In this article Duane Dunston gives a brief introduction to Netwox, a combination of over 130 network auditing tools. Also, Duane interviews Laurent Constantin, the creator of Netwox.

Introduction:

Performing a security or network audit with a large number of security tools available can be quite overwhelming. Even basic network troubleshooting has a plethora of tools to choose from. Selecting the right one to get the job done fast can even cause a headache. Let's see: hackbot.pl, nmap, nessus, and sara are just four tools that can be used to determine if a webserver is running. Even a quick telnet to port 80 would work:

telnet www. 80

All of these tools have their place for sure and should be included in a security or network auditing toolkit. However, netwox solves the problem of having multiple tools to choose from to perform specific tasks. Netwox removes the issue of having to go to a machine and compile multiple programs to start auditing a network. Netwox contains over 130 tools built into one program. Each tool is referenced by a particular number and is readily available and searchable. The coolest tool is the network sniffing program. This tool sniffs network packets and doesn't output them the way you normally see with tcpdump or ethereal. Instead, it outputs each packet just like you learned it, in the cool graphical format. See the example here. You can run it with the command:

netwox 7

Watch each packet fly by, laid out the way you learned it. Check out the tcpdump format:

20:08:35.691525 12.150.157.4.3266 > 68.153.244.213.80: S 1614678159:1614678159(0) win 16384 (DF)

Now the netwox format:
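An added example, not netwox output and not code from the article or from netwox: the sketch below decodes a TCP header rebuilt from the values in the tcpdump line above and prints it in the field layout of the RFC 793 header diagram, which is the style of display the article describes. The sample bytes are constructed, the checksum is a placeholder, and the function names are hypothetical.

```python
import struct

# Constructed sample: a 20-byte TCP header rebuilt from the values in the
# tcpdump line above (3266 > 80, SYN, seq 1614678159, win 16384).
# The checksum is a placeholder 0; the capture does not show it.
SAMPLE = struct.pack("!HHIIHHHH", 3266, 80, 1614678159, 0,
                     (5 << 12) | 0x02, 16384, 0, 0)


def parse_tcp(header: bytes) -> dict:
    """Decode the fixed 20-byte TCP header laid out in RFC 793."""
    if len(header) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", header[:20])
    doff = off_flags >> 12  # header length in 32-bit words
    if doff < 5:
        raise ValueError("data offset below 5 words is malformed")
    # Control bits, high to low: URG ACK PSH RST SYN FIN; '.' marks a clear bit.
    flags = "".join(c if off_flags & (0x20 >> i) else "."
                    for i, c in enumerate("UAPRSF"))
    return dict(sport=sport, dport=dport, seq=seq, ack=ack, doff=doff,
                flags=flags, window=win, checksum=csum, urgent=urg)


def row(*cells) -> str:
    """One 32-bit row; each cell is (text, bits), drawn two columns per bit."""
    return "|" + "|".join(t.center(bits * 2 - 1) for t, bits in cells) + "|"


def render(h: dict) -> str:
    """Draw the decoded header in the field layout of the RFC 793 diagram."""
    rule = "+" + "-" * 63 + "+"
    rows = [
        row((f"source port {h['sport']}", 16), (f"destination port {h['dport']}", 16)),
        row((f"sequence number {h['seq']}", 32)),
        row((f"acknowledgment number {h['ack']}", 32)),
        row((f"doff {h['doff']}", 4), ("reserved", 6), (h["flags"], 6),
            (f"window {h['window']}", 16)),
        row((f"checksum 0x{h['checksum']:04x}", 16), (f"urgent {h['urgent']}", 16)),
    ]
    return "\n".join([rule] + [line for r in rows for line in (r, rule)])


if __name__ == "__main__":
    print(render(parse_tcp(SAMPLE)))
```

Each field sits at its real bit position, so a spoofed or malformed header (wrong flags, a data offset below 5) is visible at a glance or rejected by the parser.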

Netwox has other tools like base64, decimal, and hex converters, port scanner, mail client, syslog client, dns server, dns client, http server, ping, traceroute, etc. It gives you the tools to do quick tests without having to use a suite of tools. By default netwox is run, and produces its output, on the command line, though a GUI exists for it as well.

Interview:

We interviewed Laurent Constantin, creator and developer of netwox, which was formerly the unpronounceable lcrzoex.

LinuxSecurity.com: Laurent, I hope that you have been doing well? I just got over a cold that came about on New Year's Eve.

It's the same for me. I got it during Christmas. Now, I'm ok :)

LinuxSecurity.com: What do you do when you are not programming and away from computers?

I also like electronics, which I discovered before computers. I'm not creating boards anymore, but I often have devices to repair.

LinuxSecurity.com: Netwox has over 130 tools in one program. First of all, THANK YOU!! Why did you write a program that does all this instead of helping to document existing programs that have the same functionality?

Before creating netwox, I was using a lot of other tools. Those tools are good, but I faced two problems.

The main one is you had to spend time to install and configure them all. It was aggravating to go to a computer which had a network problem, and to see that only some, or even none, of the tools were installed. You had to spend time installing what you need, before being able to spot and solve the problem. This was really annoying.

The second problem is that tools for Linux, Solaris, BSD and Windows do not have the same command line parameters.

Now, there is netwox on all computers I manage.

There is something important to remember about netwox: it contains the functionalities of a lot of tools, but it's not as powerful as them. They are specialized in their job, and they do it very well. Sometimes, when the problem is hard to solve, netwox lets you spot the problem, and then one of those specialized tools can be installed to solve it.

LinuxSecurity.com: How long did it take you to write netwox until it was ready for its first release?

Netwox was developed over 2 years for my private use. During this period, several people showed interest in it, so it was published. I'm not proud of the first versions: I was more interested in adding functionalities (I needed them!), than creating them well. Now that there are a lot of tools available, I concentrate on the source code quality. It's more motivating, even if the update frequency is slower.

LinuxSecurity.com: Honestly, do you know the number of each tool by heart?

No. Some tools are only used once or twice a year. But, when they are needed, they are ready :)

LinuxSecurity.com: Tool number 7 shows the packets with the full packet diagram, just as we learned the different parts of the packet. How did you decide to have a feature like that? I ask because it is, to me, the coolest tool in this program for that reason.

In late 1999, for security tests, I had to spoof IP packets. To check them, it was important to see them. Tcpdump or snoop are good sniffers, but packets' fields can't be easily seen. Ethereal is excellent, but xfree is needed, which was not installed on production servers. So, I thought about a text mode display of packets. Naturally, formats described in the RFCs came to my mind. (See RFC 793, RFC 768, RFC 792, etc.)

LinuxSecurity.com: What do you plan to add to Netwox next? Any new features, anything you are going to change?

Currently, version 5.7.0 is in progress. It will support IPv6 packet creating, decoding and displaying. In previous versions, only IPv6 sockets and raw sniff/spoof were available. People having an IPv6 network will enjoy version 5.7.0 ;)

Then, I'd like to port netwox for MacOS, to add SNMP and SMB/CIFS tools, etc. That's for the beginning. Generally users require new functionalities, which become new priorities, so there is no definitive road map.

LinuxSecurity.com: Can this tool supplement an entire suite of auditing tools or distribution designed for network auditing?

Netwox can be seen as a collection of simple tools. People who use netwox are identified in two main groups: network administrators and security professionals.

Network administrators want to set up a new computer or to repair an existing architecture. They need to send an email to test an SMTP server or to TCP traceroute to see if a flow is allowed by a firewall. Those simple tools are not sufficient if the problem becomes too complicated.

Security professionals want to obtain malicious information or to prove to a customer that its network is vulnerable. Nessus does a good job in notifying administrators about their vulnerable or outdated services. Then, netwox can be used to demonstrate the vulnerability found by Nessus.

To sum up, netwox cannot replace an entire suite. It has to be used before or after the specialized tools.

LinuxSecurity.com: How do you pronounce the original name "lcrzoex"? What does it mean? How did you get the new name, netwox?

Lcrzoex can be pronounced "L C RESO(lv) EX". What a bad idea I had! I wanted a unique name. So I searched on the web to find something unused. Lcrzoex was unused, but now I know why: it's impossible to pronounce :). Perhaps 40% of people sending me an email misspelled it. When I physically met people, it was worse because they were annoyed at not being able to say it in front of me.

Now netwox is much better.

LinuxSecurity.com: In what situations do you use netwox?

As soon as I encounter a network problem. I can't surf the web? Netwox will find if the problem belongs to DNS, local network, network path, remote host, etc. When I was a security auditor (now I work for a vulnerability survey), I could have used it for all IP audits.

LinuxSecurity.com: Any advice for network auditors out there on using many tools to audit, besides to use netwox?

Netwox is not perfect, so I don't think it can fully replace those tools. However, try it and you might be surprised. For people new to security, I would really recommend starting by using netwox, because it contains most of the tools needed for learning.

LinuxSecurity.com: On your website there are two other programs mentioned, netwib and netwag. What are those programs?

Netwag is a graphical front end to netwox. It is highly recommended for new users.

Netwib is a network library which is needed for compiling netwox. Most people install it, and then ignore it.

LinuxSecurity.com: Do you have any seminars or speeches you are going to be giving about security, auditing, or netwox?

There is nothing planned. My current job does not permit me to easily move around the world, or even France. People are welcome to contact me by email or to meet me in the city of Rennes, where I live.

LinuxSecurity.com: On your website, you tend to note when you are going to be away from email for an extended period of time. Any more big vacation plans coming up?

Yes, 3 weeks in June :)



Duane Dunston is an Information Technology Specialist (Security) for the National Climatic Data Center. He was previously a contractor for STG Inc. for the same organization. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. He revels in the arts in Asheville, NC, and writes poetry. He hangs out at Anntony's, Early Girl Eatery (tell'em Duane sent you), The New French Bar, and still wakes up every morning ready to go to work.