Dec 14, 2024
 

I have been using NordVPN for years now.

However, I never wanted to install the NordVPN client (too heavy, too many features I don't need).

Hence I have been using OpenVPN (config files can be downloaded from the NordVPN web site).

Lately I read that WireGuard was quicker and that NordVPN also supports this protocol (under the name NordLynx).

Below is the procedure I have been using to create a WireGuard config (not as friendly as OpenVPN…).

  1. Go to https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/ and create an access token. Treat it like a password (it is enough to pull your VPN credentials) and revoke it once you no longer need it.
  2. Get your private key:
curl -s -u token:<ACCESS_TOKEN> https://api.nordvpn.com/v1/users/services/credentials | jq -r .nordlynx_private_key
  3. Get server info (hostname, IP, city, country, server public key, load of the recommended server). The backslashes are needed because curl would otherwise treat the square brackets as a URL glob (curl -g is the alternative):
curl -s "https://api.nordvpn.com/v1/servers/recommendations?filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1" | jq -r ".[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load"
  4. Create the WireGuard config. It contains your private key, so save it with mode 600 (e.g. as nordvpn.conf) and bring it up with wg-quick up ./nordvpn.conf:
[Interface]
PrivateKey = <PRIVATE_KEY> # from step 2
Address = 10.5.0.2/32 # this IP is always the same
DNS = 9.9.9.9 # your favorite DNS server

[Peer]
PublicKey = <PUBLIC_KEY> # from step 3
AllowedIPs = 0.0.0.0/0, ::/0 # route everything
Endpoint = <ENDPOINT>:51820 # hostname or IP from step 3, the port is always the same
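The same steps 2 to 4 as a script, added here as an example (this is neither NordVPN's nor the original post's code). It reads the JSON fields the jq filter above reads; the API payload below is constructed, the two server keys and the private key are dummies (base64 of 32 identical bytes), and the assumption that the server public key is the metadata entry named "public_key" under the "wireguard_udp" technology is mine. It also checks that both keys look like WireGuard keys (32 bytes, base64) before writing anything, and creates the file with mode 600 from the start.

```python
"""Turn the NordVPN API answers from steps 2 and 3 into a WireGuard config."""
import base64
import binascii
import json
import os

WG_PORT = 51820              # from the post: the port is always the same
WG_ADDRESS = "10.5.0.2/32"   # from the post: the client address is always the same


def is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded (44 characters ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def pick_server(servers):
    """Lowest-load server that advertises wireguard_udp; returns (server, public key)."""
    best = None
    for srv in servers:
        pubkey = None
        for tech in srv.get("technologies", []):
            if tech.get("identifier") != "wireguard_udp":
                continue
            for meta in tech.get("metadata", []):
                if meta.get("name") == "public_key":      # assumption, see lead-in
                    pubkey = meta.get("value")
        if not pubkey or not is_wg_key(pubkey):
            continue                                      # no usable key: skip it
        if best is None or srv["load"] < best[0]["load"]:
            best = (srv, pubkey)
    if best is None:
        raise ValueError("no WireGuard-capable server in the API response")
    return best


def render_config(private_key, server, server_pubkey, dns="9.9.9.9"):
    """Same layout as the hand-written config in step 4."""
    if not is_wg_key(private_key):
        raise ValueError("nordlynx_private_key does not look like a WireGuard key")
    endpoint = server.get("station") or server["hostname"]   # station = server IP
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {WG_ADDRESS}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        "AllowedIPs = 0.0.0.0/0, ::/0",
        f"Endpoint = {endpoint}:{WG_PORT}",
        "",
    ])


def config_from_api_json(private_key, recommendations_json, dns="9.9.9.9"):
    """Glue: JSON text from step 3 + private key from step 2 -> config text."""
    server, pubkey = pick_server(json.loads(recommendations_json))
    return render_config(private_key, server, pubkey, dns)


def write_config(path, text):
    """Create the file 0600 up front: it contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


# Constructed stand-in for the step 3 API answer (limit=2); dummy keys, not real ones.
DUMMY_KEY_A = base64.b64encode(bytes([1]) * 32).decode()
DUMMY_KEY_B = base64.b64encode(bytes([2]) * 32).decode()
DUMMY_PRIVATE = base64.b64encode(bytes([3]) * 32).decode()
SAMPLE_RECOMMENDATIONS = json.dumps([
    {"hostname": "srv-a.example.net", "station": "198.51.100.10", "load": 23,
     "locations": [{"country": {"name": "France", "city": {"name": "Paris"}}}],
     "technologies": [{"identifier": "wireguard_udp",
                       "metadata": [{"name": "public_key", "value": DUMMY_KEY_A}]}]},
    # lower load, but no WireGuard: must not be picked
    {"hostname": "srv-b.example.net", "station": "198.51.100.11", "load": 7,
     "locations": [{"country": {"name": "France", "city": {"name": "Paris"}}}],
     "technologies": [{"identifier": "openvpn_udp", "metadata": []}]},
])

if __name__ == "__main__":
    cfg = config_from_api_json(DUMMY_PRIVATE, SAMPLE_RECOMMENDATIONS)
    write_config("nordvpn.conf", cfg)
    print(cfg)
```

Feed it the real output of the two curl commands (redirect them to files) and it picks the least loaded server that actually has a WireGuard key, which matters if you raise limit above 1.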



And indeed, whereas I was getting around 100 Mbit/s with OpenVPN on speedtest.net over a theoretical 1 Gbit/s line, I now reach 500 Mbit/s with WireGuard 🙂

PS: I was able to run this procedure on both Linux and Windows (you need curl and jq installed on your system).

Oct 29, 2023
 

Get the binaries (the libssh2-based ssh/sftp command-line tool used below) from here.

1. On your source host, generate an ssh key pair (private and public): ssh-keygen

2. Copy your public key to your target host

3. Add your public key to the authorized keys on your target host: cat id_rsa.pub >> .ssh/authorized_keys

And you should be done (sftp and ssh examples below).

SFTP from your source to target host using your private key: sftp --ip=192.168.1.126 --username=jeedom --privatekey=%homepath%\.ssh\id_rsa --local_filename=readme.md --command=put --debug=true

SSH from your source to target host using your private key: ssh --ip=192.168.1.126 --username=jeedom --privatekey=%homepath%\.ssh\id_rsa --debug=true

Note 1: libssh2 accepts private keys in both formats (RSA PRIVATE KEY, i.e. PEM, or OPENSSH PRIVATE KEY).

Note 2: libssh2 accepts public keys in OpenSSH format only (but it will derive the public key from the private key if you don't provide one).

Note 3: on Linux, you can convert a public key generated by OpenSSL (PEM/PKCS#8 format) to OpenSSH format with:

ssh-keygen -i -m PKCS8 -f public.pem > public.pub

Note 4: you can push your public key over a password-authenticated session like below (the password ends up in your shell history and in the process list, so change it afterwards):

ssh --ip=192.168.1.126 --username=jeedom --password=Mjeedom96 --put --filename=id_rsa.pub

ssh --ip=192.168.1.126 --username=jeedom --password=Mjeedom96 --delay=250 --command="cat id_rsa.pub >> .ssh/authorized_keys"

or (pipe in)

echo "cat id_rsa.pub >> .ssh/authorized_keys" | ssh --ip=192.168.1.126 --username=jeedom --password=Mjeedom96

Note 5: don't forget the permissions: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys (with StrictModes on, sshd silently ignores the file when it or the directory is writable by group/others), and check /var/log/auth.log if you still get access denied.

Note 6: if it still does not work, check /etc/ssh/sshd_config for the parameters below. PubkeyAuthentication and AuthorizedKeysFile are the ones that actually enable key authentication; RSAAuthentication is an SSH protocol 1 option that current OpenSSH ignores with a deprecation warning; the three +ssh-rsa lines re-enable RSA signatures with SHA-1, which OpenSSH 8.8 disabled by default, so only add them if your libssh2 build really cannot negotiate rsa-sha2-256/rsa-sha2-512, and prefer an ed25519 key (ssh-keygen -t ed25519) where the client supports it.

PubkeyAuthentication yes
RSAAuthentication yes
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
HostbasedAcceptedKeyTypes +ssh-rsa
AuthorizedKeysFile .ssh/authorized_keys
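Step 3 and Note 5 done the way I would script them on the target, as an added example (not part of this post and not the libssh2 tool's code): the pasted key line is checked (valid base64, and the key type inside the blob matches the leading keyword, which catches truncated or mangled copy/paste), an already-present key is not appended a second time, and the directory and file get exactly the modes sshd's StrictModes wants. The ed25519 key used by demo() is a dummy (32 zero bytes), not a real key, and the temporary .ssh directory it creates is mine.

```python
"""Append a public key to authorized_keys idempotently and with sane permissions."""
import base64
import binascii
import os
import stat
import struct
import tempfile


def parse_pubkey_line(line):
    """Return (keytype, base64 blob, comment) for one OpenSSH public-key line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64") from exc
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The wire blob starts with a length-prefixed copy of the key type string.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type keyword does not match the blob")
    return keytype, b64, comment


def add_authorized_key(pubkey_line, ssh_dir):
    """Append the key if absent. Returns True when added, False when already there."""
    keytype, b64, comment = parse_pubkey_line(pubkey_line)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                      # StrictModes: not writable by others
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        with open(path) as fh:
            for existing in fh:
                try:
                    t, b, _ = parse_pubkey_line(existing)
                except ValueError:
                    continue                      # comments, option-prefixed lines, junk
                if (t, b) == (keytype, b64):
                    return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(f"{keytype} {b64} {comment}".rstrip() + "\n")
    os.chmod(path, 0o600)                         # in case the file pre-existed
    return True


def dummy_ed25519_line(comment="dummy@example"):
    """Constructed ssh-ed25519 line: 32 zero bytes stand in for the public point."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo():
    """Add the same key twice into a fresh temp .ssh directory.

    Returns (added 1st, added 2nd, dir mode, file mode, number of lines)."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    line = dummy_ed25519_line()
    first = add_authorized_key(line, ssh_dir)
    second = add_authorized_key(line, ssh_dir)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path) as fh:
        count = len(fh.read().splitlines())
    return (first, second,
            stat.S_IMODE(os.stat(ssh_dir).st_mode),
            stat.S_IMODE(os.stat(path).st_mode), count)


if __name__ == "__main__":
    print(demo())   # (True, False, 0o700, 0o600, 1) on Linux
```

Lines carrying options (from="...", command="...") are deliberately skipped by the duplicate check, so a restricted copy of the same key is left alone; the function only refuses to append an exact plain duplicate.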

Oct 28, 2023
 

On both hosts:

Install GPG (download from here)

Generate a key pair: gpg --gen-key

List your public keys: gpg --list-keys (optional)

List your secret/private keys: gpg --list-secret-keys (optional)

On the host encrypting (aka the source):

Import the target key (i.e. from the host that will decrypt): gpg --import target.key

Ensure that the target's public key is now in your keyring, and compare its fingerprint with the one the target host shows you over another channel: gpg --fingerprint target

Encrypt your file with the target's public key: gpg -e -r target message.txt (or gpg --always-trust -e -r target message.txt if you don't want to be prompted about the public key not being trusted; that skips the trust check entirely, so only do it after comparing fingerprints)

note: more details here about user interaction.

On the host decrypting (aka the target):

Export your public key: gpg --export target > target.key (to be shared with the source host encrypting; add --armor if you want a text file you can paste)

Decrypt the file with your secret/private key: gpg message.txt.gpg (writes message.txt; use gpg -d message.txt.gpg to print it instead)

Jan 17, 2020
 

In previous articles we have seen how to decrypt DPAPI blobs.

DPAPI blobs are not always stored as stand-alone files.
They can live in different places (registry, config files, etc.) and in various encodings, such as hexadecimal strings but also base64 strings, etc.

Let's have a look at how Windows stores Wi-Fi passwords.

These are stored in XML profile files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces (the pre-shared key is the hex string inside the <keyMaterial> element).
They can easily be found with: dir %programdata% /s /a /b | findstr /i interfaces

When logged in as the user, you can decrypt one with the command below (the key is protected in the system DPAPI context, hence /system):

NTHASH-win64 /wlansvc /binary:C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{2799BE4D-A2D4-417D-A774-481DBE1FF7FC}\{98B3A77A-3A5A-44A1-81AE-DDB88A168B24}.xml /system

Good news is that we can also decrypt these offline.

Run the above command.
NTHASH will tell you that it failed to decrypt it BUT it will dump the blob to data.blob.

From there (using the same steps as in this article):
- use /decodeblob to identify the masterkey GUID
- use /decodemk to decrypt the masterkey (locate it with dir %systemroot%\System32\Microsoft\Protect /s /a /b | findstr /i myguid) using the DPAPI system key
- use /decodeblob again, this time supplying the SHA1 key obtained in the previous step
- done 🙂
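What the first /decodeblob step extracts from the profile, as an added example (this is not NTHASH's code and decrypts nothing): pull the hex string out of <keyMaterial>, walk the DPAPI blob header and return the masterkey GUID, i.e. the file name to look for under %SystemRoot%\System32\Microsoft\Protect. The header layout and the provider GUID are real DPAPI constants (every blob starts with 01000000D08C9DDF0115D1118C7A00C04FC297EB, which is also a handy string to grep for in registry hives and config files); the profile XML, the masterkey GUID and the blob contents below are constructed.

```python
"""Identify the masterkey GUID of a DPAPI blob stored as hex in a Wlansvc profile."""
import re
import struct
import uuid

# Fixed provider GUID present in every DPAPI blob, right after the 4-byte version.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_AES_256 = 0x6610
CALG_SHA_512 = 0x800E
CRYPTPROTECT_LOCAL_MACHINE = 0x4


def parse_dpapi_blob(blob):
    """Walk the DPAPI blob layout and return its fields (nothing is decrypted here)."""
    pos = 0

    def u32():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated DPAPI blob")
        (v,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return v

    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        pos += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))      # GUIDs are stored in Windows mixed-endian form
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    mk_version = u32()
    mk_guid = uuid.UUID(bytes_le=take(16))       # which masterkey file protects this blob
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    crypt_alg, crypt_alg_len = u32(), u32()
    salt = take(u32())
    strong = take(u32())                         # "strong" key material, usually empty
    hash_alg, hash_alg_len = u32(), u32()
    hmac_key = take(u32())
    ciphertext = take(u32())
    signature = take(u32())
    return {
        "masterkey_guid": mk_guid, "masterkey_version": mk_version, "flags": flags,
        "description": description, "crypt_alg": crypt_alg, "crypt_alg_len": crypt_alg_len,
        "salt": salt, "strong": strong, "hash_alg": hash_alg, "hash_alg_len": hash_alg_len,
        "hmac_key": hmac_key, "ciphertext": ciphertext, "signature": signature,
    }


def key_material_from_profile(xml_text):
    """Hex-encoded DPAPI blob inside a Wlansvc profile's <keyMaterial> element."""
    m = re.search(r"<keyMaterial>\s*([0-9A-Fa-f]+)\s*</keyMaterial>", xml_text)
    if not m:
        raise ValueError("no <keyMaterial> element (open network, or key not protected)")
    return bytes.fromhex(m.group(1))


def masterkey_guid_from_profile(xml_text):
    return parse_dpapi_blob(key_material_from_profile(xml_text))["masterkey_guid"]


def build_sample_blob(mk_guid, ciphertext):
    """Constructed blob for the demo: valid layout, dummy (non-decryptable) contents."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + mk_guid.bytes_le
            + struct.pack("<I", CRYPTPROTECT_LOCAL_MACHINE)
            + lv(b"")                                     # empty description
            + struct.pack("<II", CALG_AES_256, 256) + lv(bytes(32)) + lv(b"")
            + struct.pack("<II", CALG_SHA_512, 512) + lv(bytes(32))
            + lv(ciphertext) + lv(bytes(64)))


SAMPLE_MK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeWiFi</name>
  <MSM><security><sharedKey>
    <keyType>passPhrase</keyType><protected>true</protected>
    <keyMaterial>{blob}</keyMaterial>
  </sharedKey></security></MSM>
</WLANProfile>
""".format(blob=build_sample_blob(SAMPLE_MK_GUID, bytes(16)).hex().upper())

if __name__ == "__main__":
    print("masterkey GUID:", masterkey_guid_from_profile(SAMPLE_PROFILE))
```

On a real profile the printed GUID is the name of the masterkey file under Protect\S-1-5-18 (the machine/system keys), which is the file you then hand to /decodemk.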

Jul 25, 2019
 

Create your own filesystem and mount it as either a logical drive or a folder with Dokan (https://github.com/dokan-dev/dokany).

Below is a simple command line to mount a zip archive on X:
mount.exe /r test.zip /l x /x proxy_7zip.dll

mount.exe is generic code/binary, independent of the filesystem you wish to create.
The filesystem itself is implemented in a proxy DLL.

Source code and binaries are available here.

7zip proxy example is here.

NFS proxy example is here.

Screenshot

Jul 25, 2019
 

I had done a few proxies for ImDisk in the past based on the libyal libraries (vmdk, qcow, vhd, ewf).

This time, as the VDI image format is quite simple, I made my own proxy for VDI images.

ImDisk + DiscUtils could achieve the same, except that DiscUtils requires .NET 4.0, which is not always available.

As always, the command line:

"server" -> devio --dll=proxy.dll;dllopen shm:test_proxy c:\temp\freedos.vdi
"client" -> imdisk -a -t proxy -o shm -o ro -f test_proxy -m x:
Use the start command in front of devio if you want to put it all in one batch file.

Download/Discuss here.

Jul 22, 2019
 

A demo that runs a XOR-encrypted PE inside the memory of another PE (and therefore possibly bypasses anti-virus software).

See https://github.com/erwan2212/XOR-freepascal about XORing / encrypting a file.

The code is currently set to use cmd.exe (x86/x64) as the target host.

host32.exe/host64.exe are also provided in the zip if you wish to modify the code to use a "neutral" host.

Source code and binaries can be found here.

Apr 24, 2019
 

How to rebuild libvmdk (and possibly any VC project) so that it depends on msvcrt.dll and no longer on msvcrtxxx.dll.

Copy/paste from this post for archiving.

- first install VC2008 Express (but it should be OK with VC2010 Express and possibly newer VS platforms)

- install WDK 7.1

- modify your VC2008 IDE settings search paths (include and libraries) by adding the WDK 7.1 paths first in the list

- add the msvcrt "legacy translator" library (msvcrt_win2000.obj) to Linker -> Input -> Additional Dependencies for both DLL projects (zlib and libvmdk)

- add specific preprocessor definitions to the zlib project:

vsnprintf=_vsnprintf;snwprintf=_snwprintf;open=_open;read=_read;close=_close;write=_write

And voila :)

You should end up with the below, i.e. a dependency on msvcrt.dll only.

Feb 22, 2019
 

Still playing with WinDivert (see the original article here), this time we will intercept inbound DNS traffic and modify the IP address in DNS replies containing A records.

The program dynamically looks up hostname-to-IP couples in a config.ini file.

Say that you want labalec.fr to resolve to 192.168.1.144; then you would create the ini file below and launch intercept-dns 53.

[labalec.fr]
ip=192.168.1.144

Additionally, if you set an environment variable like set layer=forward, you can also use this program in a man-in-the-middle attack (which could lead to another article) to divert forwarded traffic.

The source and binary are available on my github.

The code still has some limitations:
- replies for non-existent names (NXDOMAIN, nothing to patch) are not handled
- only replies with one answer are handled
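The rewriting step on its own, as an added example (not the intercept-dns code from my github): it reads the same ini layout, then patches the IPv4 address of every A record in a reply whose owner name is listed, walking the question and all answer/authority/additional records and following name compression, so the second limitation above does not apply to it. The ini text and the reply packet are constructed here; the WinDivert plumbing (recv, inject, WinDivertHelperCalcChecksums to fix the UDP/IP checksums after the payload changes) is left out. The first limitation remains by design: an NXDOMAIN reply carries no A record, and turning it into a positive answer means rebuilding the packet, not patching it in place.

```python
"""Rewrite A records in a DNS reply for names listed in an ini mapping."""
import configparser
import ipaddress
import struct


def load_mapping(ini_text):
    """[hostname] sections with ip=... -> {lowercase hostname: ip}, as in config.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {section.lower(): cp[section]["ip"] for section in cp.sections()}


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset right after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _records(msg):
    """Yield (name, rtype, rclass, rdata offset, rdlen) for every RR after the question."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """[(owner name, IPv4)] for every IN A record in the message."""
    return [(n, str(ipaddress.IPv4Address(msg[o:o + 4])))
            for n, t, c, o, rdlen in _records(msg) if t == 1 and c == 1 and rdlen == 4]


def rewrite_a_records(msg, mapping):
    """Return (patched reply, number of A records changed); queries pass through untouched.

    Only the 4 rdata bytes move, so the packet length does not change."""
    if not struct.unpack_from("!H", msg, 2)[0] & 0x8000:   # QR bit clear: a query
        return msg, 0
    out, changed = bytearray(msg), 0
    for name, rtype, rclass, off, rdlen in _records(msg):
        target = mapping.get(name.lower())
        if target and rtype == 1 and rclass == 1 and rdlen == 4:
            out[off:off + 4] = ipaddress.IPv4Address(target).packed
            changed += 1
    return bytes(out), changed


def build_reply(qname, answers, txid=0x1234):
    """Constructed response: one question, one A record per (name, ip) with compressed owners."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA set
    pkt += encode(qname) + struct.pack("!HH", 1, 1)                      # A, IN
    for name, ip in answers:
        owner = b"\xC0\x0C" if name == qname else encode(name)           # pointer to offset 12
        pkt += owner + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return pkt


SAMPLE_INI = "[labalec.fr]\nip=192.168.1.144\n"   # constructed, mirrors the post's config.ini

if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_INI)
    reply = build_reply("labalec.fr", [("labalec.fr", "203.0.113.10"), ("labalec.fr", "203.0.113.11")])
    patched, changed = rewrite_a_records(reply, mapping)
    print(changed, a_records(patched))
```

One thing to keep in mind when using this for real: if the name resolves through a CNAME, the A records are owned by the CNAME target, so that is the name the ini file has to list.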