mandiant / flare-fakenet-ng

FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Apache License 2.0

Implement Microsoft NCSI #23

Closed strictlymike closed 6 years ago

strictlymike commented 7 years ago

Implement Microsoft NCSI as described at Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista

I noticed the following traffic with a Windows 7 client and did a little research.

04/25/17 11:57:40 AM [        DNS Server] Received A request for domain 'www.msftncsi.com'.
04/25/17 11:57:40 AM [        DNS Server] Responding with '192.168.19.222'
04/25/17 11:57:40 AM [          Diverter]   pid:  6535 name: python
04/25/17 11:57:40 AM [          Diverter]   pid:  6535 name: python
04/25/17 11:57:40 AM [    HTTPListener80] Received a GET request.
04/25/17 11:57:40 AM [    HTTPListener80] --------------------------------------------------------------------------------
04/25/17 11:57:40 AM [    HTTPListener80] GET /ncsi.txt HTTP/1.1
04/25/17 11:57:40 AM [    HTTPListener80] Connection: Close
04/25/17 11:57:40 AM [    HTTPListener80] User-Agent: Microsoft NCSI
04/25/17 11:57:40 AM [    HTTPListener80] Host: www.msftncsi.com
04/25/17 11:57:40 AM [    HTTPListener80]
04/25/17 11:57:40 AM [    HTTPListener80] --------------------------------------------------------------------------------

strictlymike commented 7 years ago

Bump: common enough to be seen multiple times.

strictlymike commented 6 years ago

Quick easy test (using PowerShell):

$clsid = New-Object Guid 'DCB00C01-570F-4A9B-8D69-199FDBA5723B'
$type = [Type]::GetTypeFromCLSID($clsid)
$obj = [Activator]::CreateInstance($type)
$obj.IsConnected, $obj.IsConnectedToInternet

strictlymike commented 6 years ago

PR #73 closes this.
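
The probe captured in the first comment, handled in Python as an added example; this is not from the thread and is not FakeNet-NG's code from PR #73. The function names are hypothetical, and the expected body `Microsoft NCSI` (no trailing newline) comes from Microsoft's NCSI documentation rather than from this page.

```python
# Added example, not FakeNet-NG code. All function names are hypothetical.
NCSI_HOST = "www.msftncsi.com"
NCSI_PATH = "/ncsi.txt"
# Assumption from Microsoft's NCSI documentation: exact body, no trailing newline.
NCSI_BODY = b"Microsoft NCSI"

# Constructed sample, rebuilt from the request shown in the HTTPListener80 log.
SAMPLE_REQUEST = (
    b"GET /ncsi.txt HTTP/1.1\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Microsoft NCSI\r\n"
    b"Host: www.msftncsi.com\r\n"
    b"\r\n"
)

def parse_request(raw):
    """Return (method, path, headers) with lower-cased header names, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # malformed request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def is_ncsi_probe(raw):
    """True when the request is the Windows NCSI web probe for /ncsi.txt."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, path, headers = parsed
    host = headers.get("host", "").split(":")[0].lower()  # drop optional port
    return method == "GET" and path == NCSI_PATH and host == NCSI_HOST

def build_response(raw):
    """Answer the probe with the body NCSI compares against; 404 otherwise."""
    status, body = ("200 OK", NCSI_BODY) if is_ncsi_probe(raw) else ("404 Not Found", b"")
    head = (
        f"HTTP/1.1 {status}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body
```

With a listener answering this way, the PowerShell check in the thread is the way to confirm what the client concludes about its connectivity.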