StreamDivert is a tool to man-in-the-middle or relay in and outgoing network connections on a system. It has the ability to, for example, relay all incoming SMB connections to port 445 to another server, or only relay specific incoming SMB connections from a specific set of source IP’s to another server. Summed up, StreamDivert is able to:
Pre-compiled binaries for StreamDivert can be downloaded here.
How do you use StreamDivert? Run the the tool with administrative privileges:
streamdivert.exe config_file [-f] [-v]
The config file contains entries for streams you want to have diverted. En example config file:
//Divert all inbound TCP connections to port 445 (SMB) coming from 10.0.1.50 to 10.0.1.49 port 445
tcp < 445 10.0.1.50 -> 10.0.1.49 445
//Divert all inbound TCP connections to port 445 (SMB) coming from 10.0.1.51 to a local SOCKS server
tcp < 445 10.0.1.51 -> socks
//Divert all inbound TCP connections to port 445 (SMB) coming from fe80::f477:846a:775d:d37 to fe80::20c:29ff:fe6f:88ff port 445
tcp < 445 fe80::f477:846a:775d:d37 -> fe80::20c:29ff:fe6f:88ff 445
//Divert all inbound TCP connections to port 445 (SMB) to 10.0.1.48 port 445
tcp < 445 0.0.0.0 -> 10.0.1.48 445
//Divert all inbound UDP connections to to port 53 (DNS) to 10.0.1.49 port 53
udp < 53 0.0.0.0 -> 10.0.1.49 53
//Divert all inbound ICMP packets coming from 10.0.1.50 to 10.0.1.49
icmp < 10.0.1.50 -> 10.0.1.49
//Divert all outbound TCP connections to 10.0.1.50, port 80 to 10.0.1.49 port 8080
tcp > 10.0.1.50 80 -> 10.0.1.49 8080
//Send all packets going to 10.0.1.50 port 80 and prefer interface 9 to send them. If the interface does not exist or is not up, the packets are send from the default interface.
tcp > 10.0.1.50 80 -> 10.0.1.50 80 interface 9
//Force all packets going to 10.0.1.50 port 80 over interface 9, or drop the packets if the interface does not exist or is not up.
tcp > 10.0.1.50 80 -> 10.0.1.50 80 force interface 9
//Divert all outbound UDP connection to port 53 (DNS) to 10.0.1.49 port 53
udp > 0.0.0.0 53 -> 10.0.1.49 53
The [-f] flag, when present, will modify the Windows Firewall to add an exception for the application to properly redirect incoming traffic to another port. The [-v] flag control the logging verbosity. When provided, StreamDivert will log details about redirected packets and streams.
Help! My packets/ connections are not correctly diverted!
One thing to keep in mind when configuring diverted connections is that you don’t have conflicting diverted streams. Given the following example config file:
icmp < 0.0.0.0 -> 10.0.1.50
icmp > 10.0.1.49 -> 10.0.1.48
Those two diverted streams will conflict with eachother, as packets for the first diverted stream will also be picked up by the second packet ‘diverter’. Generally you will only run into these issues with UDP and ICMP and using wildcards.
Also note that diverting an IPv4 to an IPv6 address and vice versa is not supported for UDP and ICMP traffic.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…