Fév 032019
 

Still playing with Windivert (see original article here), I this time decided to code a transparent proxy.

Principle is the following : divert a destination port (say tcp:80) to a new destination_ip:port.

On the destination ip, i am running privoxy (but any proxy supporting transparent mode would do).
In privoxy config file, I am setting accept-intercepted-requests=1 .

This will be completely transparent for the source application.

Nothing really fancy in the code except may be me storing the orginal remote ip (which we will need to re apply on the traffic back) in an array dynamic_source_port=remote_ip.

Source code can be found here.
Binary is here.

Jan 272019
 

In a previous article, I did comment on a nice opensource library (Windivert) and shared a basic freepascal demo to use it.

This time I used this library to redirect (or reuse) a port used by another application or service.

It could be handy to fool firewalls or to hijack traffic going to a service.

One of the best example that come to my mind is to redirect port 445 to a an application/shell of your own listening on port 1337.
Something you could not achieve like netsh port redirect as the port is already in use and/or used by a kernel service (SMB in our case).

The command line would then be tcpredir 445 1337.

Download it here.
Source code here.

One possible application example:

-divert local port 445 to port 1337
-set up a smb server on port 1337

https://i.imgur.com/kSCrC9M.png

Jan 272019
 

Quoting the original web site (here) :

Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package for Windows 2008, Windows 7, Windows 8, Windows 10 and Windows 2016.

WinDivert allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack. In summary, WinDivert can:

capture network packets
filter/drop network packets
sniff network packets
(re)inject network packets
modify network packets
WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc.

The main features of WinDivert include:

packet interception, sniffing, or dropping modes
supports loopback (localhost) traffic
full IPv6 support
network layer
simple yet powerful API
high-level filtering language
filter priorities
silent installation
freely available under the terms of the GNU Lesser General Public License (LGPL)

Similar to the raw socket sniffer (here), i have shared a demo (in freepascal) here.

Because windivert is a kernel driver, issues inherent to the windows raw sockets will not apply here.