The Toolbox

These tools are not open source, only freeware, so please don't ask for the source code. All tools here are coded by me (Arne) with the exception of Snitch which is coded by me and Roger Lindgren together.

These tools are intented for white hat use only. Use them for security testing, for hacking in a lab environment, and so on. I certainly do not condone any illegal or immoral use, and in several cases I have (on purpose) made them easier to detect and/or harder to hide.

Unfortunately some antivirus vendors are not exactly scrupulous when it comes to including detection signatures in their software. They include as much as they can and don't hesitate for a second to call any random piece of software a virus or worm even if it is nothing of the kind. Every now and then I receive angry and/or threatful mails from persons who think the portscanner they downloaded is infected with a worm or virus. In reality the only problem is that some antivirus vendor can't tell the difference between a virus and a portscanner. Reporting it to them doesn't help either because they don't seem to care. Anyway, my tools contain nothing but what is written in the description for each of them. So when your antivirus software tells you that the port scanner is a virus, or the keylogger is a worm, then you will know for sure that the antivirus vendor is someone you shouldn't trust when it comes to security.

I have removed some old tools from this page, but they can be found on the archived tools page.

On my other site (vidstrom.net) you can find other tools coded by me. They are security tools for other operating systems than Windows as well as non-security tools for both Windows and other operating systems.


BrowseList retrieves the browse list on a Windows network.


CECrypt is a file encryption tool for Windows CE that can encrypt with either 3-DES or IDEA. Compatible with CryptF.


ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer.


A file encryption tool that can encrypt with either 3-DES or IDEA. Compatible with CECrypt.


DBProbe checks the directed broadcast ping amplification factor for a network.


DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.


EFSView lists the users who have ordinary decryption keys or recovery keys for an EFS encrypted file.


EtherChange can change the Ethernet address of the network adapters in Windows.


EtherFlood floods a switched network with ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.


FakeGINA intercepts the communication between Winlogon and the normal GINA, and while doing this it captures all successful logins (domain, username, password) and writes them to a text file.


FileHasher calculates the MD5 or SHA hash for a file.


GPList lists information about the applied Group Policies.


GrabItAll performs traffic redirection by sending spoofed ARP replies.

GSD - Get Service DACL

GSD (Get Service DACL) gives you the DACL (Discretionary Access Control List) of any service you specify as a command line option.


Shows which processes listen at which ports. Inzider was the first tool that could do this in Windows.


IPEye is a TCP port scanner that can do SYN, FIN, Null and Xmas scans.


IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled. The first IPSec scanner out there.


KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute force attack or a dictionary attack.


KLogger is a keystroke logger for the NT-series of Windows OS's.


ListDrivers lists the loaded kernel drivers.


ListModules lists the modules (EXE's and DLL's) that are loaded into a process.

LNS - List NTFS Streams

LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams).


MACMatch lets you search for files by their last write, last access or creation time without changing any of these times.


MemImager performs a memory dump using NtSystemDebugControl.


NSCopy works is a copy command with one big difference from others. If you have the "Back up files and directories" user right you will be able to copy files even if you don't have any explicit permission to read them. It doesn't take ownership of the file to do it.


PEriscope is a PE file inspection tool. It works on ordinary 32-bit files as well as 64-bit and .NET ones.


PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.


PromiscDetect checks locally if your network adapter(s) is running in promiscuous mode, which may be a sign that you have a sniffer running on your computer. The first tool able to do this.


PStoreView lists the contents of the Protected Storage. It usually contains things like Internet Explorer username and password autocomplete, and Outlook account names and passwords.

RPAK - Routing Protocol Attack Kit

RPAK is a collection of tools that can be useful for doing attacks on routing protocols. It contains tools for RIP, RIP2, IGRP and OSPF.


Allows you to set file ownership to any account, as long as you have the "Restore files and directories" user right.


Snitch can sometimes turn back the asterisks in password fields to plaintext passwords.


SQLDict is a dictionary attack tool for SQL Server.


A simple and very small (3kb) remote shell server for Windows, coded in assembler.

Win32 SocketShell

Win32 SocketShell is shellcode for penetration testing. It binds to TCP port 7777 and returns the string "hacked!" when connected to.


Uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.


WinRelay is a TCP/UDP forwarder/redirector that works with both IPv4 and IPv6. You can choose the port and IP it will listen on, the source port and IP that it will connect from, and the port and IP that it will connect to.


WinZapper is a tool that lets you erase event records selectively from the Security Log in Windows NT 4.0 and Windows 2000. The first tool able to do this.


WPSweep is a simple ping sweeper, that is, it pings a range of IP addresses and lists the ones that reply.

WUPS - Windows UDP Port Scanner

An UDP port scanner for Windows. All port scanners for Windows only scanned TCP ports before I wrote this one.

© Arne Vidstrom. All rights reserved.