Room362

Blatherings of a security addict

2016 DerbyCon Hiring List

Created the 2016 UNOFFICIAL DerbyCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/LW5b1xo4O9D8eVZU2 (One small tip, first come first serve, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone, I don’t change the list order for anyone.) Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/1qlJYhdxljG4f1vHhj5-Vyj5wiRb3YBjQJU4Cqh2cT6k/edit?usp=sharing

BlackHat/Def Con/BSides Talk Picks for 2016

Each year I make up a list the week before Blackhat and Def Con of talks that I “can’t miss” and some that I want to see (and use it for video watching afterwards for those I missed). This year I thought I would share that list here. I will be breaking them down by each day of the events by time slot. Any talk I have a 🌟 by, is a “Must see” for me.

Linkedin NXDOMAINs - Purchased Pwnage

I recently asked a friend if I could have just a list of the domains in the LinkedIn dump, no passwords, not full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There was a total of 9,436,804 unique domains names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.

SMB/HTTP Auth Capture via SCF File

Recently saw a link to an SCF file. Didn’t know what those were so I went digging. Turns out they are a simple text based file that controls Windows Explorer. ;-) Here are the examples I found via the references: Open Explorer [Shell] Command = 2 IconFile = explorer.exe, 1 [Taskbar] Command = Explorer Open “Channels” page in IE: [Shell] Command=3 IconFile=shdocvw.dll,-118 [IE] Command=Channels This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.

WPAD Persistence

Mostly just writing this so I can keep notes. Today I came up with the idea to forcibly put the WPAD entry into a Windows Domain’s DNS. For those who don’t know what this would do there is an entire Wikipedia article on the subject: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol I did this via PowerShell pretty easily on one of the domain controllers like so: PS C:\> Add-DnsServerResourceRecordA -Name wpad -ZoneName sittingduck.info -IPv4Address 107.170.50.74 Where 107.170.50.74 is the Digital Ocean box I stood up external to my test domain.

Kerberoasting - Part 3

Previous works: There has been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) Now we start cracking the tickets we have and hopefully one will break.

Kerberoasting - Part 2

Previous works: There has been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) Now that we’ve listed all the tickets in a ton of different ways, we need to request the ones we want and get them to a point that we can start cracking them.

Kerberoasting - Part 1

Previous works: There has been a number of differnet blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) What are SPNs [Service Principal Names](https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx) (SPNs) are: a unique identifier of a service instance.

BlackHat USA 2016

Once again, @egyp7 and I will be teaching both our Metasploit Basics course as well as the Mastery Course.

Metasploit Minute

Metasploit Minute Season 6 is on the air! I know we have been away for a long while. The first episode is posted https://www.patreon.com/posts/5083466 each Monday a link will be posted on the Patreon site, or if you find RSS feeds easier, you can find it over at http://metasploitminute.com