network – Page 2 – Erwan's Blog

Capture and spoof NBT NS and LLMNR packets

Jan 042019

Windows uses multiple mechanisms to resolve local hostnames : local hosts file, DNS, netbios name service, LLMNR.
When a host does not exist in the local hosts file or DNS server, windows then broadcast/multicast the request using UDP protocol.
This means we can (1) capture these requests and (2) spoof a response over UDP.

xDNS Sniffer is demo, written in delphi7, using windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR to abuse local name resolution.
Sending spoofed packets is possible because these protocols are using UDP.
This code is variant/built upon previous demo discussed here.

Code can be found on Github.

Binary can be downloaded here.

Command line is : snif localip name_to_spoof.
Examples:
snif.exe 192.168.1.144 WPAD (will abuse WPAD requests and send back local ip)
snif.exe 192.168.1.144 * (will abuse all local requests and send back local ip)

snif : raw sockets sniffer update

network 1 Response »

Déc 292018

Following a previous article, I found out that windows 10 is filtering out incoming packets if the listening application is not explicitly allowed on the local firewall.

Therefore snif.exe now has a new parameter allowing one to introduce a temp local firewall exception for snif.exe.

The command line help is also more explicit.

snif [localip:x.x.x.x] [proto:udp|tcp|icmp] [port:1-65535] [catpure:0|1] [firewall:0|1]

Download here.

Edit [Feb 01,2019]
Note that « snif » is very similar to RawCap except that :
-rawcap does not take care of the firewall
-is depending on dotnet
-is not open source

Windows raw sockets

network No Responses »

Déc 292018

Following previous article, I did some more googling around windows raw sockets feature and found this interesting article.

And in particular this part when weighting the pros and cons of using windows raw sockets :

Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:

· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).

· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.

· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).

· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.

Yet another raw sockets capture proggie

delphi, network 3 Responses »

Déc 272018

Working in IT, I use Wireshark almost every day.
This software is just great : free, opensource and will probably take me a lifetime to master it all as there are so many things you can do with it.

However, there are times where you need a driverless and standalone software i.e a software which does not require any installation on your production server.
Indeed, I have seen cases where network may be interrupted for a short while or even worse, cases where the server would BSOD (on old winpcap versions thus).
Furthermore, in some situation you may wish to capture traffic over a VPN interface or over localhost : both actions which wireshark (or rather winpcap) can not perform.

That’s where the windows raw socket feature comes in handy : built in windows feature and can snif over VPN or localhost.
Read more about windows raw sockets here.

Raw sniffer is a command line tool meant to capture IP traffic built around windows raw sockets..
You can pipe out to a text file (and later parse it in excel) or generate a cap file which you can later open with wireshark.
Source code is on github.

It takes simple command line parameters : snif [localip] [proto] [port] [0:1]

Some possible usage :
-snif 127.0.0.1 * * 1 : will capture all traffic on localhost to the console AND dump all traffic to a cap file
-snif 127.0.0.1 tcp 80 1 : will filter on http traffic on localhost to the console AND dump all traffic to to a cap file
-snif * udp * 0 : will filter on udp traffic on selected interface to the console

note : if you dont see your incoming traffic, allow snif.exe on your windows firewall – this could do the trick.

Download here

Yet another IP Subnet Calculator

network No Responses »

Déc 252018

There are many IP Subnet Calculators out there.

Some of them being online are great like this http://www.subnet-calculator.com/subnet.php?net_class=C.

Still, here comes another one, portable, not requiring any dependencies (like dotnet, java, C runtime, etc).

Download here

Libnfs part two

delphi, network No Responses »

Déc 152018

In a previous article, I released a GUI for libnfs library.

This time, I’ll release a command line tool allowing one to perform simple tasks against NFS exports.

nfsclient 0.1 by erwan2212@gmail.com nfsclient 0.1 discover nfsclient 0.1 read nfs://server/export/filename nfsclient 0.1 write nfs://server/export/ local_filename nfsclient 0.1 dir nfs://server/export/

Download here.
Discuss here.

Having fun with StarWind Virtual SAN Free and differencing virtual disks : article #2

Boot, iscsi, network, PXE 1 Response »

Nov 022018

See previous article to understand why and what.

Previously we have created our master / parent disk.

Lets now create our differencing / child disks using our host (windows 8.1) virtual disk capabilities.

Lets do it in one batch.

rem list disks before vmount disks rem create child1 against parent iscsi.vhd vmount createchild e:\_images\child1.vhd e:\_images\iscsi.vhd rem create child2 against parent iscsi.vhd vmount createchild e:\_images\child2.vhd e:\_images\iscsi.vhd rem attach child1 without assigning any letter to it vmount attach e:\_images\child1.vhd noletter rem attach child2 without assigning any letter to it vmount attach e:\_images\child2.vhd noletter rem list disks vmount disks rem check attributes of disk2 vmount attributes 2 rem check attributes of disk3 vmount attributes 3 rem disk3 is most probably offline because of disk signature collision between disk2 and disk3 rem lets force it online : windows will generate a new signature rem make sure to use a BCD using LOCATE and not using disk signature or else bootmgr will error rem more about locate here http://www.mistyprojects.co.uk/documents/BCDEdit/files/device_locate.htm vmount online 3

Notice how the second virtual disk now has a different signature (since we forced it online…).

Tiny PXE Server guide

network, PXE, TinyPXE Server 2 Responses »

Fév 032018

Comprehensive guide for Tiny PXE Server here.

Million thanks to Misty on reboot.pro.

DD-WRT and Linksys WRT1200ac

network No Responses »

Déc 262017

Lately I decided to flash my Linksys wrt1200ac with dd-wrt as Linksys obviously dropped support for this nice hardware (no more firmware updates for a long time).
Not to mention that the vendor firmware is extremely basic (not to say limited…).

Once I had flashed the device with the proper firmware, next step for me was to monitor bandwidth from my domotic/monitoring box (jeedom).

The most obvious track was snmp (dd-wrt feature) – Helas, the snmp daemon does not implement counter64 snmp values so this is useless.
Next step was to use some curl/awk/grep script like curl -u root:password http://192.168.1.250/Status_Internet.asp, etc but the web pages heavily rely on javascript so here again, curl was a dead end.

I finally resorted to remotely read values from the device nvram using a script around ssh : not the most elegant way, but the only one I could work out.

The below will retrieve the day/month/year value from my Linksys wrt1200ac based on dd-wrt.
Note, I had to use ssh-keygen & ssh-copy-id to be able to ssh without having to provide a password.
Or alternatively, copy the root id_rsa.pub public key to the wrt authorized keys (tip: use sudo su on rpi to switch to your root account).

#!/bin/bash
read YYYY MM DD <<<$(date +'%Y %m %d')
#echo 'nvram get traff-'$MM'-'$YYYY
sudo ssh root@192.168.1.250 -q 'nvram get traff-'$MM'-'$YYYY | awk '{print $'$DD'}' | awk -F ":" '{print $1}'

Tiny PXE Server 1.0.0.21 changelog

network, PXE, TinyPXE Server 6 Responses »

Oct 312017

1.0.0.21
modified : dns proxy will read entries from config.ini (section=hostname,ident=ip), no more from hosts file
added : right click open config.ini
added : right click open root_path
fixed : share folder will now add everyone read-only on share permissions
added : share is created with STYPE_TEMPORARY flag, i.e will not survive a reboot
added : TPS will answer to specific ‘discovery’ messages (see discover.zip)
fixed : wsMinimized=1 was preventing form_show and load_config
added : each daemon will report on which ip it is listening (useful to troubleshoot)
added : syslogd will read ip under [syslog] in config.ini if one wants to bind to a specific interface (instead of 0.0.0.0 by default)
fixed : error handling in log_memo to avoid a possible date bug
fixed : httpd could not list files/folder in a non indexed folder
modified : ucimp.pas uses winsock, not wsck
modified : iphlpapi_helper.pas uses winsock, not wsck
modified : usnoop uses winsock, not wsck
modified : iptypes uses winsock, not wsck
modified : removed ipheader unit in main form
modified : TPS does not use wsck unit anymore

Discuss it here.
Download here.

Older Entries Newer Entries