NOTE: I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH. Anyone who knows me knows that I’ve been obsessed with DNS for a long time. However, in this post I will show the results of something I can’t quite explain. It all started with the following hypothesis: Windows systems make DNS/NetBIOS/LLMNR requests to find the domain controllers they logged into, even when they are no longer attached to the domain.
Ever have one of those topics that you know you’ve looked up 100 times but can never remember the answer to? I was having one of those moments in a recent conversation on the NoVA Hackers mailing list (if you want to join, please read the instructions before requesting to join). The question came up as to what “Password Required: No” in the output of net user UserName actually means. As usual, MSDN isn’t very helpful:
With all of the scanning / noise on the Internet, it’s nice to get rid of a large chunk of it simply by blocking an entire country’s worth of IP space. To do that you can use a kernel module for iptables called “xtables-addons”. On Debian/Ubuntu it’s pretty easy to get going; just apt-get install the needed Perl library and the addons themselves: “apt-get install libtext-csv-xs-perl xtables-addons-common”. Warning: this does require the proper Linux kernel headers to be available to compile the kernel module.
First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one who has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true). TL;DR: USB Ethernet + DHCP + Responder == Creds. Thesis: If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked)?
Created the 2016 UNOFFICIAL DerbyCon Hiring List. Getting on the list is even easier now! Just complete the following form: https://goo.gl/forms/LW5b1xo4O9D8eVZU2 (One small tip: it’s first come, first served, so if you want to be at the top of the list it’s best to submit the best info you have rather than waiting on anyone; I don’t change the list order for anyone.) Direct link to the Google Doc: https://docs.google.com/spreadsheets/d/1qlJYhdxljG4f1vHhj5-Vyj5wiRb3YBjQJU4Cqh2cT6k/edit?usp=sharing
Each year, the week before Black Hat and DEF CON, I make up a list of talks that I “can’t miss” and some that I want to see (and use it afterwards to watch the videos of the ones I missed). This year I thought I would share that list here. I will break them down by each day of the events and by time slot. Any talk I have a :star2: by is a “Must see” for me.
I recently asked a friend if I could have just a list of the domains in the LinkedIn dump: no passwords, no full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There were a total of 9,436,804 unique domain names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.
Recently saw a link to an SCF file. Didn’t know what those were, so I went digging. Turns out they are a simple text-based file that controls Windows Explorer. ;-) Here are the examples I found via the references:

Open Explorer:
[Shell]
Command = 2
IconFile = explorer.exe, 1
[Taskbar]
Command = Explorer

Open “Channels” page in IE:
[Shell]
Command=3
IconFile=shdocvw.dll,-118
[IE]
Command=Channels

This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.
Mostly just writing this so I can keep notes. Today I came up with the idea to forcibly put the WPAD entry into a Windows domain’s DNS. For those who don’t know what this would do, there is an entire Wikipedia article (https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) on the subject. I did this via PowerShell pretty easily on one of the domain controllers, like so: PS C:\> Add-DnsServerResourceRecordA -Name wpad -ZoneName sittingduck.info -IPv4Address 107.
Previous works: There have been a number of different blog posts, presentations and projects that came before this post, and I will reference a number of them during the post and, at the end, link to all that I know about. If you know of any works on this subject that I am missing, please submit a comment below and I will be sure to reference them.