Juil 252019
 

I had done a few proxies for ImDisk in the past based on the libyal libraries (vmdkqcowvhdewf).

This time, as the VDI image format is quite simple, I made my own proxy for VDI images.

Imdisk + Discutils could achieve the same except that discutils requires .Net 4.0 which is not always available.

As always the command line :

« server » -> devio –dll=proxy.dll;dllopen shm:test_proxy c:\temp\freedos.vdi
« client » -> imdisk -a -t proxy -o shm -o ro -f test_proxy -m x:
Use the start command in front of devio if you want to stuff it all in one batch.

Download/Discuss here.

Juil 222019
 

A demo to run a encrypted xored encrypted PE within the memory of another PE (and therefore possibly bypass anti virus softwares)

See https://github.com/erwan2212/XOR-freepascal about xoring / encrypting a file.

Code is currently set to use cmd.exe (x86/x64) as target host.

host32.exe/host64.exe are also provided in the zip if you wish the modify the code to use a « neutral » host.

Source code and binaries can be found here.

Mai 082019
 

I have added a 2 extra formats in latest version : VHD/VHDX and LZ4.

VHD/VHDX is using MS virtual disk API and LZ4 is using opensource LZ4 library.

While at it, I also added extra WIM compression methods (LZX and LZMS).

 

LZ4 is quite interesting as in some cases it is faster to compress thru LZ4 compared to using a RAW format and this despite the CPU overhead.

LZ4 files generated by Clonedisk are compatible with LZ4.exe.

 

 

VH7E1Fe.png

Avr 242019
 

How to rebuild libvmdk (and possibly any VC project) so that it depends on msvcrt.dll and no longer on msvcrtxxx.dll.

Copy/paste from this post for archiving.

-first install VC2008 express (but should be OK with VC2010 express and possibly newer VS platforms)

-install WDK 7.1

-modify your VC2008 IDE settings search paths (include and libraries) by adding WDK 7.1 paths first in the list

XuK0hGN.png

seLkgHG.png

-add msvcrt « legacy translator » library (msvcrt_win2000.obj) to Linker -> Input -> Additional Dependencies for both DLL projects (zlib and libvmdk)

ExRxofS.png

-add specific preprocessor definitions to zlib project :

vsnprintf=_vsnprintf;snwprintf=_snwprintf;open=_open;read=_read;close=_close;write=_write

neDR5uv.png?1

And voila :)

You should end up with the below, i.e a dependency to a msvcrt.dll

lcahBQh.png

Avr 212019
 

Following some notes around netcat here and here.

Some extra commands to backup a disk over the network :

-listen on port 9000 and dump the raw file
nc -v -l -p 9000 > dump.img
(restore with nc -v -l -p 9000 < dump.img)

-same but compressed with lz4 via stdin
nc -v -l -p 9000 | lz4.exe -1 stdin -f dump.lz4
(restore with lz4 -l -c dump.lz4 | nc -v -l -p 9000
and not with nc -v -l -p 9000 -e « lz4.exe -c dump.lz4 »)

-the same but with 7zip
nc -v -l -p 9000 | 7z a dump.7z -si
(restore with 7z e dump.7z -so | nc -v -l -p 9000)

-the same but with bzip2
nc -v -l -p 9000 | bzip2 -z > dump.gz
(restore with bzip2 -cd < dump.gz | nc -v -l -p 9000)

 

lz4 can be downloaded here.
bzip2 can be downloaded here.
7-zip can be downloaded here.
netcat can be downloaded here.

Fév 242019
 

A few days ago, I have shared a, command line, layer 3 network sniffer based on windivert (netdump here).

The command line version offers a few options like capture or not, choose the network layer or the forward layer, etc …

Thus, sometimes it is also nice to have a simple(« start/stop ») GUI.
Now done.
Source code and binaries here on github as usual…
This version will automatically save the capture to a dated pcap file.

https://imgur.com/nLQJnRl.png

Fév 242019
 

An interesting article about how to perform a network capture when no tools are installed locally.

Here.

In short, example :

1-netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

2-netsh trace stop

3-get your capture in %userprofile%\AppData\Local\Temp\NetTraces\NetTrace.etl
-open with Microsoft’s Message Analyzer app
or
-convert it with

$s = New-PefTraceSession -Path “C:\output\path\spec\OutFile.Cap” -SaveOnStop
$s | Add-PefMessageProvider -Provider “C:\input\path\spec\Input.etl”
$s | Start-PefTraceSession

Fév 232019
 

Lets play with Winpcap.

Quoting the winpcap web site : « WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers ».

Lets use it to perform a quick and easy man-in-the-middle-attack with arp spoofing.

Quoting wikipedia : « a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other ».

Source code and binaries are available here.

Usage is:
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2

Example:
arpspoof.exe 0 192.168.1.125 192.168.1.250
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2
ip1:192.168.1.125 mac1:001DE0-567737
ip2:192.168.1.250 mac2:C05627-B7FD32
spoofed mac:94DE80-C2A41E
sending packets…press a key to stop…

192.168.1.125 is victim (a computer on my network).
192.168.1.250 is my network gateway/router on my network.
94DE80-C2A41E is my mac address (i.e the attacker mac address).

192.168.1.125 will believe that mac address of the router (192.168.1.250) is mine i.e 94DE80-C2A41E.
192.168.1.250 will believe that mac address of the victim (192.168.1.125) is mine i.e 94DE80-C2A41E.
In effect all traffic between these 2 hosts will go thru my computer.

One important thing not to forget : enable forwarding on your computer or else all traffic between these 2 hosts will be dropped.
How? easy :
-check your interfaces : netsh interface ipv4 show interfaces
-enable forwarding on the desired interface : netsh interface ipv4 set interface x forwarding= »enabled »

Now you can perform an attack with intercept-dns from a previous article (dont forget to do a set layer=forward on the command line then).
Or simply sniff/capture the traffic with netdump.

Note that you could also use a GUI like Iptools to perform arpspoof.
See example screenshot here (C=client/victim, R=router).