Bypassing SmartScreen on Web Browsers

“He was messing around with his piehole “ ohh joel tsk tsk tsk 😂😂😂

I don't mind having them put warnings when I try access a supposed "dangerous" link, but now they don't even present the option to advance anyway. This makes me worry about the future where you can't access something because someone of a higher power said No, not because it is dangerous, but because they don't want people to access.

you could also set up a small tcp server that always returns true and add it on the hosts of your co-worker... now he's gonna have the red screen for every site he browses 😂

One possible thing MS and/or Google could do is that if it can't reach the destination of the safe browsing/smart screen DNS, it flashes an error on the screen warning about this nefarious behaviour of your local network, before it lets you to interact with any page. If you didn't do this, you might want to investigate.

I always had a weird feeling AVs blocking Bloodhound and even maybe mimikatz. I always thought about AVs that protect me from being compromised but in those cases it limits my usage of the machine. Yea, they can be used to compromise OTHER accounts and machines but it's weird that they limit me doing it even in a non AD joined machine. I want AVs to protect me from compromise and then not to moralize about what I want to do with my life!

Thank you, i have just built a Defender hunting query to notify us if the hosts file is modified and or if a request to a Microsoft or google domains returns an IP that's not publically routable (as its then been hijacked or sinkholes), many thanks.

It's def a neat trick to stick in the tool belt and also as a mental exercise to possible defeat other security look up based measures.
I think a good question here is why doesn't Microsoft and other big tech companies bypass DNS for these type of things?

Eeww dude what are you using? Edge?

Yeah man another great video 🎉

You can also block the call to their connection test server and you device will have internet access but the Network Icon will change to "No internet access"

Thank you for this😃 i leant something new today

I have definitely learned a lot from you and Ryan Montgomery. As well as from David Bombal and Network Chuck. Thanks for all you do and keep them coming.

You should always update windows John...

Microsoft traditionally says that local administrator access being required for anything nullifies any merit to it as a vulnerability.

Thanks for more formation ⚡🐦‍🔥❤️‍🔥

you think the browser would notify you "hey some wierd stuff is going on with your dns settings we cant access smartscreen/url screening but your connected.. 🤔
it could just check another dns name for internet check and use those domains its checking as a sanity check for tampering

doesn't need to go and investigate every url just sinkhole the whole smartscreen and its subdomains with wildcard thats just saves time, unless someone wants fine grain control

It does render the feature totally useless but it would require an attacker to have access in the first place. Even then, what would be the point of modifying a victim's host file if you already got access to the victim and smart screen doesn't even check for example, file transfers over ALL TCP sessions.
I can't really see a hacker root a victim and change their host file so that the victim can download "malware" freely. It wouldn't serve the hacker any real purpose unless they are terribly bad and try to use browsers for downloading their files.
It's a cool thing to break features in browsers but nothing more than that in my opinion.
Good find though!

This is a little bit of an issue, and good to know, but it takes a lot more in a real world scenario, and if you can do this, you can probably do something much more meaningful.

Just disable it in Edge settings.

This is exactly how I get all my streaming and other things to work on ✈️ Internet. Try it out next time you're flying

Thanks for the video! But is there a way to bypass the verification of phishing site that was made, for example, by security team of a company to educate the personnel? It is possible of course to distribute those changes to hosts file to all assets, but this can be dangerous, since no verification will be made for real malicious sites.

Did they really contact Microsoft? 😂it's really a basic attack. I also wouldn't call it a security bug. What do you want them to do? Prevent you from downloading any file until you fix your network? Yeah, doesn't make sense.

Algorithm boost go!!!

I'm curious about the CRDOWNLOAD file.
While it is a temp file, I am guessing to check there is enough space to complete the download, in this instance, does it download the whole file? Or does it check with google/microsoft before completing the download and then flag it?
If it does, can the extension be changed to give the original file?

I am still waiting for xz video

If I need to download blocked files, I simply wget, or curl them.

Invoke-webrequest?

Anyone know where I can get that hacker/hunter shirt he is wearing?

please do a pihole video

John thought on youtube was being hacked

Interesting.

Maybe you could use this for a man in the middle attack, though if you already have a man in the middle thing going, I think there might be worse things you can do.

great video ! , 10 hours later its patched XD

OTW

Hey don't be mad at google, bloodhounds are good boyyyys! 🐶

Bloodhound😂

Smartscreen blocking downloaded files from opening is dead simple to get around with some DIR /R shenanigans too. Just modify the zone datastream to a 1, or delete it altogether and problem solved 🤣

microsoft try to not mess with their users challenge (impossible)

Doing a MITM or honey pot would allow you to block those as well.

1

Thanks for the shout!
And you got it right - Hell - E

This man is relentless ❤🔥

Cool, but is it not more easier to turn it of the SmartScreen ? Maybe by registry or in edge itself? Or is it to avoid the message pops up you turn off SmartScreen ?

how ur that smart ❤

After watching his videos i learnt many things including how to be daring and crazy because this gave me inspiration 🤣
I love his content

this is not an issue, it's a feature

Am I correct in thinking that this could be a risk in public networks as well?

what if a new malware turned off smartscreen using this to then download other malware.

You might want to change thumbnail It looks like the video is banned

can you call the download in terminal to avoid the download via browser? or does it still flag it?

great Video

Brave browser ftw.

🤞🏾

The fact that Microsoft blocked their own website is beyond me

" yES"

This is just yet another example of why i only use Windows exclusively for gaming and Linux for everything else cos with Linux i get much better privacy and security and complete control of almost everything on my computer without having to jump through hoops.

useful technique could be used to find malware, but I would use wget or curl for download bit? sorry Linux convert 80)

very interesting analysis..loved the video

John just in case if you don't have admin rights on a laptop like your office laptop in that case that Joe solution is more scalable than that of yours. But, still you are the King.

Isn't the hosts file a bad option nowadays, because Windows regularly reset hosts files?

Not recommended, but good to know.

nice work john

I wish to see what data browser sends to these addresses

Very interesting, great video bro 👍

Pi-hole can also be ran in a Docker container

Nice no more Meet circle crap.

Classic host file trick

informative

I could see a scammer using this. If they get the local user to run a script or command to modify the host file, they can then have them download malicious files.

Hi John, are you planning to do a live demo about the most recent Palo Alto CVE related to Globalprotect RCE?

please tell how to bypass verify browser from Cloudflare

starts @5:00 mins boring bs needs to be cut out!

no1 would need to do this esp a victum pointless video!