they even removed the MAC Address (as you, as a NetworkToolbox user will know). But such IDs can never be as dangerous as a unique ID inserted by your provider to any network stream between you and a website.


After hearing about that, I quickly created a scan for this type of information. To run this test, just perform a data update in your NetworkToolbox (if you don’t already did). Then, head to the “Security Check” Icon and select “Verizon Supercookie Test“.

Verizon offers the following website to switch off this supercookie: (This link needs to be copied and opened in Safari. Read below “funny side-storry” why)

I strongly suggest to use that service and once Verizon claims they switched it off, use the test to double-check if they really did.

Even if you are not a Verizon customer, just run this test and see if there is anything else your provider adds to your data stream. If so, please let contact me. Maybe we can reveal another spying provider. Would be interesting.

Funny side-story: If you visit the aforementioned link of Verizon, you will visit a website with a wrong certificate. Normally you should never bypass such a warning of your browser (even though not all browsers will generate a warning). You can use NetworkToolbox to see what’s going on here. Just use the “Certificates” tool of NetworkToolbox and enter and port 443 (which is HTTPS). Now in the first line you can see where the issue is. It says “” but must say This is, why you get the warning.

So much to their technical expertise. Do you still trust them? I don’t.

Don’t trust the evil!

P.S. I am receiving a lot of mails from users per day. Some of you have new ideas but mostly questions. That’s fine and I really appreciate any mail. Please be patient if you don’t receive an immediate answer. I will either be busy on app improvements (like these days) or with answering mails.

However, based on the amount of mails, I assume there are a lot of people using my app even on a daily basis. On the other hand, there are just a few app reviews yet. If you are unhappy with my app, please let me know. My goal is to keep (or make) NetworkToolbox the best Network utility on the AppStore.

If you are happy, please write an app review (there is a button for that inside the app). App reviews are so important for app developers. Think about yourself: when will you purchase an app ? Yes, when there are many reviews saying that this app is great.

Thank you!

NetworkToolbox news

Do you know flurry? It spies you out!

If you hear about “flurry” and think of a sort of ice cream, you are wrong, the opposite might describe it much better.

I recently started again analyzing the traffic that is passed between the Internet and some well-known apps we may use on a daily basis. Unfortunately, such analysis is not possible with my app NetworkToolbox as Apple restricts raw-socket access so I had to use my Linux PC for this.

The situation is still quite scary. Many apps are sending detailed information about your app usage, device and personal information to third party companies. This is not new but seems to get even worse. Yelp for instance uses three services in total such as (see, (see, (see and of course google analytics. Other well-known candidates are

The worst thing I have seen was however (see Apps using the flurry service connect to and loads of information regarding my device type, name, several IDs, app usage, settings etc. will be submitted to flurry. Even worse, most apps even don’t even encrypt this information when it’s being sent.

This screwball data collection nightmare even slows down the apps and uses up my bandwidth.

This is ridiculous!

You may think, what can we do against this ?

There is a quite simple solution at least for your home network so when you are connected via WiFi from your device.

The solution is to use the child protection mechanism of your router, if available.

In my favorite AVM Fritz router, I can maintain a blacklist of websites or IP addresses that should not be available from inside my network. This is basically to prevent kids from visiting certain websites. However, this also works perfectly to protect against these evil flurry scammers. Most routers have a similar blacklist available. Sometimes it’s quite hidden and cumbersome to maintain and enable but it’s worth to spent some time in this research.

So just add (or even to that blacklist and you are fine.

You can also add the following for some of the other scammers:

and you may also want to consider:

and if you finally want to get rid of most of the adware even in apps, just add:

So once this is done, you will even experience that some of your apps will run faster, as some of those scammers didn’t even invest in fast servers. Flurry has a extreme high latency, at least in Europe and it even takes quite some time to submit all the device information and app usage to flurry.

(By the way, did you name your device something like “Mike’s iPhone”. Don’t do that otherwise they will even know your name).

As always, don’t trust the evil.

Best regards,

P.S. if you are interested reading more articles, just head to my website The app only shows the last fifteen articles due to traffic reason.

NetworkToolbox news

Shellshock – update #2: Yahoo and hacked

(see updates at the end of this article)

You may have heard already about the newest security issue Shelshock which already claims to be the worst ever computer bug. I partly agree to that statement.

In short: Shellshock is a bug of a program called “bash”, which is installed on non-Windows systems such as Linux and even Mac computers. The bug allows hackers to send commands to a computer without having admin status, letting them install malicious software within systems.

We all can be affected in two ways by Shellshock:

1.) If you run a computer/server (or device) that can be accessed from outside

2.) If you access a website on a server that has already been compromised

Regarding 2.) there are already servers, known for being compromised by malware which has been installed by using the Shelshock bug. Without being too pessimistic, I think it is not unlikely that will see soon such malware that captures sensitive user information on website visitors or access databases with sensitive information. This is possible as the malware, injected by Shelshock has full system access. Let’s hope that admins of those website will update their systems quick and carefully watch their server log-files.

Regarding 1.) If you run a linux computer your own (all Mac users do) or run a webserver with linux you may be affected if the bash version on that machine has not been updated recently.
You can test for the issue by entering the following command:

env x='() { :;}; echo vulnerable' bash -c "echo no problem"

If you see two warning messages and the message “no problem” you are safe. If you see vulnerable you are in trouble if this system is accessible from the internet.
Depending on your linux distribution, you should update your system by “yum update bash” or “apt-get update” followed by “apt-get upgrade” or possibly other package managers you are using.
All current Mac computers are also affected. Yet, there is no update from Apple but updating bash (and sh) is not too complicated. A good explanation can be found here:

Thus, securing your own systems is quite easy and you should hurry to do so.

However, what about all the devices, running linux like routers etc. ? “bash” is a quite heavyweight software which is not ideal for small devices. For instance OpenWRT/DD-WRT doesn’t use it. However, some routers and other devices such as streaming clients have bash installed and definitely need to be updated in order to get secured against Shellshock.

From my personal experience, I expect several new vulnerables and attacks for such devices in the near future. So you better should check for updates on all your devices.

UPDATE #1: Several of my webservers are already under attack, mainly from China. The biggest server is which currently searches for insecure servers and executes a script from I would strongly recommend to any webmaster to scan their logfiles for strings like ‘:;}’.

UPDATE #2: Yahoo and were not as quick as us. They have been hacked already. If you have a account or are registered at I urge you to change your passwords. Don’t wait. You will find more information here:

Don’t trust the evil



NetworkToolbox news

Anatomy of a scam attack

Today, I received again one of those scam mails which informed me about an issue with my PayPal account and asked me to re-enter my account details.

You all know about these funny mails. It is still interesting that people still fall into this trap. Anyway, I trust you do what I usually do: Just delete such mails.

However, this time I spent some time analyzing this scam a bit:

1.) Mail header

By looking into the source of the mail. I found this:

Received: from unknown (HELO (

This means, the mail was sent from a server called By visiting the website, I found that this is a regular computer company. Most likely, their mail server is insecure and allows relaying and so, the scammers did misuse their server to submit this mail. But that’s not really surprising and helpful. Maybe somebody should inform about this issue on their server.

2.) Mail attachment

As most of these type of scam mails, this mail also contained an attachment. This time just an HTML script which contains the form I should fill out in order to get my account re-activated.

By browsing through this script I found they did use some images and links directly from PayPal and some others from can be used to upload images. Maybe somebody want to contact and ask who uploaded the image 3wpnm7loj/STRADA.png for instance.

Anyway, the interesting part is, to whom the form will be sent after it’s filled out and here we are:

form class='safeSubmit multiplesubmitform' method='post' id='signup_form' name='signup_form' action='' onSubmit='return sTest();'

The form is being sent to Entering this IP address into the Domain Tool of NetworkToolbox reveals that this is a server in Russia, hosted by which is known as a very liberal web hoster.

3.) and so…

Nothing really. This was a real simple one. Even the script was coded badly and the text contains some dreadful spelling mistakes which makes it quite easy to identify this mail as scam. It should now even be easy to identify those guys but I doubt that somebody in Russia will care.

However, even though it would only help for this specific type of scam, I would recommend (again) to block direct IP access in your firewall / router (the parental controls offered by some routers are doing a great job for this) and you may want to block the address ranges of which is ( – because most likely, you won’t visit a website hosted at Blocking direct IP access will redirect you to an error page of the firewall/router whenever a link will be opened that only contains an IP address rather than a fully qualified domain name. Yes, of course, those guys could have registered a domain name in addition but then, they would have left another trace and just recently, the ICANN has started an initiative which makes it harder to register a domain anonymously.

So… Don’t trust the evil!



NetworkToolbox news

Starting other Apps from Network toolbox and vice-versa by URL Scheme

With the latest release of NetworkToolbox I introduced the possibility to use external apps as well as the opposite to use NetworkToolbox from other apps.

Some people contacted me and asked, what the heck does this mean and what is the purpose.

1.) External apps for NetworkToolbox

You all know the nice and useful selection-list that appears for instance, if you hit the […] button on an entry of a result list (e.g. a Network scan or Morpheus search).

This list offers you to use any other Tool of NetworkToolbox on the selected entry in the list. For instance, you can run a port scan on each entry of a Network scan or you can open the Browser tool after the port scan reveals an open port 80 etc.

For your convenience, the list highlights all entries that would make sense for a selected entry and even scrolls to those entries. For instance, if you selected a port 80 address, the HTTP tools will be highlighted.

Besides the Copy, Bookmark and E-Mail options in this selection-list the other entries range from Domain Infos until Trace route.

You can extend this list further by adding external apps in the settings section of the app.

This is useful, for instance, if you want to use your favorite remote access app from within NetworkToolbox.

To understand, how external apps can be started, you need to understand the term URL Scheme. This is basically the first part of a web address such as http://. In this case, http:// is the URL Scheme of Safari on your device. Other apps must not but can provide their own URL Schemes which will start a particular app when it’s being called. For instance, most popular VNC viewers are using the URL Scheme vnc://. To try this out, just open safari and instead of just type vnc:// and see what happens. Maybe your VNC app will start. Of course, the URL Scheme and the parameters that need to be used after the URL Scheme highly depend on the app itself.

To learn how to integrate your favourite apps into NetworkToolbox, just open the “External Apps” section in the settings and press the (i) Info button.

2.) NetworkToolbox as external app

Also NetworkToolbox offers URL Schemes to other apps which is nettb://. You can use this to open and perform tests with almost any tool offered by NetworkToolbox (Further down you will find a list of parameters, offered by NetworkToolbox).

So how can this be useful ? I will give you an example:

If you want to perform certain tests on a regular basis let’s say a website crawl for a few websites let’s say to, and For this, just open the built-in Notes app on your device and enter the following line by line:


Now, press done and re-open the note. You will see that those lines have been converted to links. Once you tap on a link, NetworkToolbox will be opened to perform a web crawl on the given website.

Of course, the same way you can call NetworkToolbox from any app that offers the possibility to call external apps by URL Schemes.

List of URL Scheme nettb:// parameters:


NetworkToolbox news

Greetings from Def Con 22 – Improve your router security

As I covered this subject quite a few times here, Craig Young had a few good suggestions to improve your router security:

  1. Don’t enable remote management over the Internet
  2. Don’t use the default IP ranges. Predictable addresses make attacks easier. Rather than, consider or something else which is not commonly used. This is a simple but effective technique for decreasing the likelihood of a successful attack.
  3. Don’t forget to log out after configuring the router. Not logging out can result in a situation where the web browser used to configure the router remains authenticated, which opens the door for attacks.
  4. Turn on AES backed on WPA2 encryption and turn WPS off. Regardless of the complexity of your WPA2 password, don’t forget to switch off WPS!
  5. Passwords matter: Default passwords are often the same for an entire product line or are generated from a common algorithm making a device easy prey for an attacker. It is imperative that you and other users change passwords rather than using defaults.
  6. Keep the router firmware up-to-date.

If you follow these six points, you are still on risk if your router vendor included some back-doors or ‘forgot’ to fix security issues with updates. However, it’s the minimum you should do yourself in order to increase your router security.

If you use Morpheus or Shodan from within my app, you will know that millions of users don’t.

Don’t trust the evil.

NetworkToolbox news

New release 7 available!

Fortunately, after several months of development, the new release 7 of NetworkToolbox is now available on the AppStore.

It took quite some time to implement all of my ideas and suggestions I had on my To-Do list but it’s now done.

I even used the opportunity and made the app already compatible to iOS 8 but the main intention of the new release was to improve the usability and add some cool new features.

See what’s new about NetworkToolbox release 7:

■ Improved user interface
The user interface has been improved significantly to increase the usability, convenience, and effectiveness of NetworkToolbox.
It is now even easier than before to switch from the scan results of one tool to another for further analysis.

New tools:
There are now 24 tools in total.

■ Bonjour
Bonjour, which is Apples zero configuration protocol, can now be scanned and analyzed by NetworkToolbox. You will be surprised how many devices talk Bonjour in your network.

■ Certificates
Another new tool can be used to analyse and display server certificates in a readable form. Such certificates will be used to secure websites such as banking sites. Recently, some certificate authorities have been compromised and issued insecure certificates e.g. even for google. NetworkToolbox can now reveal such certificates.

■ Bluetooth LE
As Apple recently introduced iBeacons in their stores which are basically Bluetooth LE (low energy) tokens, NetworkToolbox now offers a new tool that can be used to scan for and analyze such iBeacons or any other Bluetooth LE device easily.

■ More and better device information
The Device Information tool now provides much more information about your iPhone/iPad such as Cell, Cell-Carrier, Hardware, Memory, CPU, Sensor and sensitive device ID information.

■ External app integration
NetworkToolbox now integrates also with external apps. External apps like your favourite remote access app can now be used from inside NetworkToolbox and the other way around. NetworkToolbox can now be started from inside other apps e.g. even by safari.

■ Shodan improvements
Shodan’s new API has now been integrated and you can even use your own Shodan API key.

■ Socket / Telnet improvements
The Socket tool now supports sending of special characters like ^C, TAB etc. It also includes new settings for echo and line wrapping and can even show non-printable characters in HEX.

There are much more new features that can’t be listed here.

Please note: Don’t forget to install the latest data update.

For those changes, major parts of the app have been re-coded but even though the app has been tested by several beta testers and on many different devices and iOS versions, there may be some bugs left that have not been found.

As always, please let me know about any bug, change request or suggestion, ideally using the support button inside the app and I promise to fix any bug real quick.

Again, many thanks for your feedback.

Please don’t forget to rate the app or update your review. Unfortunately, with every update I sent out, your previous reviews disappear. But you just need to slightly update your previous review to let it appear again. Many thanks for this.

Kind regards,


NetworkToolbox news

New update 6.07.01 available

Among some minor changes “under the hood”, this update contains:

■ Again, improved Morpheus
The Morpheus search engine has been improved further and is now better integrated into the app.

■ Custom Port ranges for the Port scanner
It is now either possible to select individual port ranges for all HTTP Services, Mail Services or upper/lower ranges or even enter individual ranges for scanning manually.

■ Custom Password list
In addition to the built-in default password list, it is now possible to maintain and use a custom password list for the HTTP, Socket, FTP, SFTP Tools. This way, you can pre-enter the know credentials of your servers and devices if you like.

■ Collect discovered password
Once you discover a username/password combination, you can now even store your findings along with the host information for later reference in the custom password list. So now, there is no need to write it down anymore. An explanation of these new features can be found in the updates info (i) texts.

■ Reverse DNS lookup
The Domain tool now also supports revers DNS lookups. So for instance, if you just enter an IP address, this tool may also show the domain name if there is a domain name registered for that IP address.

PLEASE NOTE: This app update also requires the installation of the newest data update. So please also use the “Check for data update” button in the settings screen of the app. The installation order (app or data update) does not matter.

The next app update will be a new major version I am currently working on.

Please remember to write or update your app review. This keeps NetworkToolbox going.

Thank you and kind regards,

NetworkToolbox news

Router back-door test added

In order to test for the recently revealed router back-door (please read my previous post), I have added the affected port to the port scan tool.

Please install the latest data update for NetworkToolbox in order to download this update.

To test for this back-door on your router, start the port scan tool and enter the (local!) IP address of your network router. If the result list contains the entry named ‘Possible Router Back-door’, your router might be affected. If you don’t see this entry, you are most likely safe.

Kind regards,


NetworkToolbox news

Happy New Year

I hope you have all made it through the holiday season secure and are ready to take on the New Year!

Unfortunately, this year starts with another scary router story I have to tell.

Eloi Vanderbeken from France spent his days over the holidays to explore his router. What he found may not really surprise you as a reader of my NetworkToolbox news. He found a back-door in his router.

This time (again) several Netgear, Cisco/Linksys routers are affected. The following routers models are reported to contain the back-door:
[su_list style=”arrow”]

  • Linksys/Cisco: WAG200G, WAG320N, WAG54G2, WAG120N, WAG160N, WAP4410N, WRVS4400N
  • Netgear: DM111Pv2, DGN1000, DG834G, DGN3500, DG834, DG934, WPNT834, WG602, WGR614
  • Diamond DSL642WLG and LevelOne WBR3460B


The scary part of the story:

  • The back-door is quite easy to use.
  • It is quite easy to read out the whole configuration, including passwords out of these routers
  • According my own investigation by using my Morpheus engine, some of these routers (such as the DG834) also exposes this back-door to the Internet.

Due to the “ease of use” of this back-door and the fact that the whole configuration can be read out remotely over the Internet, the owners of the effected routers are under great danger.

My recommendation, if you own one of these routers, switch them off as quick as you can and throw them away and buy something else but Linksys/Cisco or Netgear (and D-Link as mentioned earlier). Even though other routers may (or will most likely) also have back-doors and may be vulnerable but not as easy as those candidates.

Anyway, back to NetworkToolbox.

During the holidays, I received several very good suggestions and ideas. Many thanks. I already started working on most of them so there will be another App update with new features and improvements in a few weeks (hopefully).

I was able to implement one request (Thanks Tim!) immediate which is already available to you. If you now use the domain tool to search for information about an IP address, this tool now also does a reverse DNS search so you can see the domain name of the IP.

Again all the best to you and have a secure 2014!

Kind regards,


NetworkToolbox news

Beware, your TV is watching you

In the past, we were watching TV, nowadays our TV is watching us.

You don’t believe me? Then continue reading…

You may already own one of those so called smart TVs that add Internet access, cloud functions, apps, Facebook, Skype etc. to your living room. So now, we must have everything we need and will love to use all those fancy new functions from our couch by using our remote control, don’t we?

Have you ever had a look to those strange and hidden settings and disclaimers on your TV? If not, maybe it’s time to do now. You will be surprised. Toshiba TVs for instance offers a disclaimer (down the menu after two other trivial disclaimers) which tells you what kind of data Toshiba collects from your TV. The list of what they collect fills a couple of pages and contains information like when and what kind of channel you are watching etc. Of course, this all is enabled and you have to actively disagree to this disclaimer.

Ok, let’s just disagree and we are done. Really ?

LG for instance has a setting called “Collection of watching info” which can be enabled and disabled. But too bad – even if you disable this setting, LG TVs will continue collection everything. So they just don’t care and ignore your decision.

Ok, so they know what I am watching. Who cares ? I personally would, to be honest.

Recently it was found that LG for instance is also interested in knowing what’s on you USB device you connect to the TV. It reads out filenames and sends them home. But because everything we are watching via USB is legal and everybody can know what we are watching, yes, maybe we don’t need to care.

Wait a minute, everybody ?

Yes, potentially everybody with access to your network as this information is not encrypted at all.
I personally don’t like my TV watching me so I just have most of the TVs at home not connected to the internet at all – at least not via WLan. But as the LG case shows, there is not much we can do against it if we connect it to the internet. At least we should not trust our TV.

So again, like I used to say, don’t trust the evil.

Have a nice post-Thanksgiving weekend,

kind regards,

NetworkToolbox news

European Parliament hacked

You may have already read about the recent successful attempt of a hacker breaking into mail accounts of European Parliament members. I don’t want to repeat the story here which can be found on numerous locations on the web.

Just in short: The EU Parliament uses an old Microsoft Exchange mail system along with a synchronization component called Active Sync on mobile phones. Both components have many and well known security flaws which were not fixed (or have not been replaced I would say). It was quite easy for the hacker to perform some kind of MITM (man-in-the-middle) attack while he was just sitting close to the parliament and waits for somebody to connect to the exchange server via WiFi.

So what is the lessen we can learn here. First of all, the IT department of the European Parliament did a really bad job. That’s quite obvious and there is no excuse for that. They even allow Windows XP computers inside their network which is like if they would roll out a big poster on the Parliament which reads “Hackers Welcome!” – unbelievable.

So thats not really a lessen we can learn so what else went wrong? As with this and other MITM attacks, there are often indications that something is not right. For instance, if somebody has compromised your network you may see “wrong certificate” messages in your browser or Email system or https: connections switch over to http: connections and things like that. In this case, users did receive an error message which they just confirmed and thus the hacker got access to the mail account. Of course users, especially users of Microsoft software may already got used to error messages but again, such messages should never be just ignored. So if your own network setup produces regular error messages, I can strongly recommend to find and solve the reason for that. Once it is solved (or even when not) see those messages at least as a reminder to change your passwords – which should happen on a regular basis anyway.

What else? The hacker did use WiFi for his attack. It is so easy to fake a public WiFi hotspot or to listen to communication that goes through a public WiFi hotspot that doesn’t use extra encryption. This attack could have been prevented if the Parliament members would have used a Cell/3G/4G/LTE connection instead of WiFi. You may wonder why they did use WiFi. If you look at the names of the people who have been compromised you will notice that all seem to be from other EU countries but France. In Europe, unfortunately, if you cross a border, you got pushed back to stone-age in terms of communication. In Europe there is almost no global data roaming available which means you have either to use GPRS at speeds of 171kbs or accept ridiculous communication costs. I doubt that the Parliament members had the costs in mind but they rather found that Internet is just not working on their devices without WiFi when being in Strasbourg.

Even though I think you as a user of NetworkToolbox are aware about the insecurity of WiFi but just in case: Try to prevent to use public WiFi hotspots wherever and whenever possible. Always give cell/3G/4G/LTE communication precedence if available, even if slower. Although these Networks are not 100% secure and by no means against NSA, GCHQ but way way more secure than any WiFi connection. It seem to get a common hobby for kids sitting with their laptops or phones on public places or transports and to setup their own “Free and secure Internet connection” to grab other peoples Email accounts and Facebook credentials. Moreover, I have seen so many wrong and insecure configured public WiFi networks that let anybody who is logged in to the network browse any computer connected to that network at the same time. You can try it out yourself with NetworkToolbox. You will be surprised.

Of course, sometimes there are no alternatives to WiFi and if you have to use it, ensure that your device is secured enough and try to prevent to send credentials at all or at least unsecured over the WiFi network. You can ensure this by using just https: connections when connecting to facebook etc. Even if you don’t plan to check your mails over WiFi and even if you just like to quickly browse a certain website, keep in mind that your mail client most likely will check for new mails in the background once you are connected. So ensure that you mail client has been setup using SSL/TLS etc. In addition, I change my passwords every time when I come back from vacation or business trip as even the aforementioned measures can not 100% protect you.

Next week I will write about security issues with TV Sets from LG and others that are known to spy out your privacy.

So as always, don’t trust the evil.

Have a great and secure weekend,



NetworkToolbox news

D-Link router back-door

As you may have already heard, the following D-Link routers have a back-door built in:

DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240

and there are even some more from other vendors. D-Link can now line up with HP (see my post here) and many others.

There is still no excuse and reason for Vendors for building in back-doors in their products. However, keep in mind that the recent findings of back-doors only revealed very silly and odd implementations. There may be much more, not so easy to find back-doors that may allow NSA (or even worse) to access your equipment.

I said “silly” as this back-door again contains the name of the originator. The way how this back-door is working is just by using the following string as HTTP Agent “xmlset_roodkcableoj28840ybtide” and if you read this the other way round, you will know the name. Silly isn’t it. This will probably speak for itself about the code quality of this guy.

However, as I still had one of those D-Link routers in my basement, I created another Demo-Video that demonstrates how to test your own router for this back-door using my NetworkToolbox app.

Quite easy to do. So I would recommend to apply this test on your router, if you own a D-Link one.

Stay tuned,



NetworkToolbox news

Find Medion NAS-Servers on the web

Thanks to SHODAN (please also visit Johns website at and don’t forget to contribute his work) it is quite easy to locate MEDION NAS-Servers on the web.

This is also a very good example on how to use NetworkToolbox in combination with SHODAN.

  • Step 1. (spy your device)

First, given that you own such a MEDION-NAS Server (but any oder device with Web-Interface can be used as well), just open the Socket tool in NetworkToolbox, type in the IP of this box, select port 80 and tap on connect.

  • Step 2. (locate uncommon and unique strings)

Next, tap on the HEAD command on the command-bar at the top, then press OK to confirm the host (the NAS accepts any host)
Then, you will see what the NAS Server returns such as:

HTTP/1.0 301 Moved Permanently
Date: Sun, 01 Sep 2013 07:16:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8o mod_wsgi/2.4 Python/2.6.2
Location: http ://XXX.XXX.XXX.XXX/cmd,/ck6fup6/register_main/redirectHome

The interesting thing here is the ck6fup6/register part which is quite uncommon.

  • Step 3. (search by using SHODAN)

Now, you can enter this part or pattern as search term in the SHODAN tool. SHODAN will find many MEDION-NAS Servers mostly in Europe of course. Not sure if some of them still use the default credentials which can be found in the manual, which is available on the web. It’s admin and 1234.

Today’s data update will add the aforementioned pattern as SHODAN search term (the list that appears when tapping the ? button) and also, this information has been added to the “How to” section in the Resources tab.

Stay tuned,


P.S. I am already working on some improvements for NetworkToolbox. Especially the Network- and Portscan deserves some improvements.

NetworkToolbox news

Lavabit died

Unfortunately, one of the best (maybe only) secure mail service closed their doors.

Ladar Levison, the Owner and Operator of Lavabit was put under pressure by US Government to disclose users data. He decided against it and closes his service. He deserves our greatest respect although the end of lavabit is sad.

You can still read his clear statement on his website at

He leaves no doubt about the security of data residing on US servers and networks.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States, Ladar said.

So, don’t trust the evil, like I used to say.

Stay tuned,


NetworkToolbox news


This is a warning for a severe security issue with many Asus Routers.

Almost all RT-Axx and RT-Nxx routers and probably more have a directory traversal issue.

By just adding the parameter /tmp/lighttpd/permissions to the IP address or url of the router, the password file can be downloaded which contains all usernames and passwords of all users, including the administrator.

Even more worse, it is possible to execute any executable on the router or even upload or modify additional executable or files.

Asus is aware about this since June. There is no update available yet and even not a warning on their website.

This issue is so severe because those routers are quite easy to find e.g. by using the included shodan tool and by searching for which is the suffix of the dynamic domain which will be created by Asus AiCloud service.

More worse and even another implementation flaw of Asus, by searching for this term, hackers will automatically know the first part of the dynamic dns entry (the part in front of which means that all routers that are being found by shodan can still be compromised even if the IP address has been changed meanwhile.

As there is no security update available yet, ALL those routers and ALL FILES in Asus AiCloud can be accessed as if there would be no password protection at all.
A single Search for such routers in Chicago returned 171 AiCloud devices and Berlin 130.



– Ideally, replace all Asus devices

If that’s not feasible :

– Switch off all AiCloud services (there are actually three) on your router
– Disable all UPnP services (which is even good for all other situations)
– Disable remote access
– Change all username and passwords

Stay tuned,


NetworkToolbox news

Be carefull if you use a Ruckus device

If you are using a Ruckus Wireless router, doublecheck if you really have changed your default password as this router can be maintained from the internet and that can’t be switched off.

A quick search for Ruckus with the shodan tool reveals that many of those routers are installed worldwide and very likely, most of them will use the default username super and password sp-admin.

Affected devices are:

ZoneFlex 7731 802.11n Wireless Bridge
ZoneFlex 2942 802.11g Access Point
ZoneFlex 2741 802.11g Outdoor Access Point
ZoneFlex 7942 802.11n Access Point
ZoneFlex 7962 Dual Band 802.11n Access Point
ZoneFlex 7762 Dual Band 802.11n Outdoor Access Point
ZoneFlex 7762-S Dual Band 802.11n Outdoor Sector Access Point
ZoneFlex 7343 2.4GHz 802.11n Smart Wi-Fi Access Point
ZoneFlex 7363 Dual Band 802.11n Smart Wi-Fi Access Point

which all use the same pre defined username and password.

Moreover, the following devices even have an empty username and password:

ZoneDirector 1000
ZoneDirector 1100
ZoneDirector 3000

The default username and password will be added to the default password list of this app with the next data update.

Kind regards,


NetworkToolbox news

Unbelievable but true! Backdoor in HP’s Backup solution

Not only that we users have to live with poor quality soft- and hardware that makes it easy for hackers to break into our systems. On top of that, soft- and hardware vendors implement their own backdoors to our systems.

It’s hard to believe but often true. Just recently a backdoor in HP’s storage system StoreOnce was revealed. It will probably remain HP’s secret why they spent resources in implementing such backdoors rather than increasing usability and security.

Maybe it was kind of preemptive obedience for those guys from NSA or GCHQ or just a brain fart of the head of HPs development department, who knows. Definitely it was not to the advantage of us users. If you ask HP to recover a lost admin password, they claim there is no way for doing so and just suggests a re-install. HP seems to be resistant to learning as they can look back to a long history of revealed backdoors in their systems.

So what can we do? Again, don’t trust the evil. Take into account that such backdoors exist. Think twice what kind of data you like to store (or I should better say share) on your systems.
Even if there is an update, backdoors may still exist. For HP StoreOnce storage system there even is no update available more than one month after the backdoor was exposed.

If you own a StoreOnce system, try to use the SSH client included in my app and connect to the IP of your StoreOnce system. The backdoor credentials are:

Username: HPSupport
Password: badg3r5

Yes, the password is ‘ badg3r5’. Unbelievable, isn’t it?