Déc 292018

Following a previous article, I found out that windows 10 is filtering out incoming packets if the listening application is not explicitly allowed on the local firewall.

Therefore snif.exe now has a new parameter allowing one to introduce a temp local firewall exception for snif.exe.

The command line help is also more explicit.

snif [localip:x.x.x.x] [proto:udp|tcp|icmp] [port:1-65535] [catpure:0|1] [firewall:0|1]

Download here.

Edit [Feb 01,2019]
Note that « snif » is very similar to RawCap except that :
-rawcap does not take care of the firewall
-is depending on dotnet
-is not open source

Déc 292018

Following previous article, I did some more googling around windows raw sockets feature and found this interesting article.

And in particular this part when weighting the pros and cons of using windows raw sockets :

Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:

· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).

· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.

· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).

· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.

Déc 282018

Since windows XP, windows has a built-in host-based firewall.
A decent firewall where one can allow or block traffic based on executable and/or source/destination/protocol.

Thus, you may not always have access to the MMC (wf.msc) and the console GUI is not always straightforward but rather wizard oriented.

Windows Firewall GUI is a « one window does it all » standalone executable running on windows 7 up to latest windows 10 version.

Probably more important, as the GUI is quite simple and possibly redundant with existing windows functionalities, source code is available (on my github) as well so others may build onto it.

One can :
-view all rules at once
-sort and export to HTML
-delete a rule
-add a rule
-enable/disable a rule
-enable/disable the firewall
-turn on/off logging (dropped packets)
-open and monitor the windows firewall log
-get current profile (domain/private/public)
-get default inbound/outbound action for current profile
-restore local windows firewall defaults

Download here.

Déc 272018

Working in IT, I use Wireshark almost every day.
This software is just great : free, opensource and will probably take me a lifetime to master it all as there are so many things you can do with it.

However, there are times where you need a driverless and standalone software i.e a software which does not require any installation on your production server.
Indeed, I have seen cases where network may be interrupted for a short while or even worse, cases where the server would BSOD (on old winpcap versions thus).
Furthermore, in some situation you may wish to capture traffic over a VPN interface or over localhost : both actions which wireshark (or rather winpcap) can not perform.

That’s where the windows raw socket feature comes in handy : built in windows feature and can snif over VPN or localhost.
Read more about windows raw sockets here.

Raw sniffer is a command line tool meant to capture IP traffic built around windows raw sockets..
You can pipe out to a text file (and later parse it in excel) or generate a cap file which you can later open with wireshark.
Source code is on github.

It takes simple command line parameters : snif [localip] [proto] [port] [0:1]

Some possible usage :
-snif * * 1 : will capture all traffic on localhost to the console AND dump all traffic to a cap file
-snif tcp 80 1 : will filter on http traffic on localhost to the console AND dump all traffic to to a cap file
-snif * udp * 0 : will filter on udp traffic on selected interface to the console

note : if you dont see your incoming traffic, allow snif.exe on your windows firewall – this could do the trick.

Download here

Déc 162018

In a previous article, I showed how to setup a « proxy » for ImDisk thru devio to mount an EWF file.

This time, lets do it with a VHDI file (using external libyal library).

The command lines for the proxy and ImDisk are below :

To launch the proxy : devio –dll=proxy.dll;dllopen shm:test_proxy c:\test.vhd.

To use the proxy from ImDisk : imdisk -a -t proxy -o shm -o ro -f test_proxy -m Z: .


Déc 152018

In a previous article, I released a GUI for libnfs library.

This time, I’ll release a command line tool allowing one to perform simple tasks against NFS exports.

nfsclient 0.1 by erwan2212@gmail.com
nfsclient 0.1 discover
nfsclient 0.1 read nfs://server/export/filename
nfsclient 0.1 write nfs://server/export/ local_filename
nfsclient 0.1 dir nfs://server/export/

Download here.
Discuss here.

Déc 152018

Lately I have discovered libnfs.
I quote « LIBNFS is a client library for accessing NFS shares over a network. ».

It is well documented and easy to use with Delphi (or freepascal).

I have decided to build a lightweight NFS client with simple features : discover, list directories, read & write files.

That could be handy at some point with either CloneDisk or TinyPXE Server.

Download here.
Discuss here.

Déc 022018

In previous article, we have seen how to flash an ESP8266 with ESPEasy.

Lets now see how easy it is to use a sensor such as a DHT11 temperature/humidity sensor.

Lets wire 3v3 and ground and data to our esp8266 gpio 0.

Now, simply add a device on port GPIO 0 and pick a type « Environment – DHT11/12/22 ».

And your ESPEasy should now report temperature and humidity.