Monday, October 01, 2007

A networking Swiss Army knife

We love Swiss Army knife-style tool kits, those suites of services and functions that are managed through a common interface. We reviewed an e-mail tool kit (www.nww.com, DocFinder: 2129) in this category a few weeks ago, and today we have a networking Swiss Army knife-style tool kit: NetScanTools Pro 10 from Northwest Performance Software.

NetScanTools Pro (NSTP) is remarkable. In one interface you get network setup and configuration exploration functions, security testing services, information-gathering tools, and network and service diagnostics. Northwest positions the software for general network diagnosis and exploration, as well as for forensic use.
The features of NSTP are divided into sections. The first, Welcome, provides introductory help, bug reporting, Northwest contact information and the ability to check for a new version.

The next section leads you through a sequence of steps to gather information about a remote machine. The first step asks what kind of contact you want with the remote computer (no contact, some contact or maximum contact). The idea is that for certain types of analysis, such as tracking down a hacker, you might want to restrict the tools used to those that don't connect directly to the target machine, which avoids setting off alarms. If you are a little braver, you can opt for "minimal" testing that uses nonaggressive techniques, such as connecting to one or two ports to determine the existence of services or attempting to "fingerprint" the host's operating system.

The next step asks for basic information about the target system - the name, IP address, e-mail address or URL. The third step, research, runs the NSTP tools and creates a report that is opened as a Web page in your default Web browser.

A no-contact report simply lists the IP address associated with the target, the DNS servers responsible for the domain and DNS data, geolocation (IP to country mapping), the major spam real-time blacklists the target is on, and the Whois data for the domain.

With the maximum-contact report, not only do you get all the no-contact data, you also get a list of host names found within the domain, a traceroute to the target with geolocations for each hop and a list of open TCP ports.
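The spam-blacklist check in the no-contact report works without touching the target at all: it is a DNS query against a DNSBL zone. The following is an added example written for this review, not NetScanTools code; the zone names are placeholders and the resolver is a constructed offline stand-in (a live check would use socket.gethostbyname_ex against a real operator's zone).

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Placeholder DNSBL zones (constructed; real operators publish their own zones).
DNSBL_ZONES = ["bl.example-dnsbl.test", "rbl.example-rbl.test"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL lookups are shown here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def interpret_answer(records: List[str]) -> Optional[str]:
    """A listing is an A record in 127.0.0.0/8; no records (NXDOMAIN) means not listed."""
    for rec in records:
        if ipaddress.ip_address(rec) in ipaddress.ip_network("127.0.0.0/8"):
            return rec  # the 127.x.x.x value encodes the operator's listing reason
    return None


def check_dnsbls(ip: str, resolve: Callable[[str], List[str]],
                 zones: List[str] = DNSBL_ZONES) -> Dict[str, str]:
    """Return {zone: listing_code} for every zone that lists the address."""
    listed = {}
    for zone in zones:
        code = interpret_answer(resolve(dnsbl_query_name(ip, zone)))
        if code:
            listed[zone] = code
    return listed


def live_resolve(name: str) -> List[str]:
    """Real resolver: NXDOMAIN surfaces as socket.gaierror, i.e. not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed offline answers: 192.0.2.10 is listed in one zone, 192.0.2.20 in none.
FAKE_DNS = {"10.2.0.192.bl.example-dnsbl.test": ["127.0.0.2"]}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```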

There also is a fourth step in this section, which allows you to view or delete any of the past reports.

The next section, Tools, provides access to the individual functions of NSTP. This is a big list, offering some 46 tools.

A number of tools, such as OS Fingerprinting, which attempts to determine the operating system in use on the target, warn you that using them may be detected by the target and interpreted as a threat, and require you to accept the disclaimer and agree that you are on your own.

The Online section provides links to Northwest news, support and bug-reporting Web pages and an update checker. Finally, the Program Info section includes an About option, an End User License viewer, and access to the Set Preferences window where you set global preferences that affect all tools.

Of particular interest in forensics and diagnostics are the URL Cache Viewer, which lets you view the Internet Explorer cache, and the Protected Storage Viewer, which lets you view auto-complete information, password-protected site logon, and usernames and passwords for Microsoft e-mail applications.

We had only two issues with NSTP: First, some tools can't be interrupted - with these, NSTP stops responding until the service completes or times out, but there's no indication that NSTP is still working. The second issue is that, with the exception of a couple of tools that launch separate programs, you can't work with multiple tools simultaneously.