Archive for May, 2013

New DNS Sniffer utility

Friday, May 24th, 2013

DNSQuerySniffer is a new network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records.
You can easily export the DNS query information to a csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard and then paste them into Excel or another spreadsheet application.
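To show where several of the displayed fields (Query ID, Host Name, Request Type, Response Code, record count and record content) sit in a DNS message, here is an added example that is not DNSQuerySniffer's own code: a minimal RFC 1035 response parser run over a constructed packet. The function names, the sample bytes and the single-question assumption are mine.

```python
import struct

# Subset of IANA DNS type and response codes, enough for this example.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2             # parsing resumes after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                 # hostile packets can point in circles
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def parse_response(msg):
    """Extract the per-query fields from one DNS response (one question assumed)."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    host, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
    off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:     # A record: dotted-quad IPv4 address
            records.append(".".join(str(b) for b in rdata))
        else:                             # other types are left as hex here
            records.append(rdata.hex())
    return {"query_id": qid, "host": host, "type": QTYPES.get(qtype, str(qtype)),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "records": records}

# Constructed sample: response to an A query for example.com, ID 0x1a2b.
SAMPLE = bytes.fromhex(
    "1a2b81800001000100000000"            # header: id, flags, QD=1, AN=1
    "076578616d706c6503636f6d0000010001"  # question: example.com, A, IN
    "c00c000100010000012c00045db8d822")   # answer: name is a pointer to offset 12
```

The port number and the request/response times are not in the DNS message itself; a sniffer takes them from the UDP header and the capture timestamps.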

DNSQuerySniffer works on any version of Windows, starting from Windows 2000, and up to Windows 8. Both 32-bit and 64-bit systems are supported.

You can download this new utility from this Web page.

WebBrowserPassView now extracts the passwords from Internet Explorer 10.0

Saturday, May 4th, 2013

The new version of the WebBrowserPassView utility (v1.40) can extract the passwords stored by Internet Explorer 10.0.
You might think that I added only one feature for this new release, but I actually added 2 features: one for supporting Internet Explorer 10.0 on Windows 8 and the other to support Internet Explorer 10.0 on Windows 7.

That's because IE10 stores the passwords in two completely different ways. On Windows 7, it still stores the passwords like the previous versions of IE, under the following Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
The passwords under this Registry key are encrypted with the URL string, and thus WebBrowserPassView needs to scan the browsing history of IE to decrypt these passwords. Due to the changes in IE10, WebBrowserPassView failed to read the IE history and thus it also failed to get the passwords. The new version of WebBrowserPassView reads the history of IE10 properly and thus the password decryption process also works properly.

On IE10 under Windows 8 it's a completely different story: the passwords are now stored inside the 'Windows Vault', located in the file system under C:\Users\[User Name]\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
WebBrowserPassView extracts these passwords by using the undocumented Credential Vault Client Library (vaultcli.dll).

The support for IE10 passwords is also added to the Password Security Scanner tool, and soon it'll also be added to the IE PassView utility.

Improved solution for reading the history of Internet Explorer 10

Thursday, May 2nd, 2013

A few months ago, I released a new version of BrowsingHistoryView that extracted the history of Internet Explorer 10 from the locked WebCacheV01.dat (or WebCacheV24.dat) database file by using the 'Volume Shadow Copy' service.
The previous solution was not very successful, because it required full admin rights, it was very slow, and it also tended to fail on some systems.

The new version of BrowsingHistoryView (v1.30) provides a much better solution for reading the locked database of IE10. It locates the process that maintains the opened file, duplicates the file handle, and then uses the duplicated handle to copy the content of the locked database into a temporary file. BrowsingHistoryView reads the history from the created temporary file and then deletes the temporary file.

So far, in all my tests, this method works very smoothly and it doesn't require running BrowsingHistoryView as admin.

If you have Internet Explorer 10, you are welcome to download and test the new version of BrowsingHistoryView from this Web page.