One Article Review

Source: RedTeam PL
Identifier: 8618460
Publication date: 2024-12-01 15:56:58 (seen: 2024-12-01 15:08:31)
Title: BadWPAD wpad.software case and DNS threat hunting
Text: In this blog post I would like to show an interesting example of a badWPAD attack which resulted in browser history being leaked over DNS queries. A more detailed description of this kind of attack, which abuses the WPAD file, has already been presented in one of the previous blog entries [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html].

WPAD TLDs

First of all we checked the TLD list from IANA [https://data.iana.org/TLD/tlds-alpha-by-domain.txt] for the first level of wpad domains, i.e. which wpad.<TLD> names resolve and to which address (address, name):

101.37.23.113 wpad.bike
104.18.54.241 wpad.mobi
104.18.55.241 wpad.mobi
104.199.123.6 wpad.ac
104.24.104.177 wpad.online
104.24.104.228 wpad.army
104.24.105.177 wpad.online
104.24.105.228 wpad.army
104.24.120.45 wpad.space
104.24.121.45 wpad.space
104.25.51.128 wpad.world
104.27.176.234 wpad.site
104.27.177.234 wpad.site
104.27.188.57 wpad.co
104.27.189.57 wpad.co
104.28.10.19 wpad.kz
104.28.11.19 wpad.kz
104.31.74.75 wpad.exchange
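The following script is an added example and is not code from the RedTeam.pl post. It shows the two halves of the problem the excerpt describes: a rogue PAC file can call dnsResolve() on a name it builds from the URL being visited, so the URL leaves the network inside a DNS query, and a defender can hunt a DNS query log for WPAD lookups that land on a public TLD and for data-carrying labels under such names. The base32 encoding, the dnsmasq-style log format, the wpad.software zone and the excerpt of the IANA TLD list are all assumptions; the log lines and the leaked URL are constructed.

```python
"""Hunt DNS query logs for the badWPAD pattern: WPAD lookups that leave the
organisation for a public TLD, and data-carrying labels under such a name.
Added example (not RedTeam.pl code); the encoding, the TLD subset and the
log lines are constructed here for illustration."""
import base64
import math
import re
from collections import Counter

# Constructed excerpt of https://data.iana.org/TLD/tlds-alpha-by-domain.txt
# (the real file is one upper-case TLD per line after a '#' version comment).
IANA_TLDS_SAMPLE = """\
# Version 2024120100, Last Updated Sun Dec  1 07:07:01 2024 UTC
AC
ARMY
BIKE
CO
COM
EXCHANGE
KZ
MOBI
ONLINE
SITE
SOFTWARE
SPACE
WORLD
"""


def parse_tld_list(text):
    """IANA list -> set of lower-case TLDs, comment lines skipped."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


# --- Leak mechanism (assumed encoding). A PAC file may call dnsResolve() on
# any name, so the visited URL can be smuggled into the labels of a query
# for a name the attacker controls. Base32 is used here because DNS labels
# are case-insensitive and limited to 63 octets.
def encode_url_as_dns_name(url, zone="wpad.software", max_label=63):
    data = base64.b32encode(url.encode()).decode().rstrip("=").lower()
    labels = [data[i:i + max_label] for i in range(0, len(data), max_label)]
    return ".".join(labels + [zone])


def decode_dns_name(name, zone):
    """Inverse of encode_url_as_dns_name; '' if name is not under zone."""
    if not name.endswith("." + zone):
        return ""
    data = name[:-len(zone) - 1].replace(".", "").upper()
    data += "=" * (-len(data) % 8)          # restore base32 padding
    return base64.b32decode(data).decode()


def shannon_entropy(s):
    """Bits per character; encoded payloads score far above plain labels."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


# Constructed dnsmasq-style query log ('query[TYPE] name from client').
LEAKED_URL = "https://intranet.example.com/secret"
SAMPLE_LOG = "\n".join([
    "query[A] wpad.corp.example from 10.0.0.5",   # normal: internal suffix
    "query[A] wpad.software from 10.0.0.5",       # suffix search hit a public TLD
    f"query[A] {encode_url_as_dns_name(LEAKED_URL)} from 10.0.0.5",
    "query[A] www.example.com from 10.0.0.7",     # unrelated
    "query[A] wpad.bike from 10.0.0.9",
    "query[A] 3a7f1c.wpad.space from 10.0.0.9",
])

LOG_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def hunt_wpad_queries(log_text, public_tlds):
    """Findings for names of the form [<labels>.]wpad.<public TLD>.

    A bare wpad.<TLD> means a client's DNS suffix search walked out to the
    public Internet; anything in front of it is payload a PAC file chose."""
    findings = []
    for m in LOG_RE.finditer(log_text):
        _qtype, name, client = m.groups()
        labels = name.lower().rstrip(".").split(".")
        if "wpad" not in labels:
            continue
        i = max(k for k, lab in enumerate(labels) if lab == "wpad")
        rest = labels[i + 1:]
        if len(rest) != 1 or rest[0] not in public_tlds:
            continue                    # internal suffix or deeper zone: ignore
        payload = "".join(labels[:i])
        findings.append({
            "name": name,
            "client": client,
            "kind": "data-in-labels" if payload else "wpad-lookup-on-public-tld",
            "payload_len": len(payload),
            "entropy": round(shannon_entropy(payload), 2),
        })
    return findings


if __name__ == "__main__":
    tlds = parse_tld_list(IANA_TLDS_SAMPLE)
    for f in hunt_wpad_queries(SAMPLE_LOG, tlds):
        print(f)
    leaked = encode_url_as_dns_name(LEAKED_URL)
    print("recovered:", decode_dns_name(leaked, "wpad.software"))
```

On a real log the two finding kinds deserve different handling: a bare wpad.<TLD> lookup points at a client whose DNS suffix search list lets WPAD discovery escape the organisation, while data-carrying labels under such a name are evidence that a rogue PAC is already being evaluated and the payload should be decoded with whatever encoding the PAC actually uses.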
Rating: ★★
Sent: Yes
Tags: Malware, Threat
Stories: APT 32


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.