Room362

Blatherings of a security addict

BlackHat/Def Con/BSides Talk Picks for 2016

Each year, the week before BlackHat and Def Con, I make up a list of talks that I “can’t miss” and some that I want to see (and use it afterwards for watching the videos of those I missed). This year I thought I would share that list here. I will be breaking them down by each day of the events, by time slot. Any talk I have a 🌟 by is a “Must see” for me.

Linkedin NXDOMAINs - Purchased Pwnage

I recently asked a friend if I could have just a list of the domains in the LinkedIn dump: no passwords, no full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There were a total of 9,436,804 unique domain names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.

SMB/HTTP Auth Capture via SCF File

Recently saw a link to an SCF file. Didn’t know what those were so I went digging. Turns out they are a simple text based file that controls Windows Explorer. ;-) Here are the examples I found via the references:

Open Explorer:

```
[Shell]
Command = 2
IconFile = explorer.exe, 1
[Taskbar]
Command = Explorer
```

Open “Channels” page in IE:

```
[Shell]
Command=3
IconFile=shdocvw.dll,-118
[IE]
Command=Channels
```

This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.

WPAD Persistence

Mostly just writing this so I can keep notes. Today I came up with the idea to forcibly put the WPAD entry into a Windows Domain’s DNS. For those who don’t know what this would do, there is an entire Wikipedia article on the subject: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

I did this via PowerShell pretty easily on one of the domain controllers like so:

```
PS C:\> Add-DnsServerResourceRecordA -Name wpad -ZoneName sittingduck.info -IPv4Address 107.170.50.74
```

Where 107.170.50.74 is the Digital Ocean box I stood up external to my test domain.

Kerberoasting - Part 3

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post. I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing, please submit a comment below and I’ll be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) Now we start cracking the tickets we have and hopefully one will break.

Kerberoasting - Part 2

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post. I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing, please submit a comment below and I’ll be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) Now that we’ve listed all the tickets in a ton of different ways, we need to request the ones we want and get them to a point where we can start cracking them.

Kerberoasting - Part 1

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post. I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing, please submit a comment below and I’ll be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later)

What are SPNs?

[Service Principal Names](https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx) (SPNs) are: a unique identifier of a service instance.

BlackHat USA 2016

Once again, @egyp7 and I will be teaching both our Metasploit Basics course as well as the Mastery Course.

Metasploit Minute

Metasploit Minute Season 6 is on the air! I know we have been away for a long while. The first episode is posted at https://www.patreon.com/posts/5083466. Each Monday a link will be posted on the Patreon site, or if you find RSS feeds easier, you can find it over at http://metasploitminute.com

Another Blogging Platform

Yes yes yes, I know, another platform, but guess what, it’s my blog, so ne-ner-ne-ner-ne-ner. Hugo removed what I didn’t like about Octopress (the generating / pushing of content using a mix of branches and such). The reason I moved from Blogger was I just can’t stand having to log in and be online to make posts. I love things like MarsEdit for doing offline posts to services like Blogger, but I never could get the formatting right when I was done, especially for code, so I’m back to a markdown based system.