A slight update to previous version.
Syntax now is
dnsping 0.6 by erwan2212@gmail.com
usage: dnsping query nameserver query
usage: dnsping query nameserver query delay_seconds
usage: dnsping cache
usage: dnsping flush
usage: dnsping add nameserver hostname ip
usage: dnsping delete nameserver hostname ip
Additions are : cache & flush, add & delete (against a MS DNS server).
Download here.
Source code is here.
Windows uses multiple mechanisms to resolve local hostnames : local hosts file, DNS, netbios name service, LLMNR.
When a host does not exist in the local hosts file or DNS server, windows then broadcast/multicast the request using UDP protocol.
This means we can (1) capture these requests and (2) spoof a response over UDP.
xDNS Sniffer is demo, written in delphi7, using windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR to abuse local name resolution.
Sending spoofed packets is possible because these protocols are using UDP.
This code is variant/built upon previous demo discussed here.
Code can be found on Github.
Binary can be downloaded here.
Command line is : snif localip name_to_spoof.
Examples:
snif.exe 192.168.1.144 WPAD (will abuse WPAD requests and send back local ip)
snif.exe 192.168.1.144 * (will abuse all local requests and send back local ip)
Following a previous article, I found out that windows 10 is filtering out incoming packets if the listening application is not explicitly allowed on the local firewall.
Therefore snif.exe now has a new parameter allowing one to introduce a temp local firewall exception for snif.exe.
The command line help is also more explicit.
snif [localip:x.x.x.x] [proto:udp|tcp|icmp] [port:1-65535] [catpure:0|1] [firewall:0|1]
Download here.
Edit [Feb 01,2019]
Note that « snif » is very similar to RawCap except that :
-rawcap does not take care of the firewall
-is depending on dotnet
-is not open source
Following previous article, I did some more googling around windows raw sockets feature and found this interesting article.
And in particular this part when weighting the pros and cons of using windows raw sockets :
Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:
· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).
· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.
· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).
· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.
Since windows XP, windows has a built-in host-based firewall.
A decent firewall where one can allow or block traffic based on executable and/or source/destination/protocol.
Thus, you may not always have access to the MMC (wf.msc) and the console GUI is not always straightforward but rather wizard oriented.
Windows Firewall GUI is a « one window does it all » standalone executable running on windows 7 up to latest windows 10 version.
Probably more important, as the GUI is quite simple and possibly redundant with existing windows functionalities, source code is available (on my github) as well so others may build onto it.
One can :
-view all rules at once
-sort and export to HTML
-delete a rule
-add a rule
-enable/disable a rule
-enable/disable the firewall
-turn on/off logging (dropped packets)
-open and monitor the windows firewall log
-get current profile (domain/private/public)
-get default inbound/outbound action for current profile
-restore local windows firewall defaults
Download here.
Working in IT, I use Wireshark almost every day.
This software is just great : free, opensource and will probably take me a lifetime to master it all as there are so many things you can do with it.
However, there are times where you need a driverless and standalone software i.e a software which does not require any installation on your production server.
Indeed, I have seen cases where network may be interrupted for a short while or even worse, cases where the server would BSOD (on old winpcap versions thus).
Furthermore, in some situation you may wish to capture traffic over a VPN interface or over localhost : both actions which wireshark (or rather winpcap) can not perform.
That’s where the windows raw socket feature comes in handy : built in windows feature and can snif over VPN or localhost.
Read more about windows raw sockets here.
Raw sniffer is a command line tool meant to capture IP traffic built around windows raw sockets..
You can pipe out to a text file (and later parse it in excel) or generate a cap file which you can later open with wireshark.
Source code is on github.
It takes simple command line parameters : snif [localip] [proto] [port] [0:1]
Some possible usage :
-snif 127.0.0.1 * * 1 : will capture all traffic on localhost to the console AND dump all traffic to a cap file
-snif 127.0.0.1 tcp 80 1 : will filter on http traffic on localhost to the console AND dump all traffic to to a cap file
-snif * udp * 0 : will filter on udp traffic on selected interface to the console
note : if you dont see your incoming traffic, allow snif.exe on your windows firewall – this could do the trick.
Download here
There are many IP Subnet Calculators out there.
Some of them being online are great like this http://www.subnet-calculator.com/subnet.php?net_class=C.
Still, here comes another one, portable, not requiring any dependencies (like dotnet, java, C runtime, etc).
Download here
In a previous article, I showed how to setup a « proxy » for ImDisk thru devio to mount an EWF file.
This time, lets do it with a VHDI file (using external libyal library).
The command lines for the proxy and ImDisk are below :
To launch the proxy : devio –dll=proxy.dll;dllopen shm:test_proxy c:\test.vhd.
To use the proxy from ImDisk : imdisk -a -t proxy -o shm -o ro -f test_proxy -m Z: .
In a previous article, I released a GUI for libnfs library.
This time, I’ll release a command line tool allowing one to perform simple tasks against NFS exports.
nfsclient 0.1 by erwan2212@gmail.com
nfsclient 0.1 discover
nfsclient 0.1 read nfs://server/export/filename
nfsclient 0.1 write nfs://server/export/ local_filename
nfsclient 0.1 dir nfs://server/export/