Jan 21 2019

You have a volume you want to back up, but it is a live volume: some apps are constantly writing to it, so you need to back up a snapshot.

Let's use CloneDisk and VSCSC.

On the command line:
- Create a shadow volume copy: vscsc.exe -wait f:

In CloneDisk:
- Assign an x: logical drive letter to the shadow volume copy (step 1 below). This step is optional.
- Back up this x: logical drive, or the dosdevice if you did not assign a letter, to a file (step 2 below).

You can now restore from this file but also open it in 7zip, mount it with imdisk, etc.

Jan 06 2019

A slight update to the previous version.

The syntax is now:

dnsping 0.6 by erwan2212@gmail.com
usage: dnsping query nameserver query
usage: dnsping query nameserver query delay_seconds
usage: dnsping cache
usage: dnsping flush
usage: dnsping add nameserver hostname ip
usage: dnsping delete nameserver hostname ip

Additions are: cache & flush, add & delete (against a MS DNS server).

Download here.

Source code is here.

Jan 04 2019

Windows uses multiple mechanisms to resolve local hostnames: the local hosts file, DNS, NetBIOS name service (NBT-NS) and LLMNR.
When a host does not exist in the local hosts file or on the DNS server, Windows then broadcasts/multicasts the request over UDP.
This means we can (1) capture these requests and (2) spoof a response over UDP.

xDNS Sniffer is a demo, written in Delphi 7, that uses Windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR in order to abuse local name resolution.
Sending spoofed packets is possible because these protocols use UDP.
This code is a variant of, and builds upon, the previous demo discussed here.

Code can be found on Github.

Binary can be downloaded here.

Command line is: snif localip name_to_spoof.
snif.exe WPAD (will abuse WPAD requests and send back local ip)
snif.exe * (will abuse all local requests and send back local ip)
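
From the defender's side, the same UDP traffic can be watched for hosts that answer names which should never resolve over multicast. The following is an added example, not part of xDNS Sniffer or the original post: it parses LLMNR messages (DNS wire format, UDP 5355) and reports any source that sends a response for a watched name. The watched names, the IP addresses and the sample packets are constructed for illustration.

```python
import struct

# Names that should never resolve via multicast on this network (assumption:
# no host is called "wpad"; "canary-7f3a" is a made-up decoy name).
WATCHED = {"wpad", "canary-7f3a"}

def parse_llmnr(payload):
    """Parse one LLMNR message (DNS wire format, single question)."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qd != 1:
        raise ValueError("LLMNR messages carry exactly one question")
    off, labels = 12, []
    while (n := payload[off]):                  # length-prefixed labels
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    off += 5                                    # root label + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        if payload[off] & 0xC0 == 0xC0:         # compressed owner name
            off += 2
        else:                                   # uncompressed owner name
            while payload[off]:
                off += 1 + payload[off]
            off += 1
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(".".join(map(str, payload[off:off + 4])))
        off += rdlen
    return {"response": bool(flags & 0x8000),
            "name": ".".join(labels).lower(), "addrs": addrs}

def find_suspect_responders(packets, watched=WATCHED):
    """packets: (source_ip, udp_payload) pairs; returns answers to watched names."""
    alerts = []
    for src, payload in packets:
        try:
            msg = parse_llmnr(payload)
        except (ValueError, IndexError, struct.error):
            continue                            # not a well-formed LLMNR message
        if msg["response"] and msg["name"] in watched:
            alerts.append((src, msg["name"], msg["addrs"]))
    return alerts

# Constructed capture: WPAD query, an answer to it, an unrelated answer, junk.
SAMPLE = [
    ("192.168.1.20", bytes.fromhex("1a2b0000000100000000000004777061640000010001")),
    ("192.168.1.66", bytes.fromhex("1a2b8000000100010000000004777061640000010001c00c000100010000001e0004c0a80142")),
    ("192.168.1.10", bytes.fromhex("0002800000010001000000000a66696c6573657276657200" "00010001c00c000100010000001e0004c0a8010a")),
    ("192.168.1.30", b"\x00\x01"),
]
```

Running `find_suspect_responders(SAMPLE)` flags only 192.168.1.66, the host that answered the WPAD query.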