Jan 272019
 

In a previous article, I did comment on a nice opensource library (Windivert) and shared a basic freepascal demo to use it.

This time I used this library to redirect (or reuse) a local port used by another application or service to another local port.

It could be handy to fool firewalls or to hijack traffic going to a service.

One of the best example that come to my mind is to redirect local port 445 to a an application/shell of your own listening on local port 1337.
Something you could not achieve like netsh port redirect as the port is already in use and/or used by a kernel service (SMB in our case).

The command line would then be tcpredir 445 1337.

Source code and binaries on Github.

One possible application example:

-divert local port 445 to port 1337
-set up a smb server on port 1337

https://i.imgur.com/kSCrC9M.png

Jan 272019
 

Quoting the original web site (here) :

Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package for Windows 2008, Windows 7, Windows 8, Windows 10 and Windows 2016.

WinDivert allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack. In summary, WinDivert can:

capture network packets
filter/drop network packets
sniff network packets
(re)inject network packets
modify network packets
WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc.

The main features of WinDivert include:

packet interception, sniffing, or dropping modes
supports loopback (localhost) traffic
full IPv6 support
network layer
simple yet powerful API
high-level filtering language
filter priorities
silent installation
freely available under the terms of the GNU Lesser General Public License (LGPL)

Similar to the raw socket sniffer (here), i have shared a demo (in freepascal) here.

Because windivert is a kernel driver, issues inherent to the windows raw sockets will not apply here.

Jan 212019
 

You have this volume you want to backup but this is a live volume : some apps are constantly writting to it and you need to backup a snapshot.

Lets use CloneDisk and VSCSC

On the command line :
-Lets create a shadow volume copy : vscsc.exe -wait f:
In CloneDisk :
-lets assign a x: logical drive letter to our shadow volume copy (step 1 below) -> this step is optional
-lets backup this x: logical drive, or dosdevice if you did not assign a letter, to a file (step 2 below)

You can now restore from this file but also open it in 7zip, mount it with imdisk, etc.

Jan 062019
 

A slight update to previous version.

Syntax now is


dnsping 0.6 by erwan2212@gmail.com
usage: dnsping query nameserver query
usage: dnsping query nameserver query delay_seconds
usage: dnsping cache
usage: dnsping flush
usage: dnsping add nameserver hostname ip
usage: dnsping delete nameserver hostname ip

Additions are : cache & flush, add & delete (against a MS DNS server).

Download here.

Source code is here.

Jan 042019
 

Windows uses multiple mechanisms to resolve local hostnames : local hosts file, DNS, netbios name service, LLMNR.
When a host does not exist in the local hosts file or DNS server, windows then broadcast/multicast the request using UDP protocol.
This means we can (1) capture these requests and (2) spoof a response over UDP.

xDNS Sniffer is demo, written in delphi7, using windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR to abuse local name resolution.
Sending spoofed packets is possible because these protocols are using UDP.
This code is variant/built upon previous demo discussed here.

Code can be found on Github.

Binary can be downloaded here.

Command line is : snif localip name_to_spoof.
Examples:
snif.exe 192.168.1.144 WPAD (will abuse WPAD requests and send back local ip)
snif.exe 192.168.1.144 * (will abuse all local requests and send back local ip)