Have you ever been in a situation where you are looking for a menu option but cannot find it? Thankfully, macOS offers a search for menu options. This works for any menu option of any software on macOS. Take Google Chrome, for example. Suppose I am looking for the menu option ‘Extensions’ and, after checking the menus, I cannot find it. In that case, I can use the search option to look for it. Just click on the Help menu and see the first option, “Search”. Start typing the option you want
The post How to search for any menu option in MacOS appeared first on UseThisTip.
I made a Visual Studio Code shortcut PDF from Microsoft's official site into a wallpaper for VS Code users who need help remembering the shortcuts for different commands. Hope this helps some people out there and the size of the […]
NOTE: I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH
Anyone who knows me knows that I’ve been obsessed with DNS for a long time. However, in this post I will show the results of something I can’t quite explain. It all started with the following hypothesis:
Windows systems make DNS/NetBIOS/LLMNR requests to find the domain controllers they logged into even when they are no longer attached to the domain.
This has already been proven with attacks like MS15-011 and other attacks that aim to bypass BitLocker full-disk encryption. So I added a twist: I thought that maybe, just maybe, Windows will automatically append .com to the end of these requests when attempting to find them. If I buy these domains, then there is a chance I can gain code execution using Group Policy or by supplying logon scripts (BAT files).
Why do I think this? Because of past DEF CON talks like:
DEFCON 19: Bit-squatting: DNS Hijacking Without Exploitation
DEFCON 21 – DNS May Be Hazardous to Your Health – Robert Stucke
But… how on earth would you ever know what an internal domain controller is called? I started by searching for pastebin posts containing %LOGONSERVER%. This netted a few results, but when I searched for the same thing on gist.github.com I found something pretty surprising:
Yes, I found a gist by what seems to be a Microsoft employee:
Another one: https://bugzilla.xamarin.com/attachment.cgi?id=5375
(To Microsoft, I’m fully willing to transfer the domain or null route it until it expires, whichever you prefer)
WE INTERRUPT THIS BLOG POST TO TALK ABOUT THE SERIOUS OSINT TREASURE THAT THESE TYPES OF FILES AND ENVIRONMENT VARIABLES ARE
We will break down a few of the pieces that provide OSINT value:
COMPUTERNAME = ANDARNO-X1
USERDNSDOMAIN = REDMOND.CORP.MICROSOFT.COM
USERDOMAIN = REDMOND
USERDOMAIN_ROAMINGPROFILE = REDMOND
USERNAME = andarno
The full domain name, user name and computer name help to identify the naming schemes used internally.
ChocolateyInstall = C:\ProgramData\chocolatey
Chocolatey is in use and possibly allowed in the domain. This tool has a few persistence options and local privilege escalation paths.
SSH_AGENT_PID = 9316
SSH_AUTH_SOCK = /tmp/ssh-rbPyaDrkXVLz/agent.10020
Honestly, I’ve never seen these options on a Windows box, so I’m going to assume they are the result of Cygwin being installed and running, with valid keys in use. Again, another tool that provides possibilities for persistence beyond the standard Run keys.
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\CommonExtensions\Microsoft\TestWindow
C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.5
C:\Program Files (x86)\MSBuild\14.0\bin
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\VCPackages
C:\Program Files (x86)\HTML Help Workshop
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\Performance Tools
C:\Program Files (x86)\Windows Kits\10\bin\x86
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6 Tools\
C:\Program Files (x86)\Git\cmd
C:\Program Files\Microsoft DNX\Dnvm\
C:\Program Files\Microsoft SQL Server\120\Tools\Binn\
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\
C:\Program Files (x86)\nodejs\
Anyone who has ever done DLL hijacking / preloading will see a lot of opportunities in a PATH variable this gigantic.
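The two checks a defender would want to run over a dump like the one above are (a) which variables give away identity and naming schemes, so they can be redacted before the dump is pasted anywhere, and (b) which PATH entries are actually exposed to DLL planting (a long PATH is only a problem where some directory in it is user-writable, relative, or stale). The following is an added example, not code from the original post; it assumes the ‘KEY = VALUE’ line layout of the quoted gist, reuses values shown in the post, and adds two made-up PATH entries (C:\tools\bin and the relative entry scripts) to exercise the audit. The exists/writable checks are injectable so a dump taken from someone else’s machine can be triaged offline.

```python
"""Triage a Windows environment dump before (or after) it is pasted publicly.

Added example, not code from the original post. Assumes the 'KEY = VALUE'
layout of the quoted gist; the dump below is constructed from values shown in
the post plus two made-up PATH entries (C:\\tools\\bin and 'scripts').
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# Variables whose values hand an outsider the internal naming scheme, the
# logon DC, or a persistence foothold (SSH agent, third-party package manager).
OSINT_KEYS = {
    "LOGONSERVER": "domain controller the user authenticated against",
    "USERDNSDOMAIN": "full internal AD DNS name",
    "USERDOMAIN": "NetBIOS domain name",
    "USERDOMAIN_ROAMINGPROFILE": "NetBIOS domain name",
    "COMPUTERNAME": "workstation naming scheme",
    "USERNAME": "account naming scheme",
    "CHOCOLATEYINSTALL": "package manager present (persistence / privesc paths)",
    "SSH_AUTH_SOCK": "running SSH agent, keys likely loaded",
    "SSH_AGENT_PID": "running SSH agent, keys likely loaded",
}

LINE_RE = re.compile(r"^\s*([^=\s][^=]*?)\s*=\s*(.*?)\s*$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample dump (values taken from the post; C:\tools\bin and
# 'scripts' are made up for the PATH audit).
SAMPLE_DUMP = r"""
COMPUTERNAME = ANDARNO-X1
USERDNSDOMAIN = REDMOND.CORP.MICROSOFT.COM
USERDOMAIN = REDMOND
USERNAME = andarno
LOGONSERVER = \\CO1-RED-DC-11
ChocolateyInstall = C:\ProgramData\chocolatey
SSH_AUTH_SOCK = /tmp/ssh-rbPyaDrkXVLz/agent.10020
Path = C:\Program Files (x86)\Git\cmd;C:\Program Files (x86)\nodejs\;C:\tools\bin;scripts
"""


def parse_env_dump(text: str) -> Dict[str, str]:
    """Parse 'KEY = VALUE' / 'KEY=VALUE' lines into a dict keyed by upper-cased
    name, because Windows variable names are case-insensitive."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
    return env


def osint_findings(env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(variable, value, why it matters) for every OSINT-relevant variable present."""
    return [(k, env[k], why) for k, why in OSINT_KEYS.items() if k in env]


def split_path(value: str) -> List[str]:
    """Split a PATH value on ';', dropping empty entries and trailing backslashes
    (except on bare drive roots such as C:\\)."""
    entries = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.endswith("\\") and not re.fullmatch(r"[A-Za-z]:\\", entry):
            entry = entry.rstrip("\\")
        entries.append(entry)
    return entries


def audit_path(value: str,
               exists: Callable[[str], bool] = os.path.isdir,
               writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK)
               ) -> Dict[str, List[str]]:
    """Classify PATH entries for DLL-planting exposure.

    writable: a user who can write here can drop a DLL that any process
              searching PATH will load; this is the real hijack risk.
    missing:  stale entries; prune them, since a directory that does not exist
              yet can be created by whoever can write to its parent.
    relative: resolved against the current directory, so effectively writable.
    On the audited host itself, leave the default exists/writable checks in place.
    """
    report: Dict[str, List[str]] = {"writable": [], "missing": [], "relative": [], "ok": []}
    for entry in split_path(value):
        if not DRIVE_RE.match(entry) and not entry.startswith("\\\\"):
            report["relative"].append(entry)
        elif not exists(entry):
            report["missing"].append(entry)
        elif writable(entry):
            report["writable"].append(entry)
        else:
            report["ok"].append(entry)
    return report


def demo() -> Tuple[List[Tuple[str, str, str]], Dict[str, List[str]]]:
    """Run both checks over the constructed dump with a pretend filesystem in
    which only the made-up C:\\tools\\bin is user-writable (demo assumption)."""
    env = parse_env_dump(SAMPLE_DUMP)
    present = {r"C:\Program Files (x86)\Git\cmd", r"C:\Program Files (x86)\nodejs", r"C:\tools\bin"}
    report = audit_path(env.get("PATH", ""),
                        exists=lambda p: p in present,
                        writable=lambda p: p == r"C:\tools\bin")
    return osint_findings(env), report


if __name__ == "__main__":
    findings, report = demo()
    for var, value, why in findings:
        print(f"[osint] {var}={value}  ({why})")
    for bucket in ("writable", "missing", "relative"):
        for entry in report[bucket]:
            print(f"[path:{bucket}] {entry}")
```

Everything the osint report flags is exactly what the post mines from the gist; redact those values before sharing a dump. Note that os.access is only an approximation of the Windows ACL check; on a real host, confirm any ‘writable’ hit with icacls before acting on it.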
There is a lot more fun to be had in similar output pasted across the Internet, but let’s get back to our regularly scheduled blog post. Here is the juice:
LOGONSERVER = \\CO1-RED-DC-11
This probably means that 01, 02, and so on exist as well, but I decided to go with a simple PoC and use the DC that I knew existed. After registering c01-red-dc-11.com, I started to get DNS requests almost immediately:
The ns1 and www hostnames were mostly just Internet scanners, but I did see a bunch of interesting requests:

101 total queries in the first 24 hours
27 unique servers querying
Query types: A/AAAA/ANY/CNAME/MX/NS/SOA/TXT

1 total query in the first 24 hours
1 unique server querying
Query types: A

1841 total queries in the first 24 hours
777 unique servers querying
Query types: A/A6/AAAA/ANY/CNAME/DNSKEY/HINFO/MX/NAPTR/NS/PTR/SOA/SPF/SRV/TXT
I have no idea whether any of these DNS requests were made by real Microsoft domain-joined systems, but looking at the contents of the requests I assume that a few were.
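If you defensively register the .com form of your own LOGONSERVER names (or simply watch your authoritative logs for them), the per-name statistics the post reports above (total queries, unique querying servers, query types) fall out of a short log parser, and the queries worth looking at are the ones for the DC-derived name itself rather than the ns1/www hostnames that scanners poke at. The following is an added example, not code from the original post; the log lines are constructed and loosely follow the BIND 9 query-log layout (an assumption; adapt QUERY_RE to your server), and the DC name \\EXAMPLE-DC-01 and the client addresses are made up.

```python
"""Summarize query logs for a defensively registered name and separate the
queries that look like a roaming domain member from scanner noise.

Added example, not code from the original post. Log lines are constructed and
loosely follow the BIND 9 query-log layout (assumption; adapt QUERY_RE to your
server). The DC name \\EXAMPLE-DC-01 and all addresses are made up.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set

# 'client [@0x...] IP#PORT (QNAME): query: QNAME IN QTYPE ...'
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Public suffix the post hypothesises Windows appends to a bare LOGONSERVER
# name when the client is off the corporate network (.com was the case tested).
PUBLIC_SUFFIXES: Sequence[str] = ("com",)

# Constructed sample: two 'roaming client' style lookups of the apex name,
# one SRV lookup, and scanner-style traffic against ns1/www, plus one junk line.
SAMPLE_LOG = [
    "client 203.0.113.10#53211 (example-dc-01.com): query: example-dc-01.com IN A +E(0)K (198.51.100.1)",
    "client 203.0.113.10#53212 (example-dc-01.com): query: example-dc-01.com IN AAAA +E(0)K (198.51.100.1)",
    "client @0x7f3c1c0a5e10 203.0.113.44#4096 (example-dc-01.com): query: EXAMPLE-DC-01.COM. IN SRV + (198.51.100.1)",
    "client 198.51.100.77#1025 (ns1.example-dc-01.com): query: ns1.example-dc-01.com IN A + (198.51.100.1)",
    "client 198.51.100.78#1026 (www.example-dc-01.com): query: www.example-dc-01.com IN ANY + (198.51.100.1)",
    "client 198.51.100.78#1027 (www.example-dc-01.com): query: www.example-dc-01.com IN A + (198.51.100.1)",
    "garbage line that is not a query",
]


def parse_queries(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per query line; qnames are normalised (lower-case, no trailing dot)."""
    records = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            records.append({"client": m["client"],
                            "qname": m["qname"].rstrip(".").lower(),
                            "qtype": m["qtype"]})
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-qname totals in the shape the post reports:
    total queries, unique querying servers, and the query types seen."""
    per = defaultdict(lambda: {"total": 0, "clients": set(), "qtypes": set()})
    for r in records:
        s = per[r["qname"]]
        s["total"] += 1
        s["clients"].add(r["client"])
        s["qtypes"].add(r["qtype"])
    return {
        qname: {"total": s["total"],
                "unique_clients": len(s["clients"]),
                "qtypes": "/".join(sorted(s["qtypes"]))}
        for qname, s in per.items()
    }


def logonserver_to_public_names(logonserver: str,
                                suffixes: Sequence[str] = PUBLIC_SUFFIXES) -> Set[str]:
    """\\\\EXAMPLE-DC-01 -> {'example-dc-01.com'}: the public names a roaming
    client would end up resolving if the post's hypothesis holds."""
    host = logonserver.strip("\\").lower()
    return {f"{host}.{suffix}" for suffix in suffixes}


def flag_leaks(records: List[Dict[str, str]], logonservers: Iterable[str]) -> List[Dict[str, str]]:
    """Queries for exactly a DC-derived name (not ns1/www under it): the ones the
    post singles out as 'interesting' against the scanner background."""
    watch: Set[str] = set()
    for name in logonservers:
        watch |= logonserver_to_public_names(name)
    return [r for r in records if r["qname"] in watch]


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for qname, stats in summarize(recs).items():
        print(f"{qname}: {stats['total']} queries, "
              f"{stats['unique_clients']} unique servers, types {stats['qtypes']}")
    for r in flag_leaks(recs, [r"\\EXAMPLE-DC-01"]):
        print(f"[leak?] {r['client']} asked {r['qtype']} for {r['qname']}")
```

The same parser can be pointed at your internal resolver's logs: a workstation that queries its DC name with a public suffix appended while on the corporate network is a sign its suffix search list or name-resolution order is misconfigured, and that is worth fixing before the machine ever roams.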
I did this with a few other %LOGONSERVER% values and saw similar DNS requests. I didn’t see many packets coming in over SMB/445, because most places where a user would be away from their domain block 445 outbound. I tested obtaining code execution in my lab domain SITTINGDUCK.INFO and actually had to set up a VPN to a VPS just so that my lab victim could make 445 requests to the Internet.
In my lab I was able to get authentication requests and code execution by using Impacket’s karmaSMB.py to send my victim a false Logon.bat, very similar to the setup for MS15-011. Let me reiterate something:
I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH
Is this conclusive proof? Certainly not, but it’s a start and I’m interested in what y’all find.
Why might this work more now than it has in the past? Because the only scenario where this is effective is when a Windows domain-joined machine has logged in to its real domain and, without logging out or shutting down (hibernate or sleep are fine), is then connected to a network that allows 445 outbound. This is definitely becoming more commonplace as Windows gets better at actually coming back from sleep or hibernation successfully (yes, I’m bitter ;) it was actually my primary reason for buying a Mac).
How can you find the LOGONSERVER of your client? Well, it’s pretty easy to call someone up, pretend to be IT, and simply ask them which domain controller they are connected to ;-). Or, if you are lucky, you can find it pasted somewhere online.
One More Thing…
I also tried to think in generalities, and yes, I am the proud owner of DC01.com which gets about 20 requests per second…