Clonedisk update : new formats supported

I have added two extra formats in the latest version: VHD/VHDX and LZ4.

VHD/VHDX support uses the Microsoft Virtual Disk API, and LZ4 support uses the open-source LZ4 library.

While at it, I also added extra WIM compression methods (LZX and LZMS).

LZ4 is quite interesting: in some cases it is faster to compress with LZ4 than to write a RAW image, and this despite the CPU overhead, since far fewer bytes end up being written.

LZ4 files generated by Clonedisk are compatible with LZ4.exe.


netcat, compression and backing up disks over the network

Following on from some notes about netcat here and here.

Some extra commands to back up a disk over the network:

-listen on port 9000 and dump the raw image
nc -v -l -p 9000 > dump.img
(restore with nc -v -l -p 9000 < dump.img)

-same but compressed with lz4 via stdin
nc -v -l -p 9000 | lz4.exe -1 stdin -f dump.lz4
(restore with lz4 -l -c dump.lz4 | nc -v -l -p 9000
and not with nc -v -l -p 9000 -e « lz4.exe -c dump.lz4 »)

-the same but with 7zip
nc -v -l -p 9000 | 7z a dump.7z -si
(restore with 7z e dump.7z -so | nc -v -l -p 9000)

-the same but with bzip2
nc -v -l -p 9000 | bzip2 -z > dump.gz
(restore with bzip2 -cd < dump.gz | nc -v -l -p 9000)

lz4 can be downloaded here.
bzip2 can be downloaded here.
7-zip can be downloaded here.
netcat can be downloaded here.
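None of the pipelines above checks that what arrived is what was sent: netcat has no integrity protection, and a truncated or corrupted stream simply becomes a smaller archive. The following filter, an added example and not part of the original post or of Clonedisk, can sit in the place of the bzip2/7z/lz4 step: it hashes the raw bytes as they pass through and compresses them with a Python stdlib codec (bz2, gzip, xz, or none), so the digest printed on the receiving side can be compared against one computed on the source disk. The script name, file names, and sample data are assumptions made for the demo.

```python
"""Stream stdin into a compressed image while hashing the raw bytes.

Added example (not from the original post or Clonedisk). Intended use, in
place of the "bzip2 -z > dump.gz" step above (file names are assumptions):

    nc -v -l -p 9000 | python stream_backup.py bz2 dump.bz2
"""
import bz2
import gzip
import hashlib
import io
import lzma
import os
import sys
import tempfile

# codec name -> opener that accepts (path, mode) like the builtin open()
CODECS = {"bz2": bz2.open, "gz": gzip.open, "xz": lzma.open, "raw": open}
CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def stream_backup(src, dst_path, codec="bz2"):
    """Copy the binary stream `src` into `dst_path` using `codec`.

    Returns (raw_byte_count, sha256_hex_of_raw_stream). The digest is taken
    on the uncompressed data so it can be compared with a hash of the source
    disk regardless of which compressor was used.
    """
    opener = CODECS[codec]
    digest = hashlib.sha256()
    total = 0
    with opener(dst_path, "wb") as out:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            digest.update(chunk)
            total += len(chunk)
            out.write(chunk)
    return total, digest.hexdigest()


def verify_backup(path, codec, expected_sha256):
    """Decompress `path` and check it against the digest recorded at backup time."""
    digest = hashlib.sha256()
    with CODECS[codec](path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def demo_roundtrip(data, codec="bz2"):
    """Back up constructed in-memory `data` to a temp file and verify it.

    Returns (raw_byte_count, sha256_hex, verified_ok). Used by the self-test
    below; real runs take the image from stdin instead.
    """
    fd, path = tempfile.mkstemp(suffix="." + codec)
    os.close(fd)
    try:
        n, digest = stream_backup(io.BytesIO(data), path, codec)
        ok = verify_backup(path, codec, digest)
        # a wrong digest must be rejected, otherwise verification is useless
        ok = ok and not verify_backup(path, codec, "0" * 64)
        return n, digest, ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[1] not in CODECS:
        sys.exit("usage: stream_backup.py {bz2|gz|xz|raw} OUTFILE")
    codec, path = sys.argv[1], sys.argv[2]
    count, sha = stream_backup(sys.stdin.buffer, path, codec)
    # report on stderr so stdout stays free if this is ever chained further
    print(f"{count} bytes received, sha256 {sha}", file=sys.stderr)
```

On the sending side the same digest can be produced with any sha256 tool over the raw device (or over the decompressed image on restore), so a mismatch shows up before the image is written back to a disk.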

No Wireshark? No TCPDump? No Problem!

An interesting article about how to perform a network capture when no tools are installed locally.

Here.

In short, an example:

1-netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

2-netsh trace stop

3-get your capture in %userprofile%\AppData\Local\Temp\NetTraces\NetTrace.etl
-open it with Microsoft's Message Analyzer app
or
-convert it with

$s = New-PefTraceSession -Path "C:\output\path\spec\OutFile.Cap" -SaveOnStop
$s | Add-PefMessageProvider -Provider "C:\input\path\spec\Input.etl"
$s | Start-PefTraceSession

intercept-dns

Still playing with WinDivert (see the original article here), this time we will intercept DNS traffic and modify the IP address in DNS replies containing A records.

The program dynamically looks up hostname-to-IP pairs in a config.ini file.

Say that you want labalec.fr to resolve to 192.168.1.144; then you would create the ini file below and launch intercept-dns 53.

[labalec.fr]
ip=192.168.1.144

Additionally, if you set an environment variable such as set layer=forward, then you can also use this program in a man-in-the-middle attack (which could lead to another article).

The source and binary are available on my github.

The code still has some limitations:
-replies for names with no A record (non-existent names) are not handled
-only replies with a single answer are handled
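The two limitations come from the answer-section parsing: an A record can sit anywhere in a reply, and owner names are usually compression pointers back to the question. The following is an added example, written for this post and not taken from intercept-dns or its source, that parses every A record in a reply (several answers included), reads the same config.ini format shown above, and, from the defender's side, flags answers whose address differs from a pinned value. The sample reply, the 203.0.113.7 address and the pinned set are constructed for the demo; only labalec.fr / 192.168.1.144 come from the post.

```python
"""Enumerate A records in a DNS reply and compare them to pinned addresses.

Added example (not code from intercept-dns). The reply built by
build_sample_reply() is constructed for the demo: two A answers for
labalec.fr, one of them the 192.168.1.144 value from the post's ini file.
"""
import configparser
import socket
import struct


def load_mapping(ini_text):
    """Parse the post's config.ini format: one [hostname] section with ip=..."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return {name.lower(): cfg[name]["ip"] for name in cfg.sections()}


def _read_name(pkt, off):
    """Read a (possibly compressed) name at `off` per RFC 1035 4.1.4.

    Returns (dotted_name, offset just past the name as it appears at `off`).
    """
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer into the packet
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_a_records(pkt):
    """Return [(owner, ttl, ipv4), ...] for every A record in the answer section."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    off = 12
    for _ in range(qdcount):                 # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(ancount):                 # walk every answer, not just the first
        owner, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A / IN
            records.append((owner, ttl, socket.inet_ntoa(rdata)))
    return records


def unexpected_answers(pkt, pinned):
    """Return A records whose address is not in `pinned[owner]`.

    `pinned` maps a name to the set of addresses it is expected to resolve to
    (assumed to come from a trusted source out of band).
    """
    return [r for r in parse_a_records(pkt)
            if r[0] in pinned and r[2] not in pinned[r[0]]]


def build_sample_reply():
    """Constructed reply: labalec.fr, two A answers, TTL 300."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    qname = b"\x07labalec\x02fr\x00"
    question = qname + struct.pack("!HH", 1, 1)

    def rr(ip, ttl=300):                     # owner = pointer to the question name
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)

    return header + question + rr("192.168.1.144") + rr("203.0.113.7")


if __name__ == "__main__":
    pkt = build_sample_reply()
    print(parse_a_records(pkt))
    mapping = load_mapping("[labalec.fr]\nip=192.168.1.144\n")
    # constructed "real" address; anything else for that name gets reported
    print(unexpected_answers(pkt, {"labalec.fr": {"203.0.113.7"}}))
    print(mapping)
```

Run against captured replies (for instance the ETL-to-cap output of the netsh trace above), a non-empty result from unexpected_answers is the kind of signal that points at this sort of interception.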