Published: 29 Dec 2016 - 07:35 EST
NOTE: I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH
For anyone who knows me, they know that I’ve been obsessed with DNS for a long time. However, in this post I will show results of something I can’t quite explain. It all started with the following hypothesis:
Windows systems make DNS/NetBIOS/LLMNR requests to find the domain controllers they logged into even when they are no longer attached to the domain.
This has already been proven with attacks like MS15-011 and other attacks that aim to bypass BitLocker Full-Disk Encryption. So I added a twist, I thought that maybe, just maybe, that Windows will automatically add a
.com on to the end of these requests when attempting to find them. If I buy these domains then there is a chance I can gain code execution using Group Policy or supplying logon scripts (BAT files).
Why do I think this? Because of past Def Con talks like:
- DEFCON 19: Bit-squatting: DNS Hijacking Without Exploitation
- DEFCON 21 - DNS May Be Hazardous to Your Health - Robert Stucke
But… how on earth would you ever know what a internal domain controller is called? I started by searching for pastebin posts with
%LOGONSERVER%. This netted a few results, but when I searched for the same thing on gist.github.com I found something pretty surprising:
Yes, I found a gist by what seems to be a Microsoft employee:
- has been deleted - w00tw00t!!
(To Microsoft, I’m fully willing to transfer the domain or null route it until it expires, whichever you prefer)
WE INTERRUPT THIS BLOG POST TO TALK ABOUT THE SERIOUS OSINT TREASURE THESE TYPES FILES AND ENVIRONMENTAL VARIABLES ARE
We will break down a few of the pieces that provide OSINT value:
COMPUTERNAME = ANDARNO-X1 USERDNSDOMAIN = REDMOND.CORP.MICROSOFT.COM USERDOMAIN = REDMOND USERDOMAIN_ROAMINGPROFILE = REDMOND USERNAME = andarno
Full domain name, user and computer name help to identify what the naming schemes are internally.
ChocolateyInstall = C:\ProgramData\chocolatey
Chocolatey is in use and possible allowed in the domain. This tool has a few persistence options, and local privilege escalation paths.
SSH_AGENT_PID = 9316 SSH_AUTH_SOCK = /tmp/ssh-rbPyaDrkXVLz/agent.10020
Honestly I’ve never seen these options on a Windows box so I’m going to assume they are the result of Cygwin being installed and running with valid keys being in use. Again, another tool that provides possibilities for persistence beyond the standard Run keys.
Path = C:\Users\andarno\git\VSIXSuppression\packages\Nerdbank.GitVersioning.1.1.2-rc\build\NativeBinaries/amd64 C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\CommonExtensions\Microsoft\TestWindow C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.5 C:\Program Files (x86)\MSBuild\14.0\bin C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\ C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319 C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\VCPackages C:\Program Files (x86)\HTML Help Workshop C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\Performance Tools C:\Program Files (x86)\Windows Kits\10\bin\x86 C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6 Tools\ C:\Users\andarno\tools\ConEmuPack C:\Users\andarno\tools\ConEmuPack\ConEmu C:\WINDOWS\system32 C:\WINDOWS C:\WINDOWS\System32\Wbem C:\WINDOWS\System32\WindowsPowerShell\v1.0\ C:\Program Files (x86)\Git\cmd C:\WINDOWS\system32\config\systemprofile\.dnx\bin C:\Program Files\Microsoft DNX\Dnvm\ C:\Program Files\Microsoft SQL Server\120\Tools\Binn\ C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\ C:\Program Files (x86)\nodejs\ C:\Users\andarno\.dnx\runtimes\dnx-clr-win-x18.104.22.168-beta7-12328\bin C:\Users\andarno\.dnx\bin c:\users\andarno\tools C:\Users\andarno\AppData\Local\Code\bin C:\ProgramData\chocolatey\bin C:\Users\andarno\AppData\Roaming\npm
Anyone who has ever done DLL hijacking / preloading will see a lot of opportunities in a PATH variable this gigantic.
There is a lot more fun to be had in similar output pasted across the Internet but lets get back to our regularly scheduled blog post. Here is the juice:
LOGONSERVER = \\CO1-RED-DC-11
This probably means that 01, 02, and so on exist as well, but I decided just to go with a simple PoC and use the DC that I knew existed. After registering
c01-red-dc-11.com, almost immediately I started to get DNS requests:
ns1.co1-red-dc-11.com wap.co1-red-dc-11.com www.co1-red-dc-11.com mail.co1-red-dc-11.com m.co1-red-dc-11.com co1-red-dc-11.com
www were mostly just Internet scanners, but I did see a bunch of interesting requests
- 101 total queries in the first 24 hours
- 27 unique servers querying
- Query types: A/AAAA/ANY/CNAME/MX/NS/SOA/TXT
- 1 total query in the first 24 hours
- 1 unique servers querying
- Query types: A
- 1841 total queries in the first 24 hours
- 777 unique servers querying
- Query types: A/A6/AAAA/ANY/CNAME/DNSKEY/HINFO/MX/NAPTR/NS/PTR/SOA/SPF/SRV/TXT
I have no idea if any of these DNS requests were by real Microsoft domain joined systems but looking at the contents of the requests I assume that a few were.
I did this with a few other
%LOGONSERVER%s and had similar DNS requests. I didn’t see many packets coming in over SMB/445 because most places where a user would be away from their domain block 445 outbound. I tested out obtaining code execution in my LAB domain
SITTINGDUCK.INFO and actually had to set up a VPN to a VPS just so that my lab victim could make 445 requests to the Internet.
In my lab I was able to get authentication requests and code execution by using Impacket’s karmaSMB.py to send my victim a false
Logon.bat very similar to the setup for MS15-011. Let me reiterate something:
I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH
Is this conclusive proof? Certainly not, but it’s a start and I’m interested in what ya’ll find.
Why might this work more than it has in the past? Because the only scenario where this is effective is when a Windows domain-joined machine has logged in to their real domain, and without logging out or shutting down (hibernate, or sleep are fine), is then connected to a network that allows 445 outbound. This is definitely becoming more commonplace as Windows becomes more friendly to actually successfully coming back from sleeping or hibernating (yes I’m bitter ;), it was actually my primary reason for buying a Mac).
How can you find the LOGONSERVER of your client? Well, it’s pretty easy to call someone up, pretend to be IT, and simply ask them what Domain Controller they are connected to ;-). Or.. if you are lucky you can find it pasted somewhere online.
One More Thing…
I also tried to think in generalities, and yes, I am the proud owner of
DC01.com which gets about 20 requests per second…