NOTE: I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH

For anyone who knows me, they know that I’ve been obsessed with DNS for a long time. However, in this post I will show results of something I can’t quite explain. It all started with the following hypothesis:

Windows systems make DNS/NetBIOS/LLMNR requests to find the domain controllers they logged into even when they are no longer attached to the domain.

This has already been proven with attacks like MS15-011 and other attacks that aim to bypass BitLocker Full-Disk Encryption. So I added a twist, I thought that maybe, just maybe, that Windows will automatically add a .com on to the end of these requests when attempting to find them. If I buy these domains then there is a chance I can gain code execution using Group Policy or supplying logon scripts (BAT files).

Why do I think this? Because of past Def Con talks like:

But… how on earth would you ever know what a internal domain controller is called? I started by searching for pastebin posts with %LOGONSERVER%. This netted a few results, but when I searched for the same thing on gist.github.com I found something pretty surprising:

Microsoft

Yes, I found a gist by what seems to be a Microsoft employee:

(To Microsoft, I’m fully willing to transfer the domain or null route it until it expires, whichever you prefer)

WE INTERRUPT THIS BLOG POST TO TALK ABOUT THE SERIOUS OSINT TREASURE THESE TYPES FILES AND ENVIRONMENTAL VARIABLES ARE

We will break down a few of the pieces that provide OSINT value:

COMPUTERNAME = ANDARNO-X1
USERDNSDOMAIN = REDMOND.CORP.MICROSOFT.COM
USERDOMAIN = REDMOND
USERDOMAIN_ROAMINGPROFILE = REDMOND
USERNAME = andarno

Full domain name, user and computer name help to identify what the naming schemes are internally.

ChocolateyInstall = C:\ProgramData\chocolatey

Chocolatey is in use and possible allowed in the domain. This tool has a few persistence options, and local privilege escalation paths.

SSH_AGENT_PID = 9316
SSH_AUTH_SOCK = /tmp/ssh-rbPyaDrkXVLz/agent.10020

Honestly I’ve never seen these options on a Windows box so I’m going to assume they are the result of Cygwin being installed and running with valid keys being in use. Again, another tool that provides possibilities for persistence beyond the standard Run keys.

Path =
C:\Users\andarno\git\VSIXSuppression\packages\Nerdbank.GitVersioning.1.1.2-rc\build\NativeBinaries/amd64
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\CommonExtensions\Microsoft\TestWindow
C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.5
C:\Program Files (x86)\MSBuild\14.0\bin
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\VCPackages
C:\Program Files (x86)\HTML Help Workshop
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\Performance Tools
C:\Program Files (x86)\Windows Kits\10\bin\x86
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6 Tools\
C:\Users\andarno\tools\ConEmuPack
C:\Users\andarno\tools\ConEmuPack\ConEmu
C:\WINDOWS\system32
C:\WINDOWS
C:\WINDOWS\System32\Wbem
C:\WINDOWS\System32\WindowsPowerShell\v1.0\
C:\Program Files (x86)\Git\cmd
C:\WINDOWS\system32\config\systemprofile\.dnx\bin
C:\Program Files\Microsoft DNX\Dnvm\
C:\Program Files\Microsoft SQL Server\120\Tools\Binn\
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\
C:\Program Files (x86)\nodejs\
C:\Users\andarno\.dnx\runtimes\dnx-clr-win-x86.1.0.0-beta7-12328\bin
C:\Users\andarno\.dnx\bin
c:\users\andarno\tools
C:\Users\andarno\AppData\Local\Code\bin
C:\ProgramData\chocolatey\bin
C:\Users\andarno\AppData\Roaming\npm

Anyone who has ever done DLL hijacking / preloading will see a lot of opportunities in a PATH variable this gigantic.

There is a lot more fun to be had in similar output pasted across the Internet but lets get back to our regularly scheduled blog post. Here is the juice:

LOGONSERVER = \\CO1-RED-DC-11

This probably means that 01, 02, and so on exist as well, but I decided just to go with a simple PoC and use the DC that I knew existed. After registering c01-red-dc-11.com, almost immediately I started to get DNS requests:

ns1.co1-red-dc-11.com
wap.co1-red-dc-11.com
www.co1-red-dc-11.com
mail.co1-red-dc-11.com
m.co1-red-dc-11.com
co1-red-dc-11.com

The ns1 and www were mostly just Internet scanners, but I did see a bunch of interesting requests

mail.co1-red-dc-11.com

m.co1-red-dc-11.com

co1-red-dc-11.com

I have no idea if any of these DNS requests were by real Microsoft domain joined systems but looking at the contents of the requests I assume that a few were.

Analysis

I did this with a few other %LOGONSERVER%s and had similar DNS requests. I didn’t see many packets coming in over SMB/445 because most places where a user would be away from their domain block 445 outbound. I tested out obtaining code execution in my LAB domain SITTINGDUCK.INFO and actually had to set up a VPN to a VPS just so that my lab victim could make 445 requests to the Internet.

In my lab I was able to get authentication requests and code execution by using Impacket’s karmaSMB.py to send my victim a false Logon.bat very similar to the setup for MS15-011. Let me reiterate something:

I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH

Is this conclusive proof? Certainly not, but it’s a start and I’m interested in what ya’ll find.

Why might this work more than it has in the past? Because the only scenario where this is effective is when a Windows domain-joined machine has logged in to their real domain, and without logging out or shutting down (hibernate, or sleep are fine), is then connected to a network that allows 445 outbound. This is definitely becoming more commonplace as Windows becomes more friendly to actually successfully coming back from sleeping or hibernating (yes I’m bitter ;), it was actually my primary reason for buying a Mac).

How can you find the LOGONSERVER of your client? Well, it’s pretty easy to call someone up, pretend to be IT, and simply ask them what Domain Controller they are connected to ;-). Or.. if you are lucky you can find it pasted somewhere online.

One More Thing…

I also tried to think in generalities, and yes, I am the proud owner of DC01.com which gets about 20 requests per second…

::evil laugh::