Jan 042019

Windows uses multiple mechanisms to resolve local hostnames : local hosts file, DNS, netbios name service, LLMNR.
When a host does not exist in the local hosts file or DNS server, windows then broadcast/multicast the request using UDP protocol.
This means we can (1) capture these requests and (2) spoof a response over UDP.

xDNS Sniffer is demo, written in delphi7, using windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR to abuse local name resolution.
Sending spoofed packets is possible because these protocols are using UDP.
This code is variant/built upon previous demo discussed here.

Code can be found on Github.

Binary can be downloaded here.

Command line is : snif localip name_to_spoof.
snif.exe WPAD (will abuse WPAD requests and send back local ip)
snif.exe * (will abuse all local requests and send back local ip)

Déc 292018

Following a previous article, I found out that windows 10 is filtering out incoming packets if the listening application is not explicitly allowed on the local firewall.

Therefore snif.exe now has a new parameter allowing one to introduce a temp local firewall exception for snif.exe.

The command line help is also more explicit.

snif [localip:x.x.x.x] [proto:udp|tcp|icmp] [port:1-65535] [catpure:0|1] [firewall:0|1]

Download here.

Edit [Feb 01,2019]
Note that « snif » is very similar to RawCap except that :
-rawcap does not take care of the firewall
-is depending on dotnet
-is not open source

Déc 292018

Following previous article, I did some more googling around windows raw sockets feature and found this interesting article.

And in particular this part when weighting the pros and cons of using windows raw sockets :

Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:

· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).

· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.

· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).

· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.

Déc 272018

Working in IT, I use Wireshark almost every day.
This software is just great : free, opensource and will probably take me a lifetime to master it all as there are so many things you can do with it.

However, there are times where you need a driverless and standalone software i.e a software which does not require any installation on your production server.
Indeed, I have seen cases where network may be interrupted for a short while or even worse, cases where the server would BSOD (on old winpcap versions thus).
Furthermore, in some situation you may wish to capture traffic over a VPN interface or over localhost : both actions which wireshark (or rather winpcap) can not perform.

That’s where the windows raw socket feature comes in handy : built in windows feature and can snif over VPN or localhost.
Read more about windows raw sockets here.

Raw sniffer is a command line tool meant to capture IP traffic built around windows raw sockets..
You can pipe out to a text file (and later parse it in excel) or generate a cap file which you can later open with wireshark.
Source code is on github.

It takes simple command line parameters : snif [localip] [proto] [port] [0:1]

Some possible usage :
-snif * * 1 : will capture all traffic on localhost to the console AND dump all traffic to a cap file
-snif tcp 80 1 : will filter on http traffic on localhost to the console AND dump all traffic to to a cap file
-snif * udp * 0 : will filter on udp traffic on selected interface to the console

note : if you dont see your incoming traffic, allow snif.exe on your windows firewall – this could do the trick.

Download here

Déc 152018

In a previous article, I released a GUI for libnfs library.

This time, I’ll release a command line tool allowing one to perform simple tasks against NFS exports.

nfsclient 0.1 by erwan2212@gmail.com
nfsclient 0.1 discover
nfsclient 0.1 read nfs://server/export/filename
nfsclient 0.1 write nfs://server/export/ local_filename
nfsclient 0.1 dir nfs://server/export/

Download here.
Discuss here.

Nov 022018

See previous article to understand why and what.

Previously we have created our master / parent disk.

Lets now create our differencing / child disks using our host (windows 8.1) virtual disk capabilities.

Lets do it in one batch.

rem list disks before
vmount disks
rem create child1 against parent iscsi.vhd
vmount createchild e:\_images\child1.vhd e:\_images\iscsi.vhd
rem create child2 against parent iscsi.vhd
vmount createchild e:\_images\child2.vhd e:\_images\iscsi.vhd
rem attach child1 without assigning any letter to it
vmount attach e:\_images\child1.vhd noletter
rem attach child2 without assigning any letter to it
vmount attach e:\_images\child2.vhd noletter
rem list disks
vmount disks
rem check attributes of disk2
vmount attributes 2
rem check attributes of disk3
vmount attributes 3
rem disk3 is most probably offline because of disk signature collision between disk2 and disk3
rem lets force it online : windows will generate a new signature
rem make sure to use a BCD using LOCATE and not using disk signature or else bootmgr will error
rem more about locate here http://www.mistyprojects.co.uk/documents/BCDEdit/files/device_locate.htm
vmount online 3

Notice how the second virtual disk now has a different signature (since we forced it online…).

 Posted by at 15 h 19 min
Déc 262017

Lately I decided to flash my Linksys wrt1200ac with dd-wrt as Linksys obviously dropped support for this nice hardware (no more firmware updates for a long time).
Not to mention that the vendor firmware is extremely basic (not to say limited…).

Once I had flashed the device with the proper firmware, next step for me was to monitor bandwidth from my domotic/monitoring box (jeedom).

The most obvious track was snmp (dd-wrt feature) – Helas, the snmp daemon does not implement counter64 snmp values so this is useless.
Next step was to use some curl/awk/grep script like curl -u root:password, etc but the web pages heavily rely on javascript so here again, curl was a dead end.

I finally resorted to remotely read values from the device nvram using a script around ssh : not the most elegant way, but the only one I could work out.

The below will retrieve the day/month/year value from my Linksys wrt1200ac based on dd-wrt.
Note, I had to use ssh-keygen & ssh-copy-id to be able to ssh without having to provide a password.
Or alternatively, copy the root id_rsa.pub public key to the wrt authorized keys (tip: use sudo su on rpi to switch to your root account).

read YYYY MM DD <<<$(date +'%Y %m %d')
#echo 'nvram get traff-'$MM'-'$YYYY
sudo ssh root@ -q 'nvram get traff-'$MM'-'$YYYY | awk '{print $'$DD'}' | awk -F ":" '{print $1}'
Oct 312017
modified : dns proxy will read entries from config.ini (section=hostname,ident=ip), no more from hosts file
added : right click open config.ini
added : right click open root_path
fixed : share folder will now add everyone read-only on share permissions
added : share is created with STYPE_TEMPORARY flag, i.e will not survive a reboot
added : TPS will answer to specific ‘discovery’ messages (see discover.zip)
fixed : wsMinimized=1 was preventing form_show and load_config
added : each daemon will report on which ip it is listening (useful to troubleshoot)
added : syslogd will read ip under [syslog] in config.ini if one wants to bind to a specific interface (instead of by default)
fixed : error handling in log_memo to avoid a possible date bug
fixed : httpd could not list files/folder in a non indexed folder
modified : ucimp.pas uses winsock, not wsck
modified : iphlpapi_helper.pas uses winsock, not wsck
modified : usnoop uses winsock, not wsck
modified : iptypes uses winsock, not wsck
modified : removed ipheader unit in main form
modified : TPS does not use wsck unit anymore

Discuss it here.
Download here.

 Posted by at 20 h 12 min