NetworkToolbox news

Ins0mnia and NetworkToolbox

You may have heard about about Ins0mnia which is a security vulnerability that allows an iOS App to continue to run in the background, even if the App was terminated by the user and not visible in the task switcher. Security researchers argue that Apps that are using this Ins0mnia vulnerability may even be able access the microphone or camera without your knowing.

As an App developer I can tell you that camera access is not possible in the background and both microphone and camera access will only be possible if a user acknowledged the request to access those peripherals. Without a user confirmation, even an App using the Ins0mnia vulnerability can not access microphone and camera.

But anyways, the Ins0mnia flaw is not good but it’s good that Apple fixed this security issue with iOS 8.4.1 (so hurry, if you didn’t already update).

So what about Ins0mnia and NetworkToolbox ? Can NetworkToolbox detect Ins0mnia ? I would be scared if that could be the case to be honest. Because that would mean that Apps would have access to other Apps out of it’s own Sandbox. This is only possible on Jailbroken devices and that’s why Jailbroken devices are quite insecure.

But NetworkToolbox can indeed help. With the recently introduced Connections Tool you can find out, if one of your Apps “calls home” which means if it sends data from your device to another server on the Internet. As already mentioned, I created a small tutorial which explains how to do that.

But it’s even easier with Ins0mnia because the nature of Ins0mnia is, that it continues to run in the background and also communicates over the network while in the background.

So here is, what you can do (not only to detect Ins0mnia) :

First, you should close all Apps on your device (double tap the home button and swipe all Apps to the top one after the other).

Then, start NetworkToolbox and open the Connections tool. Normally you will see about 10 to 15 connections. If you wait a while and press the refresh button, this number should go down to about five or even three. If you take a look at these few connections, you should only see Apples IP Addresses (those starting with 17), maybe the IP Address of the mail provider you are using and maybe some akamai domains. That should really be all you see after a few minutes. If you see more and different addresses, it’s worth to inspect them because that’s unusual and can be caused by an App using the Ins0mnia vulnerability.

Don’t trust the evil!

Best Regards,


NetworkToolbox news

New Version 8.2.1 now available

The next version 8.2.1 of NetworkToolbox is now available.

I hope you will be excited about the new features.

Please note: Don’t forget to check for a Data Update also.

So here is what’s new:

[su_list icon=”icon: check”]

  • Introduction of Public / Private keys

The SSH and SFTP Tools now supports Public Private keys for a more secure connection. As key maintenance is usually not so easy, I also added a separate Tool for maintaining your keys. Finally, you can even generate all kind of keys from inside NetworkToolbox. To encourage more people to use Public/Private keys, I wrote an easy to follow tutorial which can already be found here.

  • A Connections Tool was added

This tool can be used to not only but mainly to identify Apps on your device that are “calling home” or establishing undesired connections. There is also a tutorial called Identify hidden App Communication.

  • Completely renewed HTTP Tool

So far, I was not quite happy with the HTTP Tool. On one hand, it was able to reveal a lot of Website internals but on the other hand it often failed to display websites correctly. This has been resolved now. The HTTP Tool was completely re-written and now feels much more like Safari but still allows to perform the parameter traversal and standard password tests.

  • Improved Traceroute

Traceroute now resolves addresses much more reliable and faster than before.

  • Improved Certificates Tool

The domain names that belongs to a certificate are now listed separately one after the other so you can now easily inspect (e.g. visit) each individual website the certificate belongs to. This is especially useful along with the Connections Tool as described in the tutorial.

  • Other bug fixes and improvements

Unfortunately, in the past, some features did not regard timeout values which caused the App to crash in some situations. Also, an iOS bug caused some Tools to crash when one of the Tool Buttons (e.g. in the FTP Tool) were hit while the keyboard was hidden. All that has been solved now as well as some other minor bugs and improvements as usual.


NetworkToolbox news

ALDI / MAGINON / Rollei WebCam findings – Update

This is indeed a scary story.

Today, I went to my favorite discount grocery Store (ALDI) for buying some items. To my surprise, they offered PTZ WiFi WebCams for less than 40EUR (about 45 bucks) so at the checkout I asked for a couple of those cameras.

Once back home, I did some quick researching and can’t believe what I found. The camera came with default credentials (guess what: admin as username and blank password) so I started using my NetworkToolbox to explore the HTTP-Head information of the Camera internal web server. The results were:

Content-Type: text/html
Server: mcdhttpd/1.0
Connection: close

This revealed a very ‘good’ string (mcdhttpd) to search for on Morpheus or Shodan with my NetworkToolbox. Quick searches confirmed that the ALDI Camera was in fact the renamed Rollei SafetyCam. (You will agree that this Camera uses a quite misleading name after read further. ALDI must have known the issues as they call it different 😉 )

Both, Morpheus and Shodan found hundreds of such cameras even around the world. Most of them in Germany, Austria, Hungary and Switzerland where ALDI is locaded and seemed to sell this WebCam. Of course, I didn’t try but I am pretty sure that there are lots of cameras using the same default credentials.

UPDATE: Thank you for your reports, confirming that several of those entries are indeed still using the default credentials.

Until now, you might think, “Ok, so I can look into somebody else’s Garden or nursery room or listen to what the say – so what?”

But it gets worse.

The funny WebCam offers WiFi and direct DynDNS support and so it also includes configuration pages for maintaining those credentials. The good thing is, the Camera supports WPA2 PSK AES and TKIP WiFi encryption, the worse is, the PSK Key will be displayed (and likely stored) in plain text. So once you find such a camera, you know how to access the WiFi network of the owner.

Even better, almost the same applies to the DDNS settings. Here, the Password is a secured text field, but the password can easily be read out. So by this, you even know how to connect to that WebCam (and the network!) in the future.

Can this get worse. Yes, it can:

The same security issues apply to the setting for the Mail that the device can send in case of alarms. Mailserver, mail username and password are plain-text or easy to be read out. So we all can be lucky to get more spam in the future, sent from those WebCam mail accounts. Thank you!

So what is my Point?
[su_list icon=”icon: thumbs-o-down”]

  • I complain that this camera uses default credentials. This is by all means NOT NECESSARY. There are many good alternatives. The simplest would be to request a password change along with the first login. And even if Maginon/Rollei would not be able to fix this security flaw, they should have a big warning in their manual saying “THE FIRST THING YOU SHOULD DO IS TO CHANGE THE DEFAULT PASSWORD“.
  • I complain (even though this is unfortunately common to many devices) that they respond with a unique, easy to identify string on a HTTP HEAD request (mcdhttpd). This fact alone is responsible that thousands of ALDI customers that are on risk now as their devices can easily be found.
  • I complain that they display the WiFi credentials in plain text and don’t encrypt other passwords (DDNS, SMTP Server, FTP, Additional users) so that they can easily be read out with a web browser. This is again simply NOT NECESSARY and INSECURE. I also bet they store them unencrypted (why to encrypt something that is displayed anyways)

I contacted Maginon, informed them about these security issues and asked for a statement but got no response yet.

Some screen shots in the Manual contains dates of the year 2012. Likely this was the year when the Camera was developed. Looks as the security standard is even older and it has never been updated.

Very likely, this piece of hardware contains more internal vulnerabilities and security issues.

This is again an example of how a single device can jeopardize your whole network security when added to your network.

Don’t trust the evil.

Have a great weekend.


NetworkToolbox news


Just to keep you updated.

I have just finished the work for the next Update of NetworkToolbox.

Besides some bug fixes (sorry for the bugs in the current version) and many other improvements, the new version contains two nice features.

First, I will introduce PKI (Private-Key-Infrastructure) features with the next version. This includes possibilities and explanations on how to generate encrypted Public and Private keys and to use them as a replacement for login username and passwords for a more secure SSH or SFTP access. I have also added a PKI Key manager which can be used to generate, import and store keys which can be used from inside the SSH or SFTP tools.

Second, I added an interesting feature that shows all current connections to and from your device. This is quite useful if you want to identify other Apps on your device which calls home or opens hidden advertisements to make money. Such connections will be displayed in the new tool.

Normally and as already mentioned in other blog posts, I use a network sniffer on my Linux computer to find undesired network connections from Apps that are installed on my device. This was quite time consuming and complicated.

By the new connections tool of NetworkToolbox, I was already able to identify a couple of new bad connections within a few seconds. It was even helpful that I was able to combine this with other built-in tools such as the certificate tool which helped me to quickly identify each connection as either normal (like Apple or mail connections) or undesirable sites like or which ended up quickly on my firewall.

Just two examples of what is coming next.

I can’t wait to release this update to you.

So please stay tuned and … don’t trust the evil!



NetworkToolbox news

You better remove PHP FileManager

If you are running a website and are using PHP FileManager you can be quite certain that your webserver has been compromised. The reason is, PHP FileManager, sold from Revivedwire, has a backdoor since 2010 along with several other critical security vulnerabilities. Revivedwire has been informed long time ago but since recently still sold PHP FileManager along with the Backdoor and vulnerabilities. Can that be right?

I said “quite certain” because PHP FileManager installations can easily be found using Google (you even don’t need Morpheus or Shodan). As already disclosed,the backdoor username is simply ****__DO_NOT_REMOVE_THIS_ENTRY__**** and the md5 hash for this username is da26c70fc120d803e24bff0c5e5f6bdd. A quick Google search for this hash reveals that the equivalent password for this hash is travan44 .

Using these credentials, additional users can be created with full admin rights, files can be uploaded and executed remotely so one can not only download sensitive files but also get full access to a webserver within seconds.

There are ways to remove this backdoor from an existing installation but because PHP FileManager contains so many additional critical and easy to use security vulnerabilities, the only recommendation I can give is to completely get rid of it.

Don’t trust the evil!



P.S. I am already working on the next version so stay tuned.

NetworkToolbox news

Again about Piwik

I thought this update deserves a separate post so here is the latest update to “Scary piwik findings“.

It seems my post regarding Piwik caused a lot of rumors and discussions.

Piwik contacted me yesterday with the following mail:

…Unfortunately, not all of the points mentioned are correct and we kindly ask you to issue a public correction, especially because your blog is a valued source of knowledge for many IT professionals. Below we present a short clarification of the two points raised in your article.

Firstly, all Piwik users have the possibility to make their analytics report data publicly accessible by anyone, but this is by no means a default setting. By default, all reports are protected and nobody can view the collected and analysed data without first signing in with a valid user account. It is, however, possible to make reports available to anyone – this feature was developed on purpose and is well-documented in Piwik’s FAQ. Some organisations, such as the Pirate Party mentioned in your publication, decide to make their analytics data open to anyone on purpose. This is mainly because their Piwik data may be of use to their communities.

Secondly, it’s true that some of the Piwik servers’ URLs can be discovered in search engines using allinurl: “piwik/index.php”. We would like to emphasise that this poses no security risk as Piwik, by default, protects all user data behind a login screen and there is no possibility of a data leak. Furthermore, an improvement will be developed by our community to tackle this issue (details:

And here is what I responded:

many thanks for your mail. I mainly agree to almost everything but not with all you wrote.

First of all, let me assure you that it was also not my intention to blame Piwik as I found it to be one of the (if not the) best statistics tools available, especially due to it’s possibility to generate stats without storing IP address information – as already mentioned in my blog.

I am usually referring to Piwik as “the opposite to Google Analytics” which I hope is a compliment.

I am aware and can confirm that the default settings of Piwik don’t allow unauthorized access to the stats per se.

However, my findings did indeed reveal security issues along with Piwik installations as follows:

When using these inurl: queries, you will find a lot of half-done or broken Piwik installations. The diagnostic messages that can be found are very helpful for the webmaster to fix the Piwik installation issues. However it is also very helpful for hackers as these diagnostic messages reveal the physical server directory structures, database names and I even saw DB user names entered by the webmaster. One example, why this is dangerous is the recent ProFTPD exploit for which a hacker will just need to know the physical directory structure in order to copy files to other location which can either be accessed from outside or files that contain information that, once overwritten, will no longer protect files or directories.

Second, even if the default settings of Piwik don’t allow anonymous access, it is scary to see so many installations where it is indeed possible. In most cases it is quite obvious that those installations are not intended to be open for the public and as mentioned in my blog, even if anonymous access has not been configured, in some cases it was possible to download the stats via the Piwik API. This at least sounds as there are webmasters who have issues with a correct configuration of Piwik.

Finally, the huge amount of wrong, mis-configured and unintentionally open Piwik installations surprises me. I can’t remember similar findings in similar cases like some years ago with phpBB.

Regarding the Pirate Party, they seem to have a communication issue as they are talking about different Piwik installations and they claim they are using Piwik since May 18. 2015 but their Stats start in 2011 and they forgot (still!) to update their disclaimers on the two mentioned websites. But that’s no security issue and not really worth to follow up. Just for clarification.

My suggestions to you are as follows:

[su_list icon=”icon: check”]

  • It seems some Piwik installations used to be ok some time ago but for some reasons (maybe changes/updates on a server) seem to get broken. In such situations, I would suggest to not reveal server information on the Piwik Admin website.
  • In general, I would rather suggest storing such information in log-files instead of displaying them so that they can only be accessed with appropriate privileges.
  • I would suggest to split/separate the API URL from the Admisistration and Statistics URL. That would also support the use of .htaccess protection to the Admin and/or Statistics part of Piwik.
  • I would definitely recommend to add the noindex, nofollow metatags as mentioned in your blog but I would also suggest to place an initial robots.txt file on the webserver root if it doesn’t exist or add lines to it if it exists. Both at least hides Piwik from search engines (even though not all engines regard those but Google does and was the main source of my findings)
  • If one or all of the above would be too difficult or not yet possible, at least place some big warnings in your setup documentation or setup UI (like you already do for other purposes)


I really appreciate your efforts to improve security and privacy in Piwik.

This helps to create a better, more secure world.

Thanks again,

best regards,


NetworkToolbox news

Why is McAffee, Avast, Symantec free ? They collect and sell your data! (updated)

Did you ever wonder why companies like Oracle or Adobe always wants to install unwanted software such as McAffee along with their free Java or Acrobat Reader ?

Or why so called “Best Antivirus Software” such as Avast or Symantec comes for free from your provider or pre-installed on your PC ?

Are those companies so generous? Do they only want your best?

You guessed it : No, of course not. They want money. Not just your money.

They get paid for every single installation of this unwanted piece of software!

So why is that ?

Because the unwanted software gets paid because it collects your data and they sell it.

Ok, you don’t believe me right ?

So here is an example:

Avast recently confirmed that they collect your data while running on your PC and scanning for viruses (see here if you don’t believe me)

Jumpshot is selling your data for just as much as US$ 500 per month! per account (see their pricing on

Avast claims that they don’t make money out of that but do you believe this ?

Do you believe McAffee, Ask with their Ask Toolbox and others don’t make money with collecting your data?

I personally don’t.


It’s a funny coincident that Tim Cook yesterday talked about the very same subject. His speech at the Electronic Privacy Information Center (EPIC) is really worth reading and most of what he said speaks my mind. You can find his speech on the verge .

He said for instance:

“You might like these so-called free services, but we don’t think they’re worth having your email or your search history or now even your family photos data-mined and sold off for God knows what advertising purpose,” … “And we think someday, customers will see this for what it is.”

Don’t trust the evil!



NetworkToolbox news

Scary piwik findings – Update 3

Maybe not all of you know what Piwik is. It is very nice tool for website statistics. I like this tool especially because it offers features to hide and even don’t record visitors IP addresses and private information but still generates nice and good website statistics. So I would call it basically the opposite of Google Analytics.

Since Piwik is getting increasingly popular, many websites started using Piwik but like so often, even Piwik requires some basic understanding of PHP, Linux and Server security. Some website Admins seem to be blinded by the easy user interface and assume it is as easy to configure.

Obviously that’s not the case. There are several open (and more worse: half-done) Piwik Installations out there which can be accessed by anyone easily. Such installations are quite dangerous for the webadmin because they reveal a lot of important insight information about the server configuration and it will not take much to use such an installation to hijack a complete server.

You may wonder how such servers can be found. This is also quite easy and in that case Google is our friend (in other cases I would reject this statement vehemently). As mentioned some posts before, Google can be used to search for URLs with specific parameters if you prefix your search term with


so in case of Piwik you can enter

allinurl: "piwik/index.php"

Which will give you a list of websites where piwik is installed. It is funny alone to browse through these findings which often contains error backtraces and error logs.

I was even (not) more surprised that some installations even allowed anonymous access with admin privileges. To check for this, one just needs to add either either this:


or this


to the Google result list url right after


So for instance




There seems to be an issue with Piwik that it is possible to download statistics even if there is no view access. If you add


You will get a nice Excel or CSV file with the website details of Site=1 (change to any other number for additional websites).


I did contact the German “Piraten Partei” before I wrote this blog post. So far: no answer. Meanwhile they responded to the press that they intentionally left the Statistics open to the public. This is fair enough as there is nothing to hide.

However, two questions remain:

  1. why don’t they tell us that they are collecting our information (especially search queries, website referrals and exit sites) ? In their website disclaimer (even on Andrea Bogners website) they say “Eine Speicherung von Verbindungsdaten … erfolgt nicht” which means “we don’t store connection data” which is obviously wrong.
  2. If they intentionally left their Piwik stats accessible, why don’t they officially link to these stats. Is there just an elitist circle who had or has access to these stats ?


Please read this separate post for a further update.

Best Regards,


NetworkToolbox news

Warning when using ProFTPD

This is a security alert, if you are running an FTP server that is using ProFTPD and are using the mod_copy setting.

A serious security issue was found in ProFTPD which allows copying of files such as /etc/passwd or wp-config.php even without authentication. This is a serious issue. Some Servers have already been reported as compromised.

This Vulnerability has been assigned the code CVE-2015-3306.

To check if your FTP Server is vulnerable, I have just added a new Security Check module called “ProFTPD mod_copy exploit (CVE-2015-3306)“.

Just perform a Data Update from the Settings Screen and perform a Data update. After the Update you can select that new test in the Security Check Tool. To run the test, you need to enter the IP address of the server you like to check. The port can be left blank and is optional.

If your server is vulnerable you should either remove the line

LoadModule mod_copy.c



or completely stop the ProFTPD service on your server. As per today, there is only a quick patch available for ProFTPD which requires to compile ProFTPD on your server. I would not recommend to use FTP anyway. Instead use SSH/SFTP.

Don’t trust the evil!

Good luck!


NetworkToolbox news

New version 8 of NetworkToolbox available

Finally, Version 8.1.3 of NetworkToolbox has been released by Apple.

Below is a summary of changes to the previous version. This is quite a long list. There are three new tools (27 in total now) and several parts have been completely re-coded. But this time, once I finished implementing one feature, I can’t wait to implement the next on my list. Maybe next time, I will create smaller updates.

Please support my work on this app by writing an app review. This really keeps this app going so you will also benefit.

If you already wrote an app review, you need to update it as otherwise it will get lost as every review only applies to a certain version.

Many thanks!

List of changes:

■ New Network and Port Scan engines

Network and Port Scanning is now blazing fast and even more accurate than before.

Now, hundreds of addresses and ports will be scanned simultaneously as fast as possible but still with the best possible accuracy. Since scanning is now way faster, all scans are repeated automatically a few times.

Scanning is also now random so that Firewalls and Intrusion detection systems will not immediately identify each scan easily.

■ Bookmarks is now Logbook

A new Logbook functionality has been introduced and the formerly available Bookmarks functionality has been integrated in this new Logbook function.
Logbooks can collect the following type of information

  • Schodan and Morpheus Scan results
  • Network Scan results
  • Port Scan results
  • Links
  • Hosts (= former Bookmarks)

Best of all, Network- and Port- scans can now be compared to each other. This way, you can quickly find out what has been changed in your network between two scans.

Logs can of course also be exported or printed.

■ Custom Device Names

You can now (optionally) assign individual names for your devices on your network. This makes it easier than ever to identify each particular device in the various scans.

These names are tied together with the MAC address. Such a maintained device name will be displayed instead of the network name in a different color.
Custom Device Names can be maintained in three different ways

  • In the Network Scan results. Just open the details of an entry and here you can directly enter an individual name
  • You can export a complete list of a network scan to the list of individual names
  • You can maintain the complete list of individual names from inside the settings screen

■ Improved DNS tool

The DNS Tool has been improved in several ways.

It still provides information about a certain domain with its IP Address, Provider, country and location.

Now, this tool also performs a reverse-DNS lookup with more than one record, if available.
Second, it now provides DNS Server information such as MX, NS, SOA and TXT Records.

■ Devices tool improvements

Now, all available interfaces (not just WiFi, Cell) will be displayed with much more detailed information. This way, you can even investigate your virtual VPN devices.

Proxy information now is also included.

Sensors such as Gyroscope, Accelerometer etc. will now be displayed graphically.

■ HTTP browser

The http tool now contains an improved browser. The browser also now records all requests a website initiate (even requests initiated by scripts) so you can easily inspect scriptfiles, images that are being loaded or even the sources of Ad banners.

The password test also has been improved and can now fill out many more types for login forms.

■ New Security Check tool

This is another new tool which required most of the development time. This tool contains several individual security checks for various exploits or issues. So far, it contains only a few checks but there are more to come over time.

The challenge was to implement a tool that I can use to quickly provide certain tests to you, without the necessity to send out a new app update. This is now possible with this new Security Check tool.
The idea was born when I added the Verizon Supercookie test but that was a quite simple test. Now even more sophisticated tests are possible and I can add all those tests via Data updates.

To use the test, you can either select the test inside the tool from the list or, like with most other tools, when working on results of any tool and using the […] button
I will announce new tests in the news section of the app but not on my website as this is too closely related to this app.

■ New Web-Service Tool

This new Tool allows to explore or debug SOAP and REST Web-Services. All API parameters such as URL Parameters, Header information and Request Body can easily be maintained and even stored under an individual name. The API requests can be executed via a HTTP-GET, -PUT or -POST methods.
JSON and XML results are being displayed in a hierarchical tree browser.

There are a few predefined Web-Service samples included such as the Google Geo API.

■ New Mail Server Tool

This tool checks for POP3, IMAP and SMTP mail services and provides useful information either for your Mail-Client settings and possible improvements for the Mail-Server settings.

■ Resources section has been completely re-coded

The resources section of the app contains a lot of information but wasn’t easy to find and use. It now has a similar user interface like the main app screen. It now also allows me to add more information via Data updates.

■ Various other changes and bug fixes

  • Several design changes throughout the whole app
  • The MAC address bug has been fixed which showed a wrong last byte of the MAC
  • The local IP address has not always been displayed correctly (e.g. was shown as “error”)
  • The MAC address is now displayed in the Network Scan report and no longer only in the details screen
  • IP Calculator improvements
  • Improvements for iPhone 6 and 6+
  • 64-Bit support
  • iOS 8.3 support

Please don’t forget to check for a data-update after the installation.

Please let me know should you find a bug or if you have additional ideas or requests.

Kind regards,


NetworkToolbox news

☛ WiFi scanning

I received quite a few questions regarding the possibility to add WiFi scanning to NetworkToolbox that displays the SSID (WiFi name) and RSSI (signal strength) of WiFi networks around you.

Unfortunately (or I would call it fortunately) Apple removed the possibility for developers to access the WiFi network device from inside an app (at least for non-Apple apps).

For this reason, there is no app available on the AppStore that can do these kind of things. There used to be a few apps in the past which were able to provide this on a very limited basis but they don’t run anymore on iOS 8 and can’t be updated by the developer as it would then not pass the App Store review process. Such apps have been submitted to Apple by the time when it was still possible to access the network device.

However, what a “regular” developer can’t do seem to be possible by apps developed by Apple.

See how you can still scan WiFi networks

There is still a way to scan your WiFi network although it’s a bit tricky to enable it.

The solution is, to use Apples AirPort Utility app and to enable a hidden feature for it. This works, even if you don’t have an Apple WiFi router.

Here is, how to enable WiFi Scanning:

  1. Install the Apple AirPort Utility app from the App Store
  2. Start the app one time and then close it
  3. Go to Settings (of your iPhone/iPad) on the main screen, scroll down until you see the AirPort app and select it
  4. Enable “Wi-Fi-Sanning”
  5. Start the AirPort Utility app again
  6. Tap on “Wi-Fi Scan”
  7. Tap on “Scan”


After a while, you can see all WiFi networks around you even with Channel information, BSSID (Mac address of the device) and RSSI (signal strength). If you tap on an entry you can even see the more information like the signal strength history.

I think that’s a not-too-bad workaround.

Stay tuned!

Best regards,


App Internal

New version coming soon – update

Development of the next version of NetworkToolbox is complete. I am happy that I was able to implement almost everything I had on my list and just had to postpone a few things to the next update.

I trust you will be excited from the freshen-up design and the new features and tools.

Now, some more testing will take place and soon I will send that update to Apple.

I will keep you updated so stay tuned…



UPDATE: I am still waiting for Apple to release the new version. The new version has been sent to Apple several weeks ago. I think it’s currently no good time for updates if it doesn’t connect with Apple Watch. Though: Any idea how to connect NetworkToolbox to the AppleWatch ?

Will keep you updated, so please stay tuned.

NetworkToolbox news

Victory against Verizon for violating privacy

Maybe you remember my post Verizon spies you out.

Today, Verizon gave up and decided to allow the customers to opt out of its UIDH Supercookie tracking program (see hold Verizon accountable for violating its users privacy for details).

So this is a victory against Verizon and now you may want check here: Verizon to learn how to opt out. But you may also want to check here: CPNI just in case you also want to opt out for Verizons CPNI.

This sounds like good news but why does every single user has to take action ? This is incredible and an ignorance of the customers expectations of privacy. If you read my post you know why.

“Verizion Test” in NetworkToolbox still available

At this point, I would like to remind you on the Verizon test I added to my app NetworkToolbox so you can check yourself if your iPhone or iPad still submits the UIDH. You can even check if you are not a Verizon customer.

Verizion is lying

Furthermore, Verizon is still lying. Yes, there is no other word which would adequately describe their following statement on the aforementioned website:

[su_quote cite=”Verizon wrote”]It is important to note that the UIDH is a temporary, anonymous identifier included with unencrypted web traffic. We change the UIDH on a regular basis to protect the privacy of our customers. We do not use the UIDH to collect web browsing information and it does not broadcast individuals’ web browsing activity out to advertisers or others.[/su_quote]

This is rubbish! See why:

Some users were so kind to send me their results of the Verizon Test of my NetworkToolbox app so I was able to find out the following (some information have been X-ed out here of course):

One user reported the following at one day:


And a few weeks later this:


So the IP address was different but the UIDH the same.

Another user reported this:

IP: 70.210.131.XXX  UIDH: XXX3NDI5Njg2NQCCGgKg3Pg0AeRF49zrPVGQJ6mMku1+YV1PbkqWhmUNKw==

And just two days later this:

IP: 70.210.132.XXX  UIDH: XXX3NDI5Njg2NQCTU6e+AvPSyJUuozY84f5P/wH856jPnSIDHuYAIJYbSw==

So here, the IP address obviously changes but also the UIDH did change.

Verizon said the UIDH is encrypted. Really ? Not really!

The UIDH is simply BAS64 encoded which is just another way of representing and packing a number. I wouldn’t really call it encrypted. So I BASE64-decoded both different UIDHs and voila: Both UIDHs contain one and the same number XXX4296865.

So is Verizon lying? Yes! The outcome of my investigation reveals that the UIDH is NOT temporary, not encrypted and in fact DOES broadcast individuals’ web browsing activity out to advertisers.

It is even easy to use by all websites not just of those of Verizon’s advertising customers.

In fact, Verizon is jeopardizing their customers privacy!

Don’t trust the evil!

NetworkToolbox news

Tired of ads? – Happy New Year!

Happy New Year to you!

I hope you all had a good and secure start in the new year.

As so often, things you almost forgot and believed to be solved forever might come back after a new year break in a new incarnation and reminds you that there is no such thing like the “ultimate solution”. However, let’s see it as a challenge to at least get closer to the “ultimate solution”.

In this case, I am talking about ads which – all of a sudden – reappeared on my iPad, PCs and Macs even though I (at least thought) found a good solution by (ab)using my routers blacklist (see my flurry post from last year.).

So what happened ? After a bit of investigation, I found that some ad’s have changed from http:// to https://. This for me looked a bit surprising as ads usually (should) have nothing to hide so there should be no need to encrypt the web communication especially because of the extra effort for the ad-server to maintain certificates etc..

By that time, I was under the assumption that https:// addresses will be filtered by my router blacklist in the same way a normal http:// connection is. Not just because https just means that the content is transfered over port 443 instead of port 80 and even if traffic uses port 443 and is SSL/TLS encrypted, the domain needs to be resolved and if it’s blocked it can’t be resolved.

But further tests showed that my router indeed is just filtering http domains and not https. How come ? Further researches led me to the finding that (at least in the investigated cases) the issue was caused by websites which are also using https that include add banners with another https address. In such a case, the data (content) of the original website is SSL/TLS encrypted and maybe that’s why the containing https link is not filtered. I also found that my favorite AVM router is not the only one not being able to block https domains. Many other also can’t and even some popular firewalls have the same limitation.

I really don’t like ads do you? I am tired of ads!

I really got used to the ad-free websites and apps and I was also quite happy not to rely on such dubious Ad blockers like AdBlock Plus which even doesn’t really help to get rid of ads on my iOS devices. So I started thinking of a better solution. Especially because the router solution I was using so far only works with a few routers.

openDNS an alternative ? not really!

One solution I tried was openDNS . openDNS is a service on the web which offers two IP addresses that can be entered as DNS servers in your router. So openDNS replaces the DNS server of your ISP. All DNS queries will be sent to openDNS and they respond based on filter rules with the correct IP address or a dummy address. The good news is: it’s working. The bad news are, it costs about $20 per year (as the free service doesn’t offer enough custom filter settings) and much extra effort is necessary to handle dynamic IP address changes if you (as I) run your own DynDNS solution. They offer a in combination with their own service which can be used to chain additional DynDNS services but that doesn’t seem to work quite well. Finally (as I don’t trust the evil as you know) it is quite clear that they are collecting my DNS requests and sell it as this is quite interesting information for the ad industry.

So I discontinued my openDNS activities and thought about another solution.

running my own DNS Server!

And here is my (new) “ultimate solution” :

A Raspberry Pi connected to my favorite AVM router.

It was really simple to use an out-of-the-box $30 Raspberry Pi, setup my own “openDNS” by using dnsmasq on it. The Raspberry gets powered by the USB port of my router and is connected to it with a short network cable. No additional configuration on the clients was necessary and I just had to enter the Raspberry Pis IP address as DNS server address in the router settings.

My blacklist now resides on the Raspberry Pi and my router is no longer misused to blacklist ad servers.

even more advantages!

I now even have three more advantages:

  • HTTPS domains are also filtered. So no big ad at the top of the site. Hurray!
  • DNS requests are noticeable faster as they are now cached inside my network
  • Optionally, I can easily monitor all the DNS requests of my whole network

The last advantage is very comfortable in order to find additional servers that want to be blocked, especially when using an iOS device. In the past I always had to setup a proxy for this.

So I am happy again!

If you are interested in this solution, please drop me a line (or maybe additionally leave an app review which I would greatly appreciate;-) ) and if there is enough demand, I will create a small installation summary and post it on my website. I can even share my blacklist if you are interested.

Again, have a good, secure (and ad-free) start into 2015!

…and don’t trust the evil!

Best regards,

NetworkToolbox news

Beware of using eCards – instead have a Merry Christmas

Most of you may view eCards as harmless ways to spread Christmas cheer. You may think they are convenient or fast and easy and there’s no hassle queuing up at the post office and trying to beat the Christmas postal deadlines.

But most of them are anything but harmless. At least I don’t know a single service I would recommend.

eCard providers are well known as Email collectors. They sell the Email addresses you entered and even analyze the message you select or added to your seasonal greetings. They usually send a tracking code along with the mail and claim this is to generate a receipt for the sender but in addition, they keep the receivers IP address and will know where exactly he lives.

Last year, some even distributed viruses along with their greeting mail.

If you like to do yourself and especially your friends and loved ones a favor, don’t use eCards. Instead, write a regular letter or just call them (of course don’t Skype them).

And if you receive an eCard via Email, you better delete it. Maybe send the originator a link to this post and call him or her.

Don’t trust anything which is for free – don’t trust the evil.

New data update

Today, I sent out another data update with a new MAC Database and some other changes (Thanks Martin and Mike for your hints and help!).

A new app update is already under development which will cover a lot of suggestions and will offer some new features. I will need some more time to get it completed and tested but early next year I expect to be able to send it to Apple.

I really appreciate all your support and suggestions. Please continue to write if you have questions, suggestions or even find bugs (thanks Emile).

To you and your families, have a Merry Christmas and all the best for 2015!

And don’t forget: don’t trust the evil.

Best regards,

NetworkToolbox news

Your 10 Year Google History

Just a quick one:

Are you a google member (even because of YouTube or gmail) ? If so, login to your google account and select:

Then, head to “Things you search for”.

Isn’t it interesting to see what you searched for even 10 years ago. I believe Google also agrees.

If you don’t agree, you can delete all entries here and select “Pause” on the previous screen.

The same applies to “Places you have been”, “YouTube searches” and “Things you have watched on YouTube”.

Even here, you can delete and pause everything.

But no worries, be assured that Google will keep a backup – just in case.

By the way, Amazon does the same with all your purchases and all Items you ever searched for.

Don’t trust the evil.

NetworkToolbox news

UPDATE: Verizon spies you out! – Verizon test added to NetworkToolbox

Verizon spies out their customers and creates behavioral profiles by deep packet inspection. They then even sell your data to make even more money.

You don’t believe me? Read further and finally check for yourself by using my recently added test to NetworkToolbox.

What Verizon does is that they insert some data to every network stream that goes from your device through their Wireless Cell/G3/4G/LTE network whenever you access any website. They are adding a special X-UIDH header that works like a supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. There is even no relationship with Verizon required.

This supercookie acts like a super UUID which uniquely identifies you to the website. Any website can track your visits and re-visits and linked websites can even track your visits to different websites.

But even worse: Verizon sells your identity to websites and closes the link between you as an anonymous visitor of a website and your real personality. It is unknown yet to what extend Verizon sells your personal information but they do and they are making lots of money with it. They call it “PrecisionID”.

Apple was blamed about the existence of the unique device ID and recently they even removed the MAC Address (as you, as a NetworkToolbox user will know). But such IDs can never be as dangerous as a unique ID inserted by your provider to any network stream between you and a website.


After hearing about that, I quickly created a scan for this type of information. To run this test, just perform a data update in your NetworkToolbox (if you don’t already did). Then, head to the “Security Check” Icon and select “Verizon Supercookie Test“.

Verizon offers the following website to switch off this supercookie: (This link needs to be copied and opened in Safari. Read below “funny side-storry” why)

I strongly suggest to use that service and once Verizon claims they switched it off, use the test to double-check if they really did.

Even if you are not a Verizon customer, just run this test and see if there is anything else your provider adds to your data stream. If so, please let contact me. Maybe we can reveal another spying provider. Would be interesting.

Funny side-story: If you visit the aforementioned link of Verizon, you will visit a website with a wrong certificate. Normally you should never bypass such a warning of your browser (even though not all browsers will generate a warning). You can use NetworkToolbox to see what’s going on here. Just use the “Certificates” tool of NetworkToolbox and enter and port 443 (which is HTTPS). Now in the first line you can see where the issue is. It says “” but must say This is, why you get the warning.

So much to their technical expertise. Do you still trust them? I don’t.

Don’t trust the evil!

P.S. I am receiving a lot of mails from users per day. Some of you have new ideas but mostly questions. That’s fine and I really appreciate any mail. Please be patient if you don’t receive an immediate answer. I will either be busy on app improvements (like these days) or with answering mails.

However, based on the amount of mails, I assume there are a lot of people using my app even on a daily basis. On the other hand, there are just a few app reviews yet. If you are unhappy with my app, please let me know. My goal is to keep (or make) NetworkToolbox the best Network utility on the AppStore.

If you are happy, please write an app review (there is a button for that inside the app). App reviews are so important for app developers. Think about yourself: when will you purchase an app ? Yes, when there are many reviews saying that this app is great.

Thank you!

NetworkToolbox news

Do you know flurry? It spies you out!

If you hear about “flurry” and think of a sort of ice cream, you are wrong, the opposite might describe it much better.

I recently started again analyzing the traffic that is passed between the Internet and some well-known apps we may use on a daily basis. Unfortunately, such analysis is not possible with my app NetworkToolbox as Apple restricts raw-socket access so I had to use my Linux PC for this.

The situation is still quite scary. Many apps are sending detailed information about your app usage, device and personal information to third party companies. This is not new but seems to get even worse. Yelp for instance uses three services in total such as (see, (see, (see and of course google analytics. Other well-known candidates are

The worst thing I have seen was however (see Apps using the flurry service connect to and loads of information regarding my device type, name, several IDs, app usage, settings etc. will be submitted to flurry. Even worse, most apps even don’t even encrypt this information when it’s being sent.

This screwball data collection nightmare even slows down the apps and uses up my bandwidth.

This is ridiculous!

You may think, what can we do against this ?

There is a quite simple solution at least for your home network so when you are connected via WiFi from your device.

The solution is to use the child protection mechanism of your router, if available.

In my favorite AVM Fritz router, I can maintain a blacklist of websites or IP addresses that should not be available from inside my network. This is basically to prevent kids from visiting certain websites. However, this also works perfectly to protect against these evil flurry scammers. Most routers have a similar blacklist available. Sometimes it’s quite hidden and cumbersome to maintain and enable but it’s worth to spent some time in this research.

So just add (or even to that blacklist and you are fine.

You can also add the following for some of the other scammers:

and you may also want to consider:

and if you finally want to get rid of most of the adware even in apps, just add:

So once this is done, you will even experience that some of your apps will run faster, as some of those scammers didn’t even invest in fast servers. Flurry has a extreme high latency, at least in Europe and it even takes quite some time to submit all the device information and app usage to flurry.

(By the way, did you name your device something like “Mike’s iPhone”. Don’t do that otherwise they will even know your name).

As always, don’t trust the evil.

Best regards,

P.S. if you are interested reading more articles, just head to my website The app only shows the last fifteen articles due to traffic reason.

NetworkToolbox news

Shellshock – update #2: Yahoo and hacked

(see updates at the end of this article)

You may have heard already about the newest security issue Shelshock which already claims to be the worst ever computer bug. I partly agree to that statement.

In short: Shellshock is a bug of a program called “bash”, which is installed on non-Windows systems such as Linux and even Mac computers. The bug allows hackers to send commands to a computer without having admin status, letting them install malicious software within systems.

We all can be affected in two ways by Shellshock:

1.) If you run a computer/server (or device) that can be accessed from outside

2.) If you access a website on a server that has already been compromised

Regarding 2.) there are already servers, known for being compromised by malware which has been installed by using the Shelshock bug. Without being too pessimistic, I think it is not unlikely that will see soon such malware that captures sensitive user information on website visitors or access databases with sensitive information. This is possible as the malware, injected by Shelshock has full system access. Let’s hope that admins of those website will update their systems quick and carefully watch their server log-files.

Regarding 1.) If you run a linux computer your own (all Mac users do) or run a webserver with linux you may be affected if the bash version on that machine has not been updated recently.
You can test for the issue by entering the following command:

env x='() { :;}; echo vulnerable' bash -c "echo no problem"

If you see two warning messages and the message “no problem” you are safe. If you see vulnerable you are in trouble if this system is accessible from the internet.
Depending on your linux distribution, you should update your system by “yum update bash” or “apt-get update” followed by “apt-get upgrade” or possibly other package managers you are using.
All current Mac computers are also affected. Yet, there is no update from Apple but updating bash (and sh) is not too complicated. A good explanation can be found here:

Thus, securing your own systems is quite easy and you should hurry to do so.

However, what about all the devices, running linux like routers etc. ? “bash” is a quite heavyweight software which is not ideal for small devices. For instance OpenWRT/DD-WRT doesn’t use it. However, some routers and other devices such as streaming clients have bash installed and definitely need to be updated in order to get secured against Shellshock.

From my personal experience, I expect several new vulnerables and attacks for such devices in the near future. So you better should check for updates on all your devices.

UPDATE #1: Several of my webservers are already under attack, mainly from China. The biggest server is which currently searches for insecure servers and executes a script from I would strongly recommend to any webmaster to scan their logfiles for strings like ‘:;}’.

UPDATE #2: Yahoo and were not as quick as us. They have been hacked already. If you have a account or are registered at I urge you to change your passwords. Don’t wait. You will find more information here:

Don’t trust the evil



NetworkToolbox news

Anatomy of a scam attack

Today, I received again one of those scam mails which informed me about an issue with my PayPal account and asked me to re-enter my account details.

You all know about these funny mails. It is still interesting that people still fall into this trap. Anyway, I trust you do what I usually do: Just delete such mails.

However, this time I spent some time analyzing this scam a bit:

1.) Mail header

By looking into the source of the mail. I found this:

Received: from unknown (HELO (

This means, the mail was sent from a server called By visiting the website, I found that this is a regular computer company. Most likely, their mail server is insecure and allows relaying and so, the scammers did misuse their server to submit this mail. But that’s not really surprising and helpful. Maybe somebody should inform about this issue on their server.

2.) Mail attachment

As most of these type of scam mails, this mail also contained an attachment. This time just an HTML script which contains the form I should fill out in order to get my account re-activated.

By browsing through this script I found they did use some images and links directly from PayPal and some others from can be used to upload images. Maybe somebody want to contact and ask who uploaded the image 3wpnm7loj/STRADA.png for instance.

Anyway, the interesting part is, to whom the form will be sent after it’s filled out and here we are:

form class='safeSubmit multiplesubmitform' method='post' id='signup_form' name='signup_form' action='' onSubmit='return sTest();'

The form is being sent to Entering this IP address into the Domain Tool of NetworkToolbox reveals that this is a server in Russia, hosted by which is known as a very liberal web hoster.

3.) and so…

Nothing really. This was a real simple one. Even the script was coded badly and the text contains some dreadful spelling mistakes which makes it quite easy to identify this mail as scam. It should now even be easy to identify those guys but I doubt that somebody in Russia will care.

However, even though it would only help for this specific type of scam, I would recommend (again) to block direct IP access in your firewall / router (the parental controls offered by some routers are doing a great job for this) and you may want to block the address ranges of which is ( – because most likely, you won’t visit a website hosted at Blocking direct IP access will redirect you to an error page of the firewall/router whenever a link will be opened that only contains an IP address rather than a fully qualified domain name. Yes, of course, those guys could have registered a domain name in addition but then, they would have left another trace and just recently, the ICANN has started an initiative which makes it harder to register a domain anonymously.

So… Don’t trust the evil!



NetworkToolbox news

Starting other Apps from Network toolbox and vice-versa by URL Scheme

With the latest release of NetworkToolbox I introduced the possibility to use external apps as well as the opposite to use NetworkToolbox from other apps.

Some people contacted me and asked, what the heck does this mean and what is the purpose.

1.) External apps for NetworkToolbox

You all know the nice and useful selection-list that appears for instance, if you hit the […] button on an entry of a result list (e.g. a Network scan or Morpheus search).

This list offers you to use any other Tool of NetworkToolbox on the selected entry in the list. For instance, you can run a port scan on each entry of a Network scan or you can open the Browser tool after the port scan reveals an open port 80 etc.

For your convenience, the list highlights all entries that would make sense for a selected entry and even scrolls to those entries. For instance, if you selected a port 80 address, the HTTP tools will be highlighted.

Besides the Copy, Bookmark and E-Mail options in this selection-list the other entries range from Domain Infos until Trace route.

You can extend this list further by adding external apps in the settings section of the app.

This is useful, for instance, if you want to use your favorite remote access app from within NetworkToolbox.

To understand, how external apps can be started, you need to understand the term URL Scheme. This is basically the first part of a web address such as http://. In this case, http:// is the URL Scheme of Safari on your device. Other apps must not but can provide their own URL Schemes which will start a particular app when it’s being called. For instance, most popular VNC viewers are using the URL Scheme vnc://. To try this out, just open safari and instead of just type vnc:// and see what happens. Maybe your VNC app will start. Of course, the URL Scheme and the parameters that need to be used after the URL Scheme highly depend on the app itself.

To learn how to integrate your favourite apps into NetworkToolbox, just open the “External Apps” section in the settings and press the (i) Info button.

2.) NetworkToolbox as external app

Also NetworkToolbox offers URL Schemes to other apps which is nettb://. You can use this to open and perform tests with almost any tool offered by NetworkToolbox (Further down you will find a list of parameters, offered by NetworkToolbox).

So how can this be useful ? I will give you an example:

If you want to perform certain tests on a regular basis let’s say a website crawl for a few websites let’s say to, and For this, just open the built-in Notes app on your device and enter the following line by line:


Now, press done and re-open the note. You will see that those lines have been converted to links. Once you tap on a link, NetworkToolbox will be opened to perform a web crawl on the given website.

Of course, the same way you can call NetworkToolbox from any app that offers the possibility to call external apps by URL Schemes.

List of URL Scheme nettb:// parameters:


NetworkToolbox news

Greetings from Def Con 22 – Improve your router security

As I covered this subject quite a few times here, Craig Young had a few good suggestions to improve your router security:

  1. Don’t enable remote management over the Internet
  2. Don’t use the default IP ranges. Predictable addresses make attacks easier. Rather than, consider or something else which is not commonly used. This is a simple but effective technique for decreasing the likelihood of a successful attack.
  3. Don’t forget to log out after configuring the router. Not logging out can result in a situation where the web browser used to configure the router remains authenticated, which opens the door for attacks.
  4. Turn on AES backed on WPA2 encryption and turn WPS off. Regardless of the complexity of your WPA2 password, don’t forget to switch off WPS!
  5. Passwords matter: Default passwords are often the same for an entire product line or are generated from a common algorithm making a device easy prey for an attacker. It is imperative that you and other users change passwords rather than using defaults.
  6. Keep the router firmware up-to-date.

If you follow these six points, you are still on risk if your router vendor included some back-doors or ‘forgot’ to fix security issues with updates. However, it’s the minimum you should do yourself in order to increase your router security.

If you use Morpheus or Shodan from within my app, you will know that millions of users don’t.

Don’t trust the evil.

NetworkToolbox news

New release 7 available!

Fortunately, after several months of development, the new release 7 of NetworkToolbox is now available on the AppStore.

It took quite some time to implement all of my ideas and suggestions I had on my To-Do list but it’s now done.

I even used the opportunity and made the app already compatible to iOS 8 but the main intention of the new release was to improve the usability and add some cool new features.

See what’s new about NetworkToolbox release 7:

■ Improved user interface
The user interface has been improved significantly to increase the usability, convenience, and effectiveness of NetworkToolbox.
It is now even easier than before to switch from the scan results of one tool to another for further analysis.

New tools:
There are now 24 tools in total.

■ Bonjour
Bonjour, which is Apples zero configuration protocol, can now be scanned and analyzed by NetworkToolbox. You will be surprised how many devices talk Bonjour in your network.

■ Certificates
Another new tool can be used to analyse and display server certificates in a readable form. Such certificates will be used to secure websites such as banking sites. Recently, some certificate authorities have been compromised and issued insecure certificates e.g. even for google. NetworkToolbox can now reveal such certificates.

■ Bluetooth LE
As Apple recently introduced iBeacons in their stores which are basically Bluetooth LE (low energy) tokens, NetworkToolbox now offers a new tool that can be used to scan for and analyze such iBeacons or any other Bluetooth LE device easily.

■ More and better device information
The Device Information tool now provides much more information about your iPhone/iPad such as Cell, Cell-Carrier, Hardware, Memory, CPU, Sensor and sensitive device ID information.

■ External app integration
NetworkToolbox now integrates also with external apps. External apps like your favourite remote access app can now be used from inside NetworkToolbox and the other way around. NetworkToolbox can now be started from inside other apps e.g. even by safari.

■ Shodan improvements
Shodan’s new API has now been integrated and you can even use your own Shodan API key.

■ Socket / Telnet improvements
The Socket tool now supports sending of special characters like ^C, TAB etc. It also includes new settings for echo and line wrapping and can even show non-printable characters in HEX.

There are much more new features that can’t be listed here.

Please note: Don’t forget to install the latest data update.

For those changes, major parts of the app have been re-coded but even though the app has been tested by several beta testers and on many different devices and iOS versions, there may be some bugs left that have not been found.

As always, please let me know about any bug, change request or suggestion, ideally using the support button inside the app and I promise to fix any bug real quick.

Again, many thanks for your feedback.

Please don’t forget to rate the app or update your review. Unfortunately, with every update I sent out, your previous reviews disappear. But you just need to slightly update your previous review to let it appear again. Many thanks for this.

Kind regards,


NetworkToolbox news

New update 6.07.01 available

Among some minor changes “under the hood”, this update contains:

■ Again, improved Morpheus
The Morpheus search engine has been improved further and is now better integrated into the app.

■ Custom Port ranges for the Port scanner
It is now either possible to select individual port ranges for all HTTP Services, Mail Services or upper/lower ranges or even enter individual ranges for scanning manually.

■ Custom Password list
In addition to the built-in default password list, it is now possible to maintain and use a custom password list for the HTTP, Socket, FTP, SFTP Tools. This way, you can pre-enter the know credentials of your servers and devices if you like.

■ Collect discovered password
Once you discover a username/password combination, you can now even store your findings along with the host information for later reference in the custom password list. So now, there is no need to write it down anymore. An explanation of these new features can be found in the updates info (i) texts.

■ Reverse DNS lookup
The Domain tool now also supports revers DNS lookups. So for instance, if you just enter an IP address, this tool may also show the domain name if there is a domain name registered for that IP address.

PLEASE NOTE: This app update also requires the installation of the newest data update. So please also use the “Check for data update” button in the settings screen of the app. The installation order (app or data update) does not matter.

The next app update will be a new major version I am currently working on.

Please remember to write or update your app review. This keeps NetworkToolbox going.

Thank you and kind regards,

NetworkToolbox news

Router back-door test added

In order to test for the recently revealed router back-door (please read my previous post), I have added the affected port to the port scan tool.

Please install the latest data update for NetworkToolbox in order to download this update.

To test for this back-door on your router, start the port scan tool and enter the (local!) IP address of your network router. If the result list contains the entry named ‘Possible Router Back-door’, your router might be affected. If you don’t see this entry, you are most likely safe.

Kind regards,


NetworkToolbox news

Happy New Year

I hope you have all made it through the holiday season secure and are ready to take on the New Year!

Unfortunately, this year starts with another scary router story I have to tell.

Eloi Vanderbeken from France spent his days over the holidays to explore his router. What he found may not really surprise you as a reader of my NetworkToolbox news. He found a back-door in his router.

This time (again) several Netgear, Cisco/Linksys routers are affected. The following routers models are reported to contain the back-door:
[su_list style=”arrow”]

  • Linksys/Cisco: WAG200G, WAG320N, WAG54G2, WAG120N, WAG160N, WAP4410N, WRVS4400N
  • Netgear: DM111Pv2, DGN1000, DG834G, DGN3500, DG834, DG934, WPNT834, WG602, WGR614
  • Diamond DSL642WLG and LevelOne WBR3460B


The scary part of the story:

  • The back-door is quite easy to use.
  • It is quite easy to read out the whole configuration, including passwords out of these routers
  • According my own investigation by using my Morpheus engine, some of these routers (such as the DG834) also exposes this back-door to the Internet.

Due to the “ease of use” of this back-door and the fact that the whole configuration can be read out remotely over the Internet, the owners of the effected routers are under great danger.

My recommendation, if you own one of these routers, switch them off as quick as you can and throw them away and buy something else but Linksys/Cisco or Netgear (and D-Link as mentioned earlier). Even though other routers may (or will most likely) also have back-doors and may be vulnerable but not as easy as those candidates.

Anyway, back to NetworkToolbox.

During the holidays, I received several very good suggestions and ideas. Many thanks. I already started working on most of them so there will be another App update with new features and improvements in a few weeks (hopefully).

I was able to implement one request (Thanks Tim!) immediate which is already available to you. If you now use the domain tool to search for information about an IP address, this tool now also does a reverse DNS search so you can see the domain name of the IP.

Again all the best to you and have a secure 2014!

Kind regards,