Bypassing SmartScreen on Web Browsers

  Views: 55,604

John Hammond

15 days ago


Comments: 135
@JoeHellethemayor 14 days ago
Thanks for the shout! And you got it right - Hell - E
@sussteve226 14 days ago
hi
@sigitas909 13 days ago
As of this comment, JH didn't share the link for that article. Can you link a brother up?
@onemoreguyonline7878 13 days ago
Hi Joe!
@MaysaAhmed-jz7sp 3 days ago
@@sussteve226 ٢
@mclarenf1gtr99 14 days ago
I don't mind having them put warnings when I try to access a supposed "dangerous" link, but now they don't even present the option to advance anyway. This makes me worry about the future where you can't access something because someone of a higher power said No, not because it is dangerous, but because they don't want people to access.
@L2002 14 days ago
you can literally just use any other browser that doesn't have safe browsing, nothing to worry.
@angeleeh 13 days ago
on chrome, just type 'thisisunsafe' and will let you through
@ThemePro24 14 days ago
Err, seems overly complicated when you can: Open "App & browser control" settings. Choose "Reputation-based protection settings". Toggle off the switches for "Check apps and files" and "SmartScreen for Microsoft Edge".
@JoeHellethemayor 14 days ago
The point of the issue wasn't that there is some other way to do it. It is that SmartScreen fails open when it can't call home, rather than falling back on something else to handle it.
@funil6871 14 days ago
@@JoeHellethemayor I learned a lot from your pivoting course, thank you for that… you really motivated me
@SaintSaint 14 days ago
@@JoeHellethemayor Yep. the whole idea is.. WAIT YOU'RE THE GUY FROM THE VIDEO *HIGH FIVE*. okay. back to reality. The whole idea is that, given a compromised DNS, you can not just redirect people to malicious pages... but you can make the pages acceptable in browsers. It's a big given, but it's still useful info.
@RodrigoPhysicist 14 days ago
you could also set up a small tcp server that always returns true and add it on the hosts of your co-worker... now he's gonna have the red screen for every site he browses 😂
@CZghost 14 days ago
That's just evil, man! :D
@Spiderfffun 14 days ago
oh dude I really want to do this now i would integrate this in my troll tool and it would be so funny
@L2002 14 days ago
you need admin rights?
@funil6871 14 days ago
That is the punishment people deserve for using edge in the first place 😂
@SaintSaint 14 days ago
@@L2002 yes.
@b3twiise853 14 days ago
“He was messing around with his piehole” ohh joel tsk tsk tsk 😂😂😂
@5iddd 14 days ago
That's crazy
@GustavoPinho89 14 days ago
Security researchers always be testing stuff with their pieholes.....
@vuufke4327 13 days ago
hope he wasn't doing it on company time
@ThisIsJustADrillBit 14 days ago
This man is relentless ❤🔥
@arjunraghunadhan3611 14 days ago
After watching his videos i learnt many things including how to be daring and crazy because this gave me inspiration 🤣 I love his content
@CZghost 14 days ago
One possible thing MS and/or Google could do is that if it can't reach the destination of the safe browsing/smart screen DNS, it flashes an error on the screen warning about this nefarious behaviour of your local network, before it lets you interact with any page. If you didn't do this, you might want to investigate.
@ramseyibe2844 13 days ago
Thank you for this 😃 I learnt something new today
@heeshsusnwo666qsbwsjsjeuhwsns 14 days ago
Yeah man another great video 🎉
@SzaboB33 14 days ago
I always had a weird feeling AVs blocking Bloodhound and even maybe mimikatz. I always thought about AVs that protect me from being compromised but in those cases it limits my usage of the machine. Yea, they can be used to compromise OTHER accounts and machines but it's weird that they limit me doing it even in a non AD joined machine. I want AVs to protect me from compromise and then not to moralize about what I want to do with my life!
@ThatBlueFalcon 13 days ago
It's within a security tool's interest to block downloads of attacker tools, including Bloodhound and Mimikatz. If an attacker gained user privileges on a host and Microsoft allowed users to freely download hacking tools from Github, that'd be a very convenient loophole to onboard tools. It's much better to download and use those tools using a sandbox environment without Defender/security features enabled, or even better just stick to a Kali distro where this wouldn't be an issue
@BryanLu0 13 days ago
How does the AV differentiate between you using these tools and an adversary on your machine using them? It can't
@chrisjinks5414 14 days ago
Thank you, I have just built a Defender hunting query to notify us if the hosts file is modified and/or if a request to a Microsoft or google domains returns an IP that's not publicly routable (as it's then been hijacked or sinkholed), many thanks.
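The two checks described in the comment above, sketched offline as an added example (this is not the commenter's Defender query and not code from the video). The watched domain suffixes, the sample hosts file and the sample DNS answers are constructed placeholders; substitute the reputation-service domains your browsers actually contact.

```python
import ipaddress

# Assumption: placeholder suffixes standing in for the real reputation-service domains.
WATCHED_SUFFIXES = ("reputation.example", "safebrowsing.example")

def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: ignore the line
        for name in fields[1:]:                 # one line may carry several aliases
            yield n, ip, name

def hosts_findings(text):
    """Any hosts-file override of a watched domain is reported, whatever the address."""
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text) if is_watched(name)]

def dns_findings(answers):
    """Report watched domains that resolved to an address that is not publicly routable."""
    return [(name, addr) for name, addr in answers
            if is_watched(name) and not ipaddress.ip_address(addr).is_global]

# Constructed sample data, not taken from any real host.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     checks.reputation.example   # sinkholed
10.0.0.5    intranet.corp.example
::1 localhost
0.0.0.0 safebrowsing.example api.safebrowsing.example
"""
SAMPLE_ANSWERS = [
    ("checks.reputation.example", "192.168.1.53"),   # answered by a local resolver
    ("checks.reputation.example.", "8.8.8.8"),       # globally routable answer
    ("www.example.org", "10.1.1.1"),                 # private, but not a watched name
]

if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS):
        print("hosts override:", finding)
    for finding in dns_findings(SAMPLE_ANSWERS):
        print("non-public answer:", finding)
```

The DNS check matters because the same fail-open result can come from a network resolver rather than the local hosts file, where no file-modification event would fire.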
@Hybrid_Netowrks 10 days ago
John just in case if you don't have admin rights on a laptop like your office laptop in that case that Joe solution is more scalable than that of yours. But, still you are the King.
@claudiafischering901 14 days ago
Cool, but is it not more easier to turn it off the SmartScreen? Maybe by registry or in edge itself? Or is it to avoid the message pops up you turn off SmartScreen?
@BryanLu0 13 days ago
It's the fact that other people could block these urls and cause smartscreen to fail
@86ajmn 13 days ago
It's def a neat trick to stick in the tool belt and also as a mental exercise to possibly defeat other security look up based measures. I think a good question here is why doesn't Microsoft and other big tech companies bypass DNS for these type of things?
@ancestrall794 14 days ago
Very interesting, great video bro 👍
@aabdulr 12 days ago
This is exactly how I get all my streaming and other things to work on ✈️ Internet. Try it out next time you're flying
@torsec6048 13 days ago
nice work john
@cyber_space09 14 days ago
Thanks for more formation ⚡🐦‍🔥❤️‍🔥
@demonagito666 4 days ago
can you call the download in terminal to avoid the download via browser? or does it still flag it?
@lfcbpro 14 days ago
I'm curious about the CRDOWNLOAD file. While it is a temp file, I am guessing to check there is enough space to complete the download, in this instance, does it download the whole file? Or does it check with google/microsoft before completing the download and then flag it? If it does, can the extension be changed to give the original file?
@mollthecoder 13 days ago
It's the browser temporarily saving info about the file, which can be used to start off where you left off if, for example, you lose internet for a moment. It can also be used for pausing/unpausing file downloads. That's what I know about CRDOWNLOAD, although I must admit I don't know a ton about it.
@TechnicalHeavenSM 10 days ago
very interesting analysis..loved the video
@logiciananimal 13 days ago
Microsoft traditionally says that local administrator access being required for anything nullifies any merit to it as a vulnerability.
@amaurisrodriguez9914 13 days ago
Hi John, are you planning to do a live demo about the most recent Palo Alto CVE related to Globalprotect RCE?
@xYarbx 13 days ago
If you would know the licensing costs to Palo Alto you would not be asking this. It's pretty much among the lines if you need to ask how much it is you can't afford it. When I was in Uni that does co-operation with their development team we had discounted licensing to PA-220 and even price for that was eye watering.
@patrickreuvekamp 13 days ago
Am I correct in thinking that this could be a risk in public networks as well?
@wildstorm74 13 days ago
If you mean, you have trouble trusting open source software/code. I wouldn't blame you, you should be careful. That's why most people use RPIs and Visual computers when playing around, but even then. Should still be sus of it. 😒
@KyleRice 14 days ago
great Video
@luketurner314 13 days ago
Pi-hole can also be run in a Docker container
@funil6871 14 days ago
Great john
@Crysal 14 days ago
You can also block the call to their connection test server and your device will have internet access but the Network Icon will change to "No internet access"
@mattjohnson6276 13 days ago
Anyone know where I can get that hacker/hunter shirt he is wearing?
@paritoshbhatt 13 days ago
informative
@ToniMorton 10 days ago
you think the browser would notify you "hey some weird stuff is going on with your dns settings we cant access smartscreen/url screening but you're connected.. 🤔 it could just check another dns name for internet check and use those domains its checking as a sanity check for tampering
@ToniMorton 10 days ago
i think a solution would be a notification explaining your dns settings may have been altered or something just in the case of malware but i guess av is kinda the limit here? hmmm i feel like the browser could totally help notify the user of tampering here tho
@usaidkbf 14 days ago
how ur that smart ❤
@rohit.vikram 13 days ago
Algorithm boost go!!!
@L2002 14 days ago
Did they really contact Microsoft? 😂 it's really a basic attack. I also wouldn't call it a security bug. What do you want them to do? Prevent you from downloading any file until you fix your network? Yeah, doesn't make sense.
@xdestino 14 days ago
yea. i agree. still cool to see
@ankanroy2 13 days ago
doesn't need to go and investigate every url just sinkhole the whole smartscreen and its subdomains with wildcard that's just saves time, unless someone wants fine grain control
@Serpensin 14 days ago
If I need to download blocked files, I simply wget, or curl them.
@andrejs.smirnovs 14 days ago
Thanks for the video! But is there a way to bypass the verification of phishing site that was made, for example, by security team of a company to educate the personnel? It is possible of course to distribute those changes to hosts file to all assets, but this can be dangerous, since no verification will be made for real malicious sites.
@mollthecoder 13 days ago
If the company makes the phishing site for personnel only then it really shouldn't end up on a SmartScreen or Safe Browsing list.
@Spiderfffun 14 days ago
This is a little bit of an issue, and good to know, but it takes a lot more in a real world scenario, and if you can do this, you can probably do something much more meaningful.
@professional.hacker. 14 days ago
OTW
@RyderCragie 1 day ago
Just disable it in Edge settings.
@msalih 14 days ago
I wish to see what data browser sends to these addresses
@carsonjamesiv2512 14 days ago
Interesting.
@davisjansons7384 14 days ago
please do a pihole video
@6pfk 12 days ago
useful technique could be used to find malware, but I would use wget or curl for download bit? sorry Linux convert 80)
@6pfk 12 days ago
Oh! could block Microsoft spyware?????
@Boxersteavee 4 days ago
what if a new malware turned off smartscreen using this to then download other malware.
@rainbowdoesinfosec 14 days ago
Classic host file trick
@draugr7693 14 days ago
This is just yet another example of why i only use Windows exclusively for gaming and Linux for everything else cos with Linux i get much better privacy and security and complete control of almost everything on my computer without having to jump through hoops.
@L2002 14 days ago
you know that the security of SmartScreen/Safe Browsing in Windows and Linux are same?!
@thesoftone 13 days ago
i use linux for everything because proton is awesome :3 the only instance of windows i will allow on my laptop is the stripped-down edition of win11, locked down in ~300gb of storage space to make sure i can have both D2 and fl studio alongside it
@Sourpusscandy 14 days ago
Eeww dude what are you using? Edge?
@notyoursanymore9027 14 days ago
😂😂😂😂
@Peccavi75 13 days ago
Invoke-webrequest?
@user-ow1vi4op4u 13 days ago
" yES"
@cmarines7 14 days ago
I have definitely learned a lot from you and Ryan Montgomery. As well as from David Bombal and Network Chuck. Thanks for all you do and keep them coming.
@younjesus4087 14 days ago
You should always update windows John...
@nordgaren2358 13 days ago
It's a VM used for demos...
@onemoreguyonline7878 13 days ago
Isn't the hosts file a bad option nowadays, because Windows regularly resets hosts files?
@Pem7 10 days ago
🤞🏾
@BunnyKhatri-pd8zm 13 days ago
I am still waiting for xz video
@FusionDeveloper 13 days ago
Not recommended, but good to know.
@crunchied8 14 days ago
John thought on youtube was being hacked
@cybersecadventures01123 14 days ago
Bloodhound 😂
@infinite_flesh 10 days ago
China is using strong firewall to protect its cyberspace.. How can we enter or control chinese internet ? I wish you make video about that
@harze6818 12 days ago
great video!, 10 hours later it's patched XD
@brbl415 7 days ago
this is not an issue, it's a feature
@sameulbasheer2006xpc 14 days ago
please tell how to bypass verify browser from Cloudflare
@Sammysapphira 13 days ago
You don't
@mollthecoder 13 days ago
You won't see it up here as a KZfaq tutorial, because Cloudflare is way more serious. If you're able to bypass Cloudflare, then they would likely pay a good amount of money for you to tell them how. Or it might get sold to a government for even more money than Cloudflare would pay, in which case it would be even better kept under wraps.
@sussteve226 14 days ago
Nice no more Meet circle crap.
@thesoftone 13 days ago
microsoft try to not mess with their users challenge (impossible)
@m4rt_ 14 days ago
Maybe you could use this for a man in the middle attack, though if you already have a man in the middle thing going, I think there might be worse things you can do.
@grimsquirrels 13 days ago
Brave browser ftw.
@SocialIPO 14 days ago
You might want to change thumbnail. It looks like the video is banned
@unknownentity5354 14 days ago
I could see a scammer using this. If they get the local user to run a script or command to modify the host file, they can then have them download malicious files.
@mollthecoder 13 days ago
If they get the user to run a malicious script with administrator privileges then there's no need to convince the user to download more files from their browser - the script itself could download any necessary files.
@themirrazz 13 days ago
The fact that Microsoft blocked their own website is beyond me
@paillat 13 days ago
Wdym
@wardrich 14 days ago
Smartscreen blocking downloaded files from opening is dead simple to get around with some DIR /R shenanigans too. Just modify the zone datastream to a 1, or delete it altogether and problem solved 🤣
@DavidAlvesWeb 14 days ago
Hey don't be mad at google, bloodhounds are good boyyyys! 🐶
@cleitongbr 14 days ago
1
@robottwrecks5236 14 days ago
Doing a MITM or honey pot would allow you to block those as well.
@JNET_Reloaded 14 days ago
no1 would need to do this esp a victim pointless video!
@nordgaren2358 13 days ago
Maybe if you watched the first five minutes of the video, you'd know what use cases it's for?
@JNET_Reloaded 14 days ago
starts @5:00 mins boring bs needs to be cut out!