TCPRedir

 network  No Responses »
Jan 272019
 

In a previous article, I did comment on a nice opensource library (Windivert) and shared a basic freepascal demo to use it.

This time I used this library to redirect (or reuse) a local port used by another application or service to another local port.

It could be handy to fool firewalls or to hijack traffic going to a service.

One of the best example that come to my mind is to redirect local port 445 to a an application/shell of your own listening on local port 1337.
Something you could not achieve like netsh port redirect as the port is already in use and/or used by a kernel service (SMB in our case).

The command line would then be tcpredir 445 1337.

Source code and binaries on Github.

One possible application example:

-divert local port 445 to port 1337
-set up a smb server on port 1337

https://i.imgur.com/kSCrC9M.png

Windivert : a user-mode packet capture-and-divert package for Windows

 network  4 Responses »
Jan 272019
 

Quoting the original web site (here) :

Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package for Windows 2008, Windows 7, Windows 8, Windows 10 and Windows 2016.

WinDivert allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack. In summary, WinDivert can:

capture network packets
filter/drop network packets
sniff network packets
(re)inject network packets
modify network packets
WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc.

The main features of WinDivert include:

packet interception, sniffing, or dropping modes
supports loopback (localhost) traffic
full IPv6 support
network layer
simple yet powerful API
high-level filtering language
filter priorities
silent installation
freely available under the terms of the GNU Lesser General Public License (LGPL)

Similar to the raw socket sniffer (here), i have shared a demo (in freepascal) here.

Because windivert is a kernel driver, issues inherent to the windows raw sockets will not apply here.

CloneDisk : do a live backup of a volume

 clonedisk  1 Response »
Jan 212019
 

You have this volume you want to backup but this is a live volume : some apps are constantly writting to it and you need to backup a snapshot.

Lets use CloneDisk and VSCSC

On the command line :
-Lets create a volume shadow copy : vscsc.exe -wait f:
In CloneDisk :
-lets assign a x: logical drive letter to our shadow volume copy (step 1 below) -> this step is optional
-lets backup this x: logical drive, or dosdevice if you did not assign a letter, to a file (step 2 below)

You can now restore from this file but also open it in 7zip, mount it with imdisk, etc.

DNSPING v0.6

 network  No Responses »
Jan 062019
 

A slight update to previous version.

Syntax now is


dnsping 0.6 by erwan2212@gmail.com
usage: dnsping query nameserver query
usage: dnsping query nameserver query delay_seconds
usage: dnsping cache
usage: dnsping flush
usage: dnsping add nameserver hostname ip
usage: dnsping delete nameserver hostname ip

Additions are : cache & flush, add & delete (against a MS DNS server).

Download here.

Source code is here.

Capture and spoof NBT NS and LLMNR packets

 network  No Responses »
Jan 042019
 

Windows uses multiple mechanisms to resolve local hostnames : local hosts file, DNS, netbios name service, LLMNR.
When a host does not exist in the local hosts file or DNS server, windows then broadcast/multicast the request using UDP protocol.
This means we can (1) capture these requests and (2) spoof a response over UDP.

xDNS Sniffer is demo, written in delphi7, using windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR to abuse local name resolution.
Sending spoofed packets is possible because these protocols are using UDP.
This code is variant/built upon previous demo discussed here.

Code can be found on Github.

Binary can be downloaded here.

Command line is : snif localip name_to_spoof.
Examples:
snif.exe 192.168.1.144 WPAD (will abuse WPAD requests and send back local ip)
snif.exe 192.168.1.144 * (will abuse all local requests and send back local ip)

snif : raw sockets sniffer update

 network  1 Response »
Déc 292018
 

Following a previous article, I found out that windows 10 is filtering out incoming packets if the listening application is not explicitly allowed on the local firewall.

Therefore snif.exe now has a new parameter allowing one to introduce a temp local firewall exception for snif.exe.

The command line help is also more explicit.

snif [localip:x.x.x.x] [proto:udp|tcp|icmp] [port:1-65535] [catpure:0|1] [firewall:0|1]

Download here.

Edit [Feb 01,2019]
Note that « snif » is very similar to RawCap except that :
-rawcap does not take care of the firewall
-is depending on dotnet
-is not open source

Windows raw sockets

 network  No Responses »
Déc 292018
 

Following previous article, I did some more googling around windows raw sockets feature and found this interesting article.

And in particular this part when weighting the pros and cons of using windows raw sockets :

Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:

· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).

· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.

· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).

· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.

Windows Firewall Rules GUI

 Uncategorized  No Responses »
Déc 282018
 

Since windows XP, windows has a built-in host-based firewall.
A decent firewall where one can allow or block traffic based on executable and/or source/destination/protocol.

Thus, you may not always have access to the MMC (wf.msc) and the console GUI is not always straightforward but rather wizard oriented.

Windows Firewall GUI is a « one window does it all » standalone executable running on windows 7 up to latest windows 10 version.

Probably more important, as the GUI is quite simple and possibly redundant with existing windows functionalities, source code is available (on my github) as well so others may build onto it.

One can :
-view all rules at once
-sort and export to HTML
-delete a rule
-add a rule
-enable/disable a rule
-enable/disable the firewall
-turn on/off logging (dropped packets)
-open and monitor the windows firewall log
-get current profile (domain/private/public)
-get default inbound/outbound action for current profile
-restore local windows firewall defaults

Download here.

 Older Entries  Newer Entries