iptraf-ng: A Lightweight Yet Powerful Alternative to TCPDump and Wireshark

Iptraf-ng stands out as an excellent alternative to Wireshark and tcpdump, offering a robust set of features for comprehensive network traffic analysis. This versatile tool gathers a wide range of information, including TCP connection details, interface statistics, and TCP/UDP traffic breakdowns.

Its key features make it a compelling choice:

  1. IP Traffic Monitoring:
    • Provides real-time insights into IP traffic across your network.
  2. Detailed Interface Statistics:
    • Displays comprehensive statistics on IP, TCP, UDP, ICMP, non-IP packets, and more.
  3. TCP and UDP Service Monitoring:
    • Monitors incoming and outgoing packets for commonly used TCP and UDP application ports.
  4. LAN Statistics Module:
    • Identifies active hosts on the LAN, offering data activity statistics.
  5. Protocol Display Filters:
    • Enables users to customize displays for specific protocols like TCP, UDP, and others.
  6. Logging Capabilities:
    • Allows for the logging of network activity, facilitating detailed analysis.

As a user-friendly and efficient network monitoring tool, iptraf-ng presents itself as a valuable alternative to Wireshark and tcpdump. Its capabilities make it particularly well-suited for those seeking a reliable solution for network analysis and troubleshooting. The example screenshot of the IP traffic monitor underscores its user-friendly interface and robust functionality, positioning iptraf-ng as a commendable choice in the realm of network monitoring tools.

Install and configure OpenSSH on Windows Server 2019 and 2022 with key-based authentication

OpenSSH is free and open-source software that allows secure communication between computers over an unsecured network. It is widely used on Linux and Unix systems, but it is also available for Windows. In this article, we will show you how to install and configure OpenSSH on a Windows 2022 server.

Step 1: Install OpenSSH

The first step is to install OpenSSH on your Windows server. To do this, follow these steps:

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Step 2: Configure OpenSSH

Once OpenSSH is installed on your server, you need to configure it to allow secure communication. Follow these steps to configure OpenSSH:

  • Open Notepad
  • Open the configuration file C:\ProgramData\ssh\sshd_config
  • Remove the “#” at the beginning of the line #PubkeyAuthentication yes to uncomment it: PubkeyAuthentication yes
  • Locate the line that starts with #PasswordAuthentication yes, remove the “#” at the beginning of the line to uncomment it and change the value to no: PasswordAuthentication no
  • Add a “#” at the beginning of the line AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys (in the Match Group administrators block) to comment it out: #AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  • Save the changes and close the configuration file.
  • Restart the service:
# Restart the sshd service
Restart-Service sshd

Step 3: Configure the Administrator for key-based authentication

After the configuration is complete, you need to configure the public key.

Optional: if you don’t have a public/private key pair yet, create one on your client with this command:

ssh-keygen -t rsa -b 4096
  • Open the Explorer and go to C:\Users\<Username>\
  • Create a folder .ssh
  • Create a text file (without extension!) authorized_keys
  • Open the file in notepad
  • Paste your ssh-rsa public key in this authorized_keys file (this is the content of id_rsa.pub)
  • Save the file
  • Remove the permission inheritance so that only the user and SYSTEM have full control

Step 4: Test OpenSSH

To test if OpenSSH is installed and configured correctly, follow these steps:

  • Open a Command Prompt window.
  • Type “ssh username@<server>” and press Enter.
  • If the connection is successful, you should see a welcome message.

Congratulations! You have successfully installed OpenSSH on your Windows 2022 server and configured it securely with key-based authentication.
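
The sshd_config edits from Step 2 as a script, an added example in Python that is not from this post or from the OpenSSH project. It rewrites the global section of a sshd_config the way Step 2 does and then reads back what sshd would actually use; the sample config is constructed and the helper names are mine.

```python
import re
# Global-section keywords Step 2 sets: lowercase lookup -> (Keyword, value).
WANTED = {"pubkeyauthentication": ("PubkeyAuthentication", "yes"),
          "passwordauthentication": ("PasswordAuthentication", "no")}
# The line under "Match Group administrators" that Step 2 comments out, so
# that C:\Users\<name>\.ssh\authorized_keys is also used for administrators.
ADMIN_KEYS = re.compile(r"^\s*AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/"
                        r"administrators_authorized_keys\s*$", re.IGNORECASE)

def _keyword(line):
    # Lowercased first word of a directive, commented out or not (None if blank).
    m = re.match(r"^\s*#?\s*([A-Za-z]+)\b", line)
    return m.group(1).lower() if m else None

def _missing(seen):
    return ["%s %s" % WANTED[k] for k in WANTED if k not in seen]

def harden_sshd_config(text):
    """Return sshd_config text with the Step 2 edits applied (idempotent)."""
    out, seen, in_match = [], set(), False
    for line in text.splitlines():
        kw, commented = _keyword(line), line.lstrip().startswith("#")
        if kw == "match" and not commented and not in_match:
            # Keywords after a Match line only apply to matched sessions, so
            # anything the file never set globally goes in before it.
            out.extend(_missing(seen))
            in_match = True
        if in_match:
            out.append("#" + line.lstrip() if ADMIN_KEYS.match(line) else line)
        elif kw not in WANTED:
            out.append(line)
        elif kw not in seen:
            seen.add(kw)  # first occurrence is the one sshd honours: rewrite it
            out.append("%s %s" % WANTED[kw])
        else:  # later duplicate of a rewritten keyword: comment it out
            out.append(line if commented else "#" + line.lstrip())
    if not in_match:
        out.extend(_missing(seen))
    return "\n".join(out) + "\n"

def global_settings(text):
    """Effective global keywords as sshd reads them (first wins, Match ends)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return settings

# Constructed sample resembling the Windows default file (not copied from it).
SAMPLE = """\
#PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""
```

Run global_settings on the file before and after the rewrite to confirm that PasswordAuthentication really changed, since sshd honours the first uncommented occurrence of a keyword and ignores later ones.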

Optional: change CMD to PowerShell

If you want to land directly in PowerShell instead of the default Command Prompt, set the default shell with this PowerShell command:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

Happy connecting 🙂

NTP Error: the computer did not resync because no time data was available

When it comes to configuring your Primary Domain Controller (PDC) or a local Network Time Protocol (NTP) server, you’ll find a lot of information online.

But in a nutshell this is what you have to do:

w32tm /config /manualpeerlist:"<IPTIMESERVER>,0x1" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

But if the time server isn’t reliable, you get the error from the title: the computer did not resync because no time data was available.

The fix is really easy. Remove the /reliable:yes option:

w32tm /config /manualpeerlist:"<IPTIMESERVER>,0x1" /syncfromflags:manual /update

And then run w32tm /resync /rediscover again:

Of course you only want to remove /reliable:yes in a lab environment. Otherwise change the NTP server to a reliable one.

TCPDump alternative Windows

Are you in a situation where you need to capture and analyze network traffic, but don’t have Wireshark or TCPDump at your disposal? Don’t worry, there’s still a solution. Enter pktmon.

While it may not be the most sophisticated tool out there, pktmon is a viable option for monitoring traffic in real-time. With its lightweight and efficient design, you can quickly capture and analyze packets without the need for any additional software installations.

So, how exactly does pktmon work? It uses the Windows Filtering Platform (WFP) to capture network traffic at the packet level. This allows you to examine specific details about each packet, such as its source and destination address, protocol, and payload.

But what makes pktmon really stand out is its ability to filter traffic based on specific criteria. For example, you can use it to only capture traffic from a specific IP address, port, or protocol. This makes it a powerful tool for troubleshooting network issues or identifying potential security threats.

While pktmon may not be the most robust traffic monitoring tool out there, it’s certainly a valuable option to have in your arsenal, and it’s already installed 🙂 So the next time you find yourself in need of capturing and analyzing network traffic, give pktmon a try – you might just be surprised by what it can do.

# Start the traffic capture (by default pktmon logs only the first 128 bytes of each packet; add --pkt-size 0 to keep whole packets)
pktmon start -c
# Stop the traffic capture
pktmon stop
# Convert the file so you can view it in Notepad
pktmon etl2txt <etl file>

More info: https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon-syntax

Happy sniffing 🙂

Use TOR proxy with any linux command

There is an easy way to route any command under Linux through The Onion Router (Tor):

First install TOR and proxychains4

$ sudo apt install tor proxychains4

You can configure proxychains.conf but the default config is good 🙂

$ sudo nano /etc/proxychains.conf

Then start the tor service

$ sudo systemctl start tor

And check your ip:

$ proxychains4 curl ifconfig.me

You can use any command you want. So if you want your firefox browser over tor:

$ proxychains4 firefox

To refresh your TOR IP simply restart the TOR service

Happy proxying 🙂

Git SFTP

I was working on an elementary website of a friend of mine. I pushed the website to GitHub so it was way easier to maintain the site.

But I thought it must be easier than transferring all the changes every time with an FTP program. So I found git-ftp and of course FTPS didn’t work out of the box 😉

Windows

What you have to do to enable git-ftp (on Windows)

First start an SSH session from PowerShell:

ssh username@SOMEHOSTNAME

This adds the server’s host key to your known_hosts file. Otherwise you will get this error later:

fatal:  Can't access remote 'sftp://SOMEUSER:***@SOMEHOSTNAME'. Network down? Wrong URL? exiting...

You can see this with the -vv parameter

git ftp init -vv

Now it’s time to install git-ftp

  • First go to c:\program files\git
  • Then run git-bash as administrator

And install git-ftp (bin is an alias for program files)

$ curl https://raw.githubusercontent.com/git-ftp/git-ftp/master/git-ftp > /bin/git-ftp
$ chmod 755 /bin/git-ftp

Now go to your project and enter these commands (git-ftp stores them in .git/config; leave out the password line and git-ftp prompts for the password instead):

git config git-ftp.user SOMEUSERNAME
git config git-ftp.url sftp://SOMEHOSTNAME/public/sites/SOMEWEBSITE/
git config git-ftp.password SOMEPASSWORD
git ftp init

And the next time you make a change you only have to do

git ftp push

Linux (Debian)

For linux the steps are much easier.

First start an SSH session from bash:

ssh username@SOMEHOSTNAME

This adds the server’s host key to your known_hosts file. Otherwise you will get an error later.

Now install git-ftp:

$ sudo apt install git-ftp

Now go to your project and enter these commands:

git config git-ftp.user SOMEUSERNAME
git config git-ftp.url sftp://SOMEHOSTNAME/public/sites/SOMEWEBSITE/
git config git-ftp.password SOMEPASSWORD
git ftp init

And the next time you make a change you only have to do

git ftp push

When you get errors like these:

zo 19 dec 2021 23:11:50 CET: Retrieving last commit from sftp://******:***@s*******/public/sites/*********/.
*   Trying *********:22...
* Connected to ******* (********) port 22 (#0)
* Found host ******** in /home/******/.ssh/known_hosts
* Set "ecdsa-sha2-nistp256" as SSH hostkey type
* Closing connection 0
curl: (79) Error in the SSH layer

zo 19 dec 2021 23:11:50 CET: fatal: Could not get last commit. Use 'git ftp init' for the initial push. Can't access remote 'sftp://******:***@********'. Network down? Wrong URL? exiting..

Then try the --insecure parameter, which makes the underlying curl skip host key verification for the SFTP connection:

git ftp push -vv --insecure

Happy uploading 🙂

DHCP Test Tool

I had to check my DHCP configuration for a Dell Wyse Thin Client. But when you configure specific options like 161 and 162, you don’t see those options in a Wireshark capture of a Windows DHCP request.

Luckily for us, CyberShadow created a great tool to test specific DHCP settings and he even made it open source: https://github.com/CyberShadow/dhcptest

This DHCP tool has two great features:

  1. You can request a specific DHCP option
  2. You can send a vendor class, so in my case I can pretend to be a Wyse Thin Client.

DHCP Request Option

This only works when you have configured the option in the global DHCP settings.

dhcptest.exe --query --request 161

DHCP Vendor Class

First I had to figure what the vendor class was. I checked this on the DHCP server:

Or on a Thin client itself:

Then run this command:

dhcptest.exe --query --option "60=wyse-1000"

And you will get the Vendor Specific Information in hex.

You can do different things to translate the hex into readable data:

  1. Compile the source yourself and have it output the option as a string
  2. Use an (online) hex converter
  3. Open Wireshark during the capture. Wireshark will translate this for you 🙂

Compile the tool

  • Clone the git repo:
git clone https://github.com/CyberShadow/dhcptest.git
  • Edit dhcptest.d and add these two lines to the option table:
161 : DHCPOptionSpec("File Server", OptionFormat.str),
162 : DHCPOptionSpec("Root Path to the File Server", OptionFormat.str),
  • Compile it:
dmd dhcptest.d

This creates an exe for you that translates the hex into a readable format.
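
Decoding the hex that dhcptest returns, as an added Python example that is not part of dhcptest or of this post. It walks the option TLVs, renders 60, 161 and 162 as text (which is what the two DHCPOptionSpec lines above make dhcptest do) and splits option 43 into its sub-options; the reply bytes are constructed, not captured from a Wyse client, and the function names are mine.

```python
from typing import Dict, List, Tuple
# Codes the post works with; 161/162 carry the names it adds to dhcptest.d.
NAMES = {43: "Vendor Specific Information", 53: "DHCP message type",
         60: "Vendor class identifier", 161: "File Server",
         162: "Root Path to the File Server"}
TEXT_OPTIONS = {60, 161, 162}  # shown as text, like OptionFormat.str

def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an options area into (code, value): RFC 2132 code/len/value, 0 = pad, 255 = end."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present"
                             % (code, length, len(value)))
        out.append((code, value))
        i += 2 + length
    return out

def decode_options(hex_options: str) -> Dict[int, object]:
    """Turn the hex dump of the options area into readable values by code."""
    result: Dict[int, object] = {}
    for code, value in parse_tlv(bytes.fromhex(hex_options)):
        if code in TEXT_OPTIONS:
            result[code] = value.decode("ascii", errors="replace")
        elif code == 43:
            # Vendor-specific info is normally nested TLVs (RFC 2132 s. 8.4);
            # a vendor that sends raw bytes instead falls back to hex.
            try:
                result[code] = {c: v.decode("ascii", errors="replace")
                                for c, v in parse_tlv(value)}
            except ValueError:
                result[code] = value.hex()
        else:
            result[code] = value.hex()
    return result

def describe(hex_options: str) -> List[str]:
    """One readable line per option, like a patched dhcptest prints them."""
    return ["%d %s: %s" % (code, NAMES.get(code, "option"), val)
            for code, val in decode_options(hex_options).items()]

def _opt(code: int, payload: bytes) -> bytes:
    return bytes([code, len(payload)]) + payload

# Constructed sample reply (not a real capture): a DHCPACK carrying the post's
# "wyse-1000" vendor class, two made-up option-43 sub-options and 161/162.
SAMPLE_HEX = (_opt(53, b"\x05") + _opt(60, b"wyse-1000")
              + _opt(43, _opt(1, b"ftp") + _opt(2, b"fs01"))
              + _opt(161, b"192.0.2.10") + _opt(162, b"/wyse/wnos") + b"\xff").hex()
```

Paste the hex from dhcptest into decode_options or describe; a length byte that runs past the end of the data raises ValueError rather than silently producing a short string.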

Happy sniffing!

Windows network package capture without installing anything (on the server)

I like Wireshark. But I don’t like to install software on a server for troubleshooting purposes. Especially when you need software like a pcap capture driver to sniff some network data.

But what you can do is capture data with netsh, copy the data to your workstation, convert it so you can read it with Wireshark, and do your thing.

Capture the data

Run this command to capture the data (elevated command prompt)

netsh trace start capture=yes ipv4.address=x.x.x.x

And stop the capture when you are done

netsh trace stop

Copy the files to your computer (by default netsh writes the trace to %LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl)

Convert the capture

Download the etl2pcapng converter from the MS Github repo: https://github.com/microsoft/etl2pcapng

Convert the data

etl2pcapng.exe NetTrace.etl out.pcapng

You can open the out.pcapng file in Wireshark and do your thing.

Happy Troubleshooting!

Slow initial RDP connection

For me, this was a pain in the ass for a long time. When I connect to a Windows server through RDP/RDS it sometimes takes more than 2 minutes to connect to a server. Today after some waiting, and waiting and some more waiting I did a deep dive with Wireshark to figure out why it was so slow.

My setup

  • Azure domain joined Windows 10 device (Laptop)
  • Connection over a Cisco Anyconnect VPN
  • Remote Desktop Manager (Devolutions)
  • Native RDP client
  • MremoteNG

Remote VS local

I know for sure the issue is in my setup, because when I first connect to a jump host (RDP) and then connect to other domain-joined servers, everything connects almost immediately after I put in my user credentials.

What to do (TL;DR)

There are four things you have to modify to speed up the initial remote desktop connection speed:

  1. Disable SSL / TLS1.0
  2. Disable Netbios on the VPN network adapter
  3. Disable automatic proxy settings in Windows
  4. Change the credential to domain.local\admin or admin@domain.local instead of domain\admin

Disable SSL / TLS1.0

No, you don’t have to negotiate what protocol you have to use to connect a server. Use TLS1.2 or I don’t want to connect with you 😉 So:

How to

  • Start > Run > Regedit
  • Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
  • If the TLS 1.0 and Client keys don’t exist, create them
  • Create a 32-bit DWORD value with the name Enabled
  • Value data: 0 (Hex)
  • Restart the client
Enabled = 0

Disable Netbios on the VPN adapter

What I was seeing in my Wireshark capture is that RDP was trying to broadcast to get information over NETBIOS. You have a DNS server so you don’t need a legacy broadcast protocol! Unfortunately, I don’t have any screenshot of the capture but you can always check yourself 😉

How to

Change the VPN Adapter and reboot the computer:

Disable Netbios

Disable the proxy

After connecting to a server with RDP and entering the credentials, Windows constantly tries to reach WPAD.domain.local to autoconfigure its proxy. WPAD stands for Web Proxy Auto-Discovery and I think you never want to autoconfigure a MITM ehh proxy device. You always want to have full control of your device. So, disable this to speed up the connection and make your device more secure.

Wireshark Capture WPAD A record

How to

  • Go to settings
  • Search for proxy
  • Switch the Automatically detect settings to Off
  • Restart Windows
Turn WPAD off

Change the login name

I found out that this is the most annoying and time consuming one. I always use DOMAIN\User when I connect to a server. But this is what happens:

Domain.Domain.TLD

Kerberos does a DNS query for _kerberos._tcp.dc._msdcs.domain.domain.tld and of course it will never find that double-domain A record. But if you change the logon name to domain.tld\admin or admin@domain.tld, Kerberos finds the A record and connects immediately 🙂

Top speed!

Kerberos

And even now it’s possible to tune the Kerberos authentication further and fix the last KRB5KDC_ERR_PREAUTH_REQUIRED error you can see in the screenshot. Maybe next time but for now I’m happy with the initial connection speed 🙂

Happy hack ehh… connecting!

OWASP ZAP Proxy with Android on Genymotion

It can be fun to reverse engineer some android applications. I think it’s better to do this on your workstation instead of your phone because it’s way more flexible and you don’t ruin your phone when you break things 😉

In my case, I use Debian 11. But of course, you can do this with any OS.

Requirements

  • An app you want to debug
  • OWASP ZAP Proxy
  • Genymotion
  • NPM
  • APK Export (Android App)

OWASP ZAP Proxy

I use the snap package for ZAP because it’s easy to install and you always have the latest version.

$ sudo snap install zaproxy --classic

Start ZAP and export the dynamic certificate (Tools > Options > Dynamic SSL Certificates):

Dynamic SSL Certificate
  • Click on the Save button and place the file somewhere on your disk.

You can check if the OWASP ZAP is running with:

$ netstat -tulpen | grep 8080
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      1000       89190      14016/java    

Genymotion

Now that the proxy is in place, it’s time to install Genymotion for the Android emulation. First install VirtualBox.

Install the VirtualBox APT keys

$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

Edit the /etc/apt/sources.list file and add this line:

deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian bullseye contrib

Update the repo and install VirtualBox

$ sudo apt-get update
$ sudo apt-get install virtualbox-6.1
  • Now go to the Genymotion website and download the latest .bin file
Download Genymotion
  • Make the file executable and run the installer
$ chmod +x genymotion-3.2.1-linux_x64.bin
$ ./genymotion-3.2.1-linux_x64.bin
  • Follow the wizard, create a Genymotion account and create a new virtual device. In my example I used a Google Pixel 3 with Android 10.
Overview virtual devices

Now it’s time to configure the proxy within the android device!

Configure proxy in Android

Start the created virtual Genymotion Android device and copy the certificate file we created earlier with a simple drag and drop.

Drag & drop the certificate file
Successful copy
  • Now we can configure the proxy in the Wi-Fi settings.
  • Go to Settings > search for certificate and install the certificate.
Settings > find > certificates
Import the certificate

Edit the wifi connection, add the proxy and restart the wifi.

  • Edit the Wi-Fi
  • Go to the advanced options
  • Set the proxy to Manual
  • The IP is always 10.0.3.2; this is the address of the Genymotion host (your workstation, where ZAP listens) as seen from the virtual device
  • Port 8080
Genymotion Proxy Settings

When you (re)connect to the Wi-Fi you have to accept the proxy error (but this is a good thing).

Sign in to the Wi-Fi
Accept the warning

Now you will see all the traffic, but only the traffic of the apps that respect the Android HTTP proxy settings. So this is what you can do when an app doesn’t respect this setting:

Rebuild the APK with APK-MITM

Now everything is in place. So the last thing we need to do is rebuild the APK file so we can proxy all of its network traffic. So:

  • First export the APK file through the APK Export app
  • Place the APK somewhere on your disk
  • Install Node.js and npm (at least Node version 14)
$ curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -
$ sudo apt-get install nodejs npm
  • Install java
$ sudo apt install openjdk-17-jre openjdk-17-jdk 
  • And rebuild the APK
$ npx apk-mitm SomeAppName.apk 
Some nice MITM patching

And here we go!

Everything is in place now. So the only thing you have to do is drag & drop the *-patched.apk file into Genymotion, install it and you are fully in control 🙂

ZAP Proxy with MITM Apk

Happy hacking!