Room362

Blatherings of a security addict

Linkedin NXDOMAINs - Purchased Pwnage

I recently asked a friend if I could have just a list of the domains in the LinkedIn dump, no passwords, not full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There was a total of 9,436,804 unique domain names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.

SMB/HTTP Auth Capture via SCF File

Recently saw a link to an SCF file. Didn’t know what those were so I went digging. Turns out they are a simple text based file that controls Windows Explorer. ;-) Here are the examples I found via the references:

Open Explorer:

    [Shell]
    Command = 2
    IconFile = explorer.exe, 1
    [Taskbar]
    Command = Explorer

Open “Channels” page in IE:

    [Shell]
    Command=3
    IconFile=shdocvw.dll,-118
    [IE]
    Command=Channels

This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.

WPAD Persistence

Mostly just writing this so I can keep notes. Today I came up with the idea to forcibly put the WPAD entry into a Windows Domain’s DNS. For those who don’t know what this would do there is an entire Wikipedia article on the subject: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

I did this via PowerShell pretty easily on one of the domain controllers like so:

    PS C:\> Add-DnsServerResourceRecordA -Name wpad -ZoneName sittingduck.info -IPv4Address 107.170.50.74

Where 107.170.50.74 is the Digital Ocean box I stood up external to my test domain.

Kerberoasting - Part 3

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I will be sure to reference it.

Attacker KB Link: (to be updated later)
Common Findings DB Link: (to be updated later)

Now we start cracking the tickets we have and hopefully one will break.

Kerberoasting - Part 2

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I will be sure to reference it.

Attacker KB Link: (to be updated later)
Common Findings DB Link: (to be updated later)

Now that we’ve listed all the tickets in a ton of different ways, we need to request the ones we want and get them to a point that we can start cracking them.

Kerberoasting - Part 1

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I will be sure to reference it.

Attacker KB Link: (to be updated later)
Common Findings DB Link: (to be updated later)

What are SPNs?

Service Principal Names (SPNs) are: a unique identifier of a service instance.

BlackHat USA 2016

Once again, @egyp7 and I will be teaching both our Metasploit Basics course as well as the Mastery Course.

Metasploit Minute

Metasploit Minute Season 6 is on the air! I know we have been away for a long while. The first episode is posted at https://www.patreon.com/posts/5083466. Each Monday a link will be posted on the Patreon site, or if you find RSS feeds easier, you can find it over at http://metasploitminute.com

Another Blogging Platform

Yes yes yes, I know, another platform, but guess what, it’s my blog, so ne-ner-ne-ner-ne-ner. Hugo removed what I didn’t like about Octopress (the generating / pushing of content using a mix of branches and such). The reason I moved from Blogger was I just can’t stand having to log in and be online to make posts. I love things like MarsEdit for doing offline posts to services like Blogger, but I never could get the formatting right when I was done, especially for code, so I’m back to a markdown based system.

2016 Shmoocon Hiring List

Created the 2016 UNOFFICIAL ShmooCon Hiring List. To get on the list is even easier now! Just complete the following form: http://goo.gl/forms/pbYI0TZ9dG (One small tip: first come, first served, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone. I don’t change the list order for anyone.)

Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/15xqphPVEnH7o2urovHWjJiS1VCjdAqcPNB_HS0yRexU/