Mai 082019
 

I have added a 2 extra formats in latest version : VHD/VHDX and LZ4.

VHD/VHDX is using MS virtual disk API and LZ4 is using opensource LZ4 library.

While at it, I also added extra WIM compression methods (LZX and LZMS).

 

LZ4 is quite interesting as in some cases it is faster to compress thru LZ4 compared to using a RAW format and this despite the CPU overhead.

LZ4 files generated by Clonedisk are compatible with LZ4.exe.

 

 

VH7E1Fe.png

Avr 242019
 

How to rebuild libvmdk (and possibly any VC project) so that it depends on msvcrt.dll and no longer on msvcrtxxx.dll.

Copy/paste from this post for archiving.

-first install VC2008 express (but should be OK with VC2010 express and possibly newer VS platforms)

-install WDK 7.1

-modify your VC2008 IDE settings search paths (include and libraries) by adding WDK 7.1 paths first in the list

XuK0hGN.png

seLkgHG.png

-add msvcrt « legacy translator » library (msvcrt_win2000.obj) to Linker -> Input -> Additional Dependencies for both DLL projects (zlib and libvmdk)

ExRxofS.png

-add specific preprocessor definitions to zlib project :

vsnprintf=_vsnprintf;snwprintf=_snwprintf;open=_open;read=_read;close=_close;write=_write

neDR5uv.png?1

And voila :)

You should end up with the below, i.e a dependency to a msvcrt.dll

lcahBQh.png

Avr 212019
 

Following some notes around netcat here and here.

Some extra commands to backup a disk over the network :

-listen on port 9000 and dump the raw file
nc -v -l -p 9000 > dump.img
(restore with nc -v -l -p 9000 < dump.img)

-same but compressed with lz4 via stdin
nc -v -l -p 9000 | lz4.exe -1 stdin -f dump.lz4
(restore with lz4 -l -c dump.lz4 | nc -v -l -p 9000
and not with nc -v -l -p 9000 -e « lz4.exe -c dump.lz4 »)

-the same but with 7zip
nc -v -l -p 9000 | 7z a dump.7z -si
(restore with 7z e dump.7z -so | nc -v -l -p 9000)

-the same but with bzip2
nc -v -l -p 9000 | bzip2 -z > dump.gz
(restore with bzip2 -cd < dump.gz | nc -v -l -p 9000)

 

lz4 can be downloaded here.
bzip2 can be downloaded here.
7-zip can be downloaded here.
netcat can be downloaded here.

Fév 242019
 

A few days ago, I have shared a, command line, layer 3 network sniffer based on windivert (netdump here).

The command line version offers a few options like capture or not, choose the network layer or the forward layer, etc …

Thus, sometimes it is also nice to have a simple(« start/stop ») GUI.
Now done.
Source code and binaries here on github as usual…
This version will automatically save the capture to a dated pcap file.

https://imgur.com/nLQJnRl.png

Fév 242019
 

An interesting article about how to perform a network capture when no tools are installed locally.

Here.

In short, example :

1-netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

2-netsh trace stop

3-get your capture in %userprofile%\AppData\Local\Temp\NetTraces\NetTrace.etl
-open with Microsoft’s Message Analyzer app
or
-convert it with

$s = New-PefTraceSession -Path “C:\output\path\spec\OutFile.Cap” -SaveOnStop
$s | Add-PefMessageProvider -Provider “C:\input\path\spec\Input.etl”
$s | Start-PefTraceSession

Fév 232019
 

Lets play with Winpcap.

Quoting the winpcap web site : « WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers ».

Lets use it to perform a quick and easy man-in-the-middle-attack with arp spoofing.

Quoting wikipedia : « a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other ».

Source code and binaries are available here.

Usage is:
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2

Example:
arpspoof.exe 0 192.168.1.125 192.168.1.250
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2
ip1:192.168.1.125 mac1:001DE0-567737
ip2:192.168.1.250 mac2:C05627-B7FD32
spoofed mac:94DE80-C2A41E
sending packets…press a key to stop…

192.168.1.125 is victim (a computer on my network).
192.168.1.250 is my network gateway/router on my network.
94DE80-C2A41E is my mac address (i.e the attacker mac address).

192.168.1.125 will believe that mac address of the router (192.168.1.250) is mine i.e 94DE80-C2A41E.
192.168.1.250 will believe that mac address of the victim (192.168.1.125) is mine i.e 94DE80-C2A41E.
In effect all traffic between these 2 hosts will go thru my computer.

One important thing not to forget : enable forwarding on your computer or else all traffic between these 2 hosts will be dropped.
How? easy :
-check your interfaces : netsh interface ipv4 show interfaces
-enable forwarding on the desired interface : netsh interface ipv4 set interface x forwarding= »enabled »

Now you can perform an attack with intercept-dns from a previous article (dont forget to do a set layer=forward on the command line then).
Or simply sniff/capture the traffic with netdump.

Note that you could also use a GUI like Iptools to perform arpspoof.
See example screenshot here (C=client/victim, R=router).

Fév 222019
 

Still playing with Windivert (see original article here), this time we will intercept dns traffic and will modify the IP address in DNS replies containing A records.

The program will dynamically look for hostname to ip couples in a config.ini file.

Say that you want labalec.fr to resolve to 192.168.1.144, then you would create the below ini file and launch intercept-dns 53.


[labalec.fr]
ip=192.168.1.144

Additionally, if you set a dos environement variable like set layer=forward, then you can also use this program in a man-in-the-middle attack (which could lead to another article) to divert forwarded traffic.

The source and binary is available on my github.

The code still has some limitations :
-non existing dns a records replies are not handled
-only replies with one answer are handled

Fév 182019
 

Last article of a series of 4 articles.

This time, we will push it a bit further on the certificate side (using SAN field) as modern browsers like Chrome demand this field :

-divert dns traffic to a rogue local dns server : see here

-spoof a remote hostname with our local ip (using tool in step above) – these 2 steps could be skipped if you modify your local hosts file.

-setup a https server locally with a « self signed » certificate (see below)

First our root ca (dont forget to add in your ca store):
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Lets add it to our root certificate authorities : certutil -enterprise -f -v -addstore « root » rootCA.pem

Second our CSR:
modify our openssl.cnf accordingly : add subjectAltName=DNS:fakedomain.com,DNS:*.fakedomain.com under section v3_req
set the path to your your cnf file with set OPENSSL_CONF=c:\_apps\OpenSSL\ssl\openssl.cnf
generate your csr
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out fakedomain.csr

About the CN, enter « fakedomain.com »

Last, our CRT (the trick is is to point at your cnf or else the SAN field will not be taken care of)
openssl x509 -req -in fakedomain.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out fakedomain.crt -days 500 -sha256 -extfile c:\_apps\openssl\ssl\openssl.cnf

And tada, launch your chrome browser and browse https://www.fakedomain.com/ and chrome will be happy.