Tag Archives: dns

Domain Controller/Active directory over Meraki VPN fix

If you have a Meraki setup with Umbrella tied into it, and you can’t communicate properly with your *.local domain controller over the Meraki VPN, I have a potential fix for you. In my scenario, VPN clients could see the domain controllers, and the DC IP addresses were specified as DNS servers and were properly assigned to VPN clients. VPN clients could query the DCs for external DNS names without any issues, but any *.local communications or gpupdate related commands would fail. I troubleshot it to the nth degree and discovered this fix:

In the Meraki dashboard, go to Security & SD-WAN, then Configure, then Threat protection. Scroll down to the Umbrella protection section and add your local domain name (mydomain.local) as an exception so that its queries are not routed to Umbrella. Save your changes and hopefully this resolves your issue.

If you continue to have issues, double-check your VPN clients and see which DNS servers are being assigned. Some individuals had to change the interface metric (hint: the lower number wins; use route print to find the metrics of your adapters).

Domain Blacklist

Currently, I’ve been using Pi-hole as a means of blocking ads, malicious websites, and other undesirable things on my own personal network. My Pi-hole setup is blocking 1,702,945 domains, so it can be a way of saving bandwidth and helping fellow users on my network avoid known blacklisted malicious websites. Granted, it is not perfect and it will always be a game of cat and mouse, especially with methods like this, when it comes to blocking domains. But if you’re looking for a small weekend project for your home or small office, I strongly recommend looking into Pi-hole. In my opinion it’s a better means of blocking than the hosts file method, especially with fixed-location desktop computers (although, on a side note, you could VPN into your network with mobile devices and still use your own personal Pi-hole). With that being said, I’m hosting another huge blacklist of domains/IPs on my Google Drive, in two formats. One only has the hosts, and the other is in hosts file format (e.g. 127.0.0.1     BadWebsite.com):

HostsOnly (28.1 MB) – sha1sum – 34a86bcb2b4dba37818fd7de39252b342b9c2f6d

https://drive.google.com/open?id=0BxZG1yRxL_q4aVlNU3N3eVhyRTQ

HostsLoopback (44.4 MB) – sha1sum – e3bdad79c32d7eed3e65c49df5788820e675b78d

https://drive.google.com/open?id=0BxZG1yRxL_q4VTQxRERNVmFkLVU

Bruteforcing subdomain names with John the ripper

A key phase in the steps to penetration testing is reconnaissance. Without reconnaissance, pentesters would be essentially blind.

In addition to this, pentesters have a myriad of tools to help them with the recon phase.

When hunting down hosts that belong to an organization, dnsmap is a wonderful tool for finding subdomains.

After doing some experimenting with this tool, I stumbled upon a limitation. Dnsmap does not have the capability to read keywords from stdin for the subdomain bruteforcing; it requires a word list. Well, what if I want to use John the Ripper?

So, I pondered to myself, “What’s wrong with just ‘host’ and ‘john’ in tandem to bruteforce subdomains?”. Well my friends, here’s an example:

# Each candidate john emits becomes a label; host exits non-zero when the name does not resolve.
john --incremental --stdout | while read -r words; do
    if host "${words}.google.com" &> /dev/null; then
        echo "${words}.google.com"
    fi
done

Of course you could change this accordingly, but here it is as a function, and you could even add it to your .bashrc file.

function dnsbrute {
    # Usage: dnsbrute example.com
    if [ $# -lt 1 ]; then
        echo "I need a domain name..."
        return 1
    fi
    john --incremental --stdout | while read -r words; do
        if host "${words}.${1}" &> /dev/null; then
            echo "${words}.${1}"
        fi
    done
    return 0
}

More to come as usual..

(I’m still dragging my feet on ettersploit.. 🙂 )

Circumventing pay-for-service wifi points

Ever want to access the internet without authenticating at your local college? Have you found yourself accessing wifi points at airports that require you to pay ‘X’ amount of dollars for service? Well my cheap friend, I have a solution for you!

I will forewarn you that this method is a bit slow, and it does require *nix on both ends. Also, this is for educational purposes only!

Firstly, you need an accessible server running ssh, along with a nifty program called ‘dns2tcp’. There are some other similar programs, like iodine, that can do this for you, but this walk-through is focused on the usage of dns2tcp. Also, you need a DNS name, which you can freely get via no-ip.com or dyndns.

File:

http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en

Guide:

http://www.wains.be/index.php/2009/04/24/howto-setting-up-dns2tcp/

I followed this guide quite closely, and it actually did not end up working for me. The guide suggests starting the daemon via:

sudo /etc/init.d/dns2tcpd start

However, this did not work for me. Using netstat, I found that dns2tcpd was not even listening. Instead, I ended up running ‘/usr/local/bin/dns2tcpd’ directly. But before I continue, I’ll post my dns2tcpd config file:

listen = 0.0.0.0
port = 53
# If you change this value, also change the USER variable in /etc/default/dns2tcpd
user = nobody
chroot = /tmp
domain = yourdomain.org
ressources = ssh:127.0.0.1:22

Change accordingly, and yes, ‘ressources’ is supposed to be misspelled.

Here is the command that has worked for me and that I’m currently using to make this post possible:

sudo nohup dns2tcpd -f /etc/dns2tcpd.conf &

Verify that you’ve forwarded port 53 on your router to your server; if your server is in the DMZ, you shouldn’t have to worry about this.

Now, from a remote location with restricted access (every HTTP request is redirected to a login page), test that your server is visible via DNS by using a command like ‘host’. We’ll use my DNS name for this example:

host zitstif.no-ip.org
zitstif.no-ip.org has address 75.41.5.12

If this works, there’s a good chance you’re in business. Then, the next test you want to do is:

dns2tcpc -z zitstif.no-ip.org 75.41.5.12
Available connection(s) :
        ssh

If you see results like this, then chances are, this will work. Next, we need to do some DNS tunneling:

dns2tcpc zitstif.no-ip.org 75.41.5.12 -l 4444 -r ssh

If dns2tcpc is now listening on port 4444, you should be able to ssh into it, and the tunnel will carry you through to your home server.

ssh -D 1234 user@localhost -p 4444

Once you’ve authenticated, you’re set to configure Firefox, or any browser that supports SOCKS 4/5, to connect to your loopback interface on port 1234.

One big reason I mention this is that Hak5 had an episode showing how to do basically the same thing, but they stated you had to pay for your own DNS service / name. My method works, and it’s also cheaper.
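As an added example, not part of the original posts, here is the defender's side of both DNS techniques on this page: a small analyzer over resolver logs that flags the burst of distinct NXDOMAIN answers a host/john loop leaves behind, and the long, high-entropy TXT/KEY labels a dns2tcp-style tunnel produces. The log line format, the two-label parent-domain guess, the record types checked and the thresholds are all assumptions chosen for the constructed sample.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver-log sample, "client qtype qname rcode" per line (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 A mail.example.com NOERROR
10.0.0.5 A aaaa.example.com NXDOMAIN
10.0.0.5 A aaab.example.com NXDOMAIN
10.0.0.5 A aaac.example.com NXDOMAIN
10.0.0.5 A aaad.example.com NXDOMAIN
10.0.0.5 A aaae.example.com NXDOMAIN
10.0.0.9 TXT 3kd9sj2lqpz8vmx1c7tq0rhn5wa4ue6by.t.example.org NOERROR
10.0.0.9 TXT j82mvnq4wrx1zk0cpl6ty3dh9sa7ue5fo.t.example.org NOERROR
10.0.0.9 KEY pq7zx2v9m4kc1lw8ns3rt6yb0hd5ja1ue.t.example.org NOERROR
"""

def parent_domain(qname):
    """Crude registrable-domain guess: the last two labels (assumption; use the PSL in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def entropy(s):
    """Shannon entropy in bits per character; encoded payload labels score far above real hostnames."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1].upper(), parts[2].lower(), parts[3].upper()

def find_enumeration(log, min_unique=5):
    """(client, parent) pairs with many distinct NXDOMAIN names: the footprint of a wordlist brute force."""
    misses = defaultdict(set)
    for client, _, qname, rcode in parse(log):
        if rcode == "NXDOMAIN":
            misses[(client, parent_domain(qname))].add(qname)
    return {k: len(v) for k, v in misses.items() if len(v) >= min_unique}

def find_tunnels(log, min_len=30, min_entropy=3.5, data_types=("TXT", "KEY", "NULL")):
    """Parent domains receiving long, high-entropy leftmost labels in data-bearing record types."""
    hits = Counter()
    for _, qtype, qname, _ in parse(log):
        label = qname.split(".")[0]
        if qtype in data_types and len(label) >= min_len and entropy(label) >= min_entropy:
            hits[parent_domain(qname)] += 1
    return dict(hits)
```

On real logs the thresholds need tuning per environment: a handful of NXDOMAINs is normal typo traffic, and legitimate services (DKIM, DMARC, some CDNs) also issue TXT queries with long labels.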