An HTTP downloader with peer-to-peer and cache server capabilities. It uses a global control plane with content-based addressing and fallback to URL-based addressing.
Cache servers
Microsoft Connected Cache (formerly Delivery Optimization In-Network Cache aka DOINC)
There are currently two types of on-premises cache servers
- Standalone: nginx on Azure Edge for Linux on Windows (EFLOW), targeted at ISPs or cloud-only environments
- SCCM Distribution Point: IIS on Windows
Both appear to be orchestrated by .NET services, but the standalone one can operate as a single container.
Cache servers are accessed with
http://<CacheServerIP>/<path>?cacheHostOrigin=<hostname> and can be tested with /mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
Cloud service
This first-party doc has a helpful explanation of control plane services. Besides that, I’ve only found one prior work on the Delivery Optimization P2P protocol (Swarm) and control plane. Content can be queried with
$Geo = irm "https://geo.prod.do.dsp.mp.microsoft.com/geo"
$KeyValue = irm $geo.KeyValue_EndpointFullUri
$ContentPolicy = irm "$($KeyValue.ContentPolicy_EndpointUri)/content/<contentId>/contentpolicy?altCatalogId=<url>"$KeyValue.Client_RegisteredCallersFilterList has an interesting list too. MLModelDownloadJob is likely related to Core AI Platform.
BeginLoadRange.*
.*CheckReachable
DoLoadFile
EdgeUpdate DO Job
IntuneAppDownload
MDMSW Job
Microsoft Component Updater DO Job
Microsoft Office Click-to-Run
MLModelDownloadJob
MSIX HttpsDataSource Download
Msk8sDownloadAgent
Windows Dlp Manager
WSXExperiencePackDownloadJob
WU Client Download
Xbox XVC Streaming
Windows Recovery Media Creator
TODO download tracker? could use https://apps.microsoft.com/api/Reco/GetComputedProductsList?gl=US&hl=en-us&listName=TopFree&pgNo=1&noItems=24&filteredCategories=AllProducts&mediaType=apps as a content index
A group of DO peers (swarm) can be joined with
$contentId = "test"
$altCatalogId = "http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/25058c77-27b0-4c38-a174-f86b72f86dc9" # surface
$altCatalogId = "http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c6b8cf6e-335a-4658-be1b-cae7575dd1ed" # company portal
$Geo = irm "https://geo.prod.do.dsp.mp.microsoft.com/geo?doClientVersion=10.1.0.12"
$KeyValue = irm "$($Geo.KeyValue_EndpointFullUri)?doClientVersion=10.1.0.12"
$ContentPolicy = irm "$($KeyValue.ContentPolicy_EndpointFullUri -replace '{contentId}', $contentId)?altCatalogId=$altCatalogId"
$Arrays = irm "$($KeyValue.Discovery_EndpointFullUri -replace '{contentId}', $contentId)?partitionId=0&CountryCode=US&altCatalogId=$altCatalogId"
# $Swarm = irm "$($Arrays[0].CollectiveArray)join/" -Method POST -Body @{AltCatalogId=$altCatalogId}
# $Swarm
$psObject = $psObject = @{
# ContentId = "e2797dcfc9adc3d026152f00465e4e04f643675d"
AltCatalogId = $altCatalogId
PeerId = "e08e8e26fd833d4097b3a62b66adc67b00000000"
ReportedIp = "192.168.1.8"
SubnetMask = "255.255.255.0"
Ipv6 = "fe80::240c:cca8:88ed:fdce"
IsBackground = "0"
ClientDialectVersionMajor = "10"
ClientDialectVersionMinor = "1"
ClientDialectVersionBuild = "0"
ClientDialectVersionRevision = "12"
Uploaded = "0"
Downloaded = "0"
DownloadedCdn = "0"
DownloadedDoinc = "0"
Left = "73473792"
JoinRequestEvent = "1"
RestrictedUpload = "0"
PeersWanted = "255"
GroupId = ""
Scope = "1"
# UploadedBPS = "0"
# DownloadedBPS = "0"
Profile = "768"
Seq = "0"
}
$Swarm = irm "$($Arrays[0].CollectiveArray)join/" -Method POST -Body ($psObject | ConvertTo-Json) -ContentType "application/json"
Intune
Microsoft Store traffic is cached, and encrypted Intune Win32 Apps too. They use Azure Storage fronted by a CDN like http://swdd02-mscdn.manage.microsoft.com/6ecd274d-26f9-49e2-b29c-60a001eaa538/2c9f680a-1d14-4b9c-9dde-868f4aa488bd/31e53840-fa0f-474c-870e-5169ce97380b.intunewin.bin
Tenant ID isn’t part of the URL, but app ID is. I forget the exact part.
When downloading a win32 app, the Intune Management Extension retrieves content metadata from the Intune service, which includes an UploadLocation of the encrypted intunewin and a DoFileId which is the DO ContentId. The ContentId incorporates Intune metadata like tenant/app/instance, unlike other IDs which appear to be deterministic.TODO what’s the algo?
The DO cloud service only returns data from the content ID, not the URL unlike Store apps, which causes download failures if the ID is null.
irm "$($KeyValue.ContentPolicy_EndpointUri)/content/501FCB7D-A970-4E34-A753-4B48FE5D8BEF_6ecd274d-26f9-49e2-b29c-60a001eaa538_03f2334f-03e3-43c8-9db5-24d8979ebafd_fade6ecb-833a-4664-9794-c873ac4734ef-intunewin-bin_a91660a8-1dde-485b-98fa-514e6616d515_1/contentpolicy"
ContentId : DO-pnfBh6zEGx3sxf6WBId825S6VQpwJTWIaAWU-cBsHD0=
HashOfHashes : pnfBh6zEGx3sxf6WBId825S6VQpwJTWIaAWU/cBsHD0=
PiecesHashFileCdnUrls : {https://swdd02.manage.microsoft.com/6ecd274d-26f9-49e2-b29c-60a001eaa538/03f2334f-03e3-43c8-9db5-24d8979ebafd/fade6ecb-833a-4664-9794-c873ac4734ef.intunewin.bin.phf}
ContentCdnUrls :
IsSecure : False
IsInternal : False
Policies : @{ForegroundQosBps=6710886; BackgroundQosBps=2621440; MaxCacheAgeSecs=86400; ExpireAtSecsSinceEpoch=; DownloadToExpire=86400}
Rank : 0The win32 DO API requires both the ContentId and Uri despite the documentation, so I had to modify PSDODownloader to support both at once.
thebabush/wudo-reversing: Windows Update Delivery Optimization reverse engineernig (github.com)
Chapter 2 - Black Box Research (sygnia.co)
DOing More Harm: Part 2 | REMY HAX
TODO Intune msix testing
Local service
Delivery Optimization has a win32 API used by the winget CLI, which is the only official public Delivery Optimization client implementation that I’m aware of. But I want to allow arbitrary endpoints, and their implementation uses C++ so I couldn’t just patch their code.
I tried Vanara.PInvoke.DOSvc for PowerShell interop, but its signatures weren’t compatible with direct loading. Wrapping in a module didn’t work either due to some implementation bugs. These were likely regressions because there was an old unit test, but I couldn’t fix all of them. They’ve now been fixed in a pre-release version.
After more digging I found DODownloaderDotNet by Shishir Bhat, which looks like a sample CLI tool in C# for Microsoft IT. It was pretty easy to patch and publish to PowerShell gallery.
Install-Module PSDODownloader
Get-DORequests
Invoke-DORequest -Uri http://dl.delivery.mp.microsoft.com/filestreamingservice/files/52fa8751-747d-479d-8f22-e32730cc0eb1 -OutFile download.exeTODO lookup error messages on https://github.com/microsoft/win32metadata/blob/main/generation/WinSDK/RecompiledIdlHeaders/um/deliveryoptimizationerrors.h
Update-MarkdownHelp .\docs
New-ExternalHelp .\docs -OutputPath . -ForceWindows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization]
"Migrated"=dword:00000001
"RequestInfoType"=dword:00000000
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config]
"KVFileExpirationTime"=hex(b):a6,4d,dc,c8,80,ec,da,01
"Geo_EndpointFullUri"="https://geo.prod.do.dsp.mp.microsoft.com/geo"
"GeoVersion_EndpointFullUri"="https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
"PrivateRegMigrate"=dword:00000001
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings]
"DownloadMode"=dword:00000003
"DownloadModeProvider"=dword:00000008
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Trace]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage]
"UploadMonthlyInternetBytes"=hex(b):75,f9,67,0f,00,00,00,00
"UploadMonthlyLanBytes"=hex(b):95,a7,6a,04,00,00,00,00
"DownloadMonthlyInternetBytes"=hex(b):38,9e,77,0f,00,00,00,00
"DownloadMonthlyLanBytes"=hex(b):00,00,00,00,00,00,00,00
"DownloadMonthlyLinkLocalBytes"=hex(b):00,00,00,00,00,00,00,00
"DownloadMonthlyCdnBytes"=hex(b):43,1f,ef,3b,00,00,00,00
"DownloadMonthlyCacheHostBytes"=hex(b):00,00,00,00,00,00,00,00
"DownloadMonthlyGroupBytes"=hex(b):00,00,00,00,00,00,00,00
"DownloadMonthlyRateFrBps"=hex(b):77,3e,20,00,00,00,00,00
"DownloadMonthlyRateBkBps"=hex(b):60,4d,9e,00,00,00,00,00
"DownloadMonthlyRateFrCnt"=dword:00000002
"DownloadMonthlyRateBkCnt"=dword:00000004
"MonthID"=dword:00000008
"SwarmCount"=dword:00000002
"CacheSizeBytes"=hex(b):38,9e,56,03,00,00,00,00
"PeerInfoCount"=dword:00000000
"CDNConnectionCount"=dword:00000000
"LANConnectionCount"=dword:00000000
"LinkLocalConnectionCount"=dword:00000000
"GroupConnectionCount"=dword:00000000
"InternetConnectionCount"=dword:00000000
"DownlinkBps"=dword:00000000
"DownlinkUsageBps"=dword:00000000
"UplinkBps"=dword:00000000
"UplinkUsageBps"=dword:00000000
"FrDownloadRatePct"=dword:0000005a
"BkDownloadRatePct"=dword:0000002d
"UploadRatePct"=dword:00000064
"MonthlyUploadRestriction"=dword:00000000
"UploadCount"=dword:00000001
"PriorityDownloadCount"=dword:00000000
"PriorityDownloadPendingCount"=dword:00000000
"NormalDownloadCount"=dword:00000000
"NormalDownloadPendingCount"=dword:00000000
"CPUpct"="6.415663"
"MemoryUsageKB"=hex(b):50,15,00,00,00,00,00,00
"UploadMonthlyGroupBytes"=hex(b):00,00,00,00,00,00,00,00
"UploadMonthlyLinkLocalBytes"=hex(b):00,00,00,00,00,00,00,00
"CacheServerConnectionCount"=dword:00000000WSL can send queries but response won’t be routed back, only visible in wireshark
dig @224.0.0.251 -p 5353 _microsoft_mcc._tcp.local PTR +norecurse +noadflag +noedns
https://geo.prod.do.dsp.mp.microsoft.com/geo?doClientVersion=10.1.0.13&profile=768&callId=2910957318
https://kv501.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.1.0.13&countryCode=AU&profile=768&CacheId=7
https://geo.prod.do.dsp.mp.microsoft.com/geo
https://geo.int.do.dsp.mp.microsoft.com/geo
https://geo.dev.do.dsp.mp.microsoft.com/geo
https://kv201.int.do.dsp.mp.microsoft.com/all
https://kv501.prod.do.dsp.mp.microsoft.com/all
Import-Package Vanara.PInvoke.DnsApi
Content ID is “New CCM for file _urzLURQ3ufy6RmLGh3MMnnHuHMV8otyXRTEtq9cTt8=”?
retrieval: CCM discovering for a27b3dc26a92405146358a67d6162fecd0abdf2c
Valid cache sources:
1800c322f char const* const var_150_1 = "DHCP:";
1800c323b char const* const var_148_1 = "Services:";
1800c3247 char const* const var_140_1 = "Sharding:"; CacheHost control plane response, possibly ISP MCC?
1800c3253 char const* const var_138_1 = "DNS-SD:";
Uses Win32 DnsServiceBrowse function, so we can test with Vanara’s unit tests
https://grouper.ieee.org/groups/1722/contributions/2009/Bonjour%20Device%20Discovery.pdf
vscode://file/D:\repos\Vanara\UnitTests\PInvoke\DnsApi\DnsApiTests.cs:159
https://github.com/aatlasis/Pholus
location /filestreamingservice/files/c6b8cf6e-335a-4658-be1b-cae7575dd1ed/pieceshash {
default_type application/json;
return 200 '{"MajorVersion":1,"MinorVersion":0,"HashOfHashes":"example","ContentLength":73473792,"PieceSize":1048576,"Pieces":["YmjR9NM8nlkwrwyd5V8ukvU2tXoqaVLSrZ3NXqRVj7g=","5ohOPKh0s8xV2C8mscOh0/XUngZ4juYMML89ZZrERWE=","+GGb6sTqKmjvuCO0krRZWiPQTY1kU1SUaqagd3jK5DQ=","TPXeo5f/0NjdwJbrR6mZ/KQf1QuC/wwB5wgmHFvoxQs=","mDa/VP2XcuukwdcHDJsFheKtiDooUVI0EacZnczQlRo=","g0D+uxqhyS2SWQbFHDcfCx2m0sN2M2w7kN7Ojz6Hk0I=","gYRJ+/q+295VMI89bK9R1crMLgifS6tEmvDp//u37vM=","vlD6rehwp76yeQqM6AL24WLqDy5kasvWYARfBfCzLMY=","7RHV22P96l3KztUo1xU+G1KajeVLzmXQdbuEu2Z6tpQ=","+zwoTwPpduLgaWgejr4/uoOlj8tUt0RC2j0qDO+N3BM=","cvuKfCTv25puqHS0qujv/DPSAqgKidHgoFa6Ar8+PBo=","Wz92sW54MURr+uHSkuYgcOCWaDhlzNC/bvRNLAyi/fg=","cyjcD53VA1bYPy/MwVt/EFxVyIreykMiMblfs+DscKU=","aM+mxokScgU8d3F82Fzo22F5e0EsN+oSnS0p6Ivnaq0=","OGziKr+5apmsehE7r12XcDSc5koDYsFbmdSMGV7QIPg=","6+mpCrWG+C9B8BlsYnPjrVvzHza7fdIJSF33WE02uns=","8b8WbWQYNBNU3U57dw0tS3B5bQfwPr6HkGX1wIgzpIQ=","PbmMFVezfH0A4TOc4M3fAYgkWEiIWbYCI04aiXir4+U=","5dmlKdMBw+nmdCBP8MXmghElHf+im2psV/zsDAwcFfE=","mvlgTn//kFRjMz+1vZGBUIMJIvlJxPdkH03eLFetJGc=","oxE4JuC9JwFLMMaDcwHvSbgk3rCzCU11tRXVuXe5HfA=","gY2byLZJx+4+iyI/BiKku5ND/NW1ZOSHSqUq4i4aTbQ=","U3+Ah+TRGnBgV7UTM2chvIdsVpsc6kh/JXME7QClCQQ=","lbz8lrfDJwJk4abkVqRDspQPAHJJiNctUIo9sbsRCKE=","Y12oBGGAswlH5qsTXZi6t9b4LQa5oq7M0szEKvRr3Es=","5wZ0XPp+jbMdkLQdp9K9iW69LgD8Lec+hUE0ESYAiFM=","7SUf+HMZTqPmGVaZ3RR2lqYmawPQzzad0IXIFdb0sMo=","jV8PWwZb8TyItX2tz0hRL4ZKEIPrjWAFQxEkCjHiXho=","KIIap8S2Zd7EK2s8TOTdfujTK7J62jLxTtHA6R2umzQ=","1mgRm3lQDM91avEn3p5DbPF9XUO3Gc6CdUNKKyXpwGo=","ttsqFjtJHIhNQz0pmkq16z/dn+ixmMwLQj9AuUk/JZ0=","D0kl8LcBeVfv3CphAH4f4eMnSIpqXi6XoaWmz4UCFJA=","dDPdVDKLeELOxIgtqUF4sq2DfQJJT6ZBm8mjW4QNElo=","7m8MfQzf7SDGOnrnq4/Q8uSusIRGu1WE7seKOyWrDvw=","BG9WmtyOuWus/N0R+vqqyIZ3lPGRI3lu+ieM8USyWzE=","b6xp4J3ZIo7dOMLV3y5Q7Uv8fVrY9s4MBTIhTllWuwI=","BRqU4vlcxdWmXSae/9byx6NAEkHsx3FUjnPIMWKWysg=","3eomRn3yuEetq6zzPuUKdYZtAVB2cOzEAt3zrG59i5w=","cbA956tTOFqtdTVzk1L0LF3OVNR6tkVXs7Yc/ecPeD4=","SWxe0enQFIoIFKZtjM/IkTIG5dHIOULfS0LlYYLBiFk=","JPTkA6qL/+GGcJMl9Q+ohC4FH2Vf6vfcmtflXYb5GwQ=","hZtt1i+HKkVawZz7JPobdbgBjENOql/LlSYulVjJE+0=","r2lp1QUXT287YbIL191+S3VASGVILFSKEQfDskHOTkI=","wWdY3CgjC8PHGdCAws9IpQvP+6zWBEC/ThNNdn2opI8=","ia4iImOcH8zCGkXlwjNZFHbhvPf6mQJRy7CQOTd4bxI=","srpzW+Q8yyIbI3ib/ma6S9wR6DXjLaOMWa9udeCY6+g=","Zw+pSep5cDKSjpT2qbeJ5TZk7Ce7YaoEqFKxm3aah1A=","67kw3MvK8Db6oNUQEqw13ASxRSP5hTO5bmz02ZM1dlQ=","nc+ijVXQoMrIioSXXURSn34CsrvM7lbCOet81sgAjIc=","SiRaZZhJf/3mZgEI8NZvU+V7TmYC3Gx+EvkA7DO21TE=","lDKS3aScvcYrk6h66XDnfbHy9ZEnKR9ZLecPcZr5TpM=","aZwcJ4U6fUnI3ZiW5XU7xturFWBl6v+ofqB4kv4rw8k=","Y5+BoSXA7HPEQscC/zxk4UB7MzeY6KZfis/ITu9u568=","ARGbth2lZW/8ut2kfkFW640bsCkCL7CF2GHkK5a2T/s=","PbI+znebEfB/9snAZOvjkA4mmvV32CTPNa3QBVODmqU=","2AhWLvpuqIOwk5Fy6/eQcEfJHbpf+1e1tpB3L0vTxfY=","Cll3hyelarbr+hfLk79xYnqssAKbN9amMBHjXBv3qEU=","eSyvl8VXOVpumHyEVp2eC0QoNnUVtFpviMb4KOZDT5s=","2evLstu2ADl5x9ffq/XUU2MA+KJyZw42x3yvDqTohJE=","LXZvmZYVW7NpqeWHnZfvs3ru8ClUzGxRzQX7z7T7WRg=","qMFZSZNZfAaawCJG+96AwjkIVepV/OOiI0+XwAQ89og=","3AjfefA5r0U9LjY3f3nOH56wJ72yrwPLfN8jMGwSItE=","JqY46J0OU0opcuQ8jw1ESvSpmot0X5MN++ASU32SJX8=","h28EsMAhvfKYU8p7tJsASWkAJgJr4OT/H0fVA2M5kBU=","WLowcfrfZiKlVslmIhkVRX0DDi/ZLtBGHJRB06HiKqo=","56Ex0ENmE3GU17lFfzBAFlOE1rsn60bP5ESPc9n5omA=","iSUkaa10/K0iWYSAlvroZi1JZVSZZEABctljR+cb3pY=","Lx1L5bSpAYx9BZd5wBhgOyEMvbGNoUTQ7i+3SqEb9q8=","GRfMlAlW0vqTez8lMGcSkiJCC0Wos8urKuE3sR/sftk=","ebc0sYK/0VhkThDtbYgfWygcXiPt3G8V6Ee5Zcz+uvk=","/v8wDGtfMhnOD98823FUqHFauBvizEsfFmpQsbvrdzg="]}';
}
return 200 '{"MajorVersion":1,"MinorVersion":0,"HashOfHashes":"example","ContentLength":34,"PieceSize":1048576,"Pieces":["lwNZmN/ezTZciFrht39kHBSZyfbBHDeqQpS1wosp1DY="]}';
location /filestreamingservice/files/c6b8cf6e-335a-4658-be1b-cae7575dd1ed {
return 206 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE';
}
If mDNS doesn’t respond quickly enough, pieceshash will be served from cloud
28/08/2024 11:37:12 AM 12308 5028 4 Info Redirecting to the following URL: http://google.com/ CHttpAgent::_OnRedirect 1128
28/08/2024 11:37:13 AM 12308 4004 4 Info Redirecting to the following URL: http://www.google.com/ CHttpAgent::_OnRedirect 1128
28/08/2024 11:37:13 AM 12308 23044 4 Info hr: 80d06809, httpCode: 200, errorCount: 0, fileId: 64b11788eb6bc1425010f420fcec34474246e719_TyKInVOD3EqWEUDwvQP8OguE2hJV7bHsEH+y0K0Ag5Q=__1_PHF, sessionId: 8ad60fb8-777b-44aa-8968-f657f3c3b193, url: http://www.google.com/, isHeadRequest: 0, requestOffset: 0, requestSize: 0, responseSize: 20502, serverIp: [2404:6800:4006:80f::2004]:80;, headers: HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Date: Wed, 28 Aug 2024 11:37:09 GMT
Content-Type: text/html; charset=ISO-8859-1
Expires: -1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
Set-Cookie: AEC=AVYB7col-Fwtq76xvMhKNXDdBGEL997IE9sS9d3pn4zR9fxerpfBBHMx8xc; expires=Mon, 24-Feb-2025 11:37:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=517=xrUygJtaax0BXaPl3cUT8iglc1OqRsvRjhBdPHI-YI0tD9SBXBnAQCLITTZiKL-SClTEM7uWHh7kc7eyStVjpPhy638krCvfs5Flz-EtIIN1almoOpPQ3GZxB6KUU7UGNElSC5a3XyDJBKH1MB-3YyijrkShJFczgEblr3DRGAAqSa3lA0Ey1FM1; expires=Thu, 27-Feb-2025 11:37:09 GMT; path=/; domain=.google.com; HttpOnly
… CTelemetryLogger::TraceErrorCdnComm 975
WinHTTP implementation, uses Windows LEDBAT LEDBAT Background Data Transfer for Windows - Microsoft Community Hub
Winsock IOCTLs (Winsock2.h) - Win32 apps | Microsoft Learn
if (code < HTTP_STATUS_REDIRECT_METHOD + 1) {
if (code != HTTP_STATUS_REDIRECT_METHOD) {
if (((((code == HTTP_STATUS_OK) || (code == HTTP_STATUS_OK + 1)) ||
(code == HTTP_STATUS_ACCEPTED)) ||
((code == HTTP_STATUS_PARTIAL || (code == HTTP_STATUS_NO_CONTENT)))) ||
(code == HTTP_STATUS_PARTIAL_CONTENT)) {
return 0;
}
if (((code != HTTP_STATUS_AMBIGUOUS) && (code != HTTP_STATUS_MOVED)) &&
(code != HTTP_STATUS_REDIRECT)) {
return -0x7fe6ffff;
}
}
return -0x7fe6fffd;
}What is IsServicesContentVerificationEnabled and the DO-Timestamp, DO-Content-Sig header?
Undocumented SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMDNS
Purplecon talk
p2pwn: hijacking Microsoft’s global torrent network
instead of “abusing”?
tell us what this talk is about, and why people should come see it. write this in a way that people new to security would appreciate. to appear on the website
Torrenting is only for pirates, right??? Turns out Microsoft’s little-known torrent network has grown to over a billion devices, including game consoles and even IoT. Let’s look under the hood to discover some novel attacks, and discuss practical defense strategies in a cloud-native world.
dox urself and tell us your story
Tom enjoys (bre|m)aking tech of all kinds. He’s currently building automated endpoint management at devicie.com, and has worked to protect devices and clouds across industry, government, and higher ed. He also runs a Kubernetes homelab and a popular CTF.
He’s fond of pastel green and plant-related puns.
talk description, including: an overview, structure, and a description of any tooling, flowcharts, spreadsheets, or mixtapes you plan to release
This is my first CFP, so not sure if this is enough detail - happy to provide more, and I’d love feedback :)
Goal: attendees learn about a little-known Windows/IoT feature, some novel attacks/tools, plus mitigations for it and features like it
Context: what’s a torrent network and why did Microsoft build one? what’s it used for today?
Details: high-level arch diagram - cloud services, peering. links for learning more - protocols like MS-DO/Teredo, recent Linux support (IoT)
Attack 1: why poisoning content during peering is hard, several mitigations like checksums. show a passive mDNS-based AitM instead - track downloads like Windows/Defender updates and determine exploitability of target. also trigger arbitrary GET with HTTP 302, room for future research? and link to remy’s torrent tracker idea using cloud service instead of AitM (https://remyhax.xyz/posts/do-harm/). plus link to ghidra/windbg setup for DoSvc
Attack 2: arbitrary file upload to network via Microsoft Intune - free P2P malware distribution with encryption, firewall allowed, no TLS inspection, disk writes from SYSTEM. even bypasses ZTNA like Zscaler. yay for multi-tenant cloud! release scripts for upload/download
Mitigations: show GPOs, firewall rules, detections. but network security is hard in a cloud world. discuss broader mitigations - mDNS, IPv6 tunnelling, segmentation
free text input
idk if this talk fits the vibe, and it’d be my first public talk too. but regardless I’m keen for the con. thanks for reviewing :)
The problem - moving lots of files. Windows updates etc
Avoided by caching on enterprise networks (SCCM/WSUS). What about consumer?
Windows 10, version 1511 - Delivery Optimization. Peer to peer swarms
Scooby pull mask off meme
Classic msft - proprietary torrenting
Architecture diagram - control plane, assets, clients, Connected Cache (NDA)
Peer-to-peer file distribution, fallback to traditional HTTP hosting
Download flow
- Find region → discover services and config. ratelimits, timeouts, VPN adapter regex - fun recent feature. don’t want to peer over those
- Content policy
- Get metadata from peers - piece hashes
Content
Find files in Windows 11, version 23H2 (22631.4037) amd64 - UUP dump
How’d I come in? troubleshooting printers and mDNS/IPP
Defender logs - weird requests. hold on a second…
but I thought MCC was configured by admin? MCC docs screenshot
nope lol. wireshark screenshot. add to download flow diagram
serve arbitrary content…
- blackhole
dl.delivery.mp.microsoft.comotherwise it might load before cache - pieceshash - failes
fails hash check. that would’ve been too easy.
see what’s downloaded. what does DO download? docs screenshot
snoop on apps/devices/patches. PoC for finding Windows version, Windows downgrade attacks from defcon? IPv6 vuln?
slow loris style? delay download so we can exploit in background
Intune… but it’s encrypted. lob apps too?
wait a minute - earlier we said msft control content. but Intune is arbitrary* data…
DO payloads typically bypass IPS/IDS for performance reasons, and the service will write data to disk
greetz
- remy
- jthvai
- goggan
local network: {
device1: "" {
icon: https://icons.terrastruct.com/azure%2FCompute%20Service%20Color%2FVM%2FVM-windows.svg
}
device2: "" {
icon: https://icons.terrastruct.com/azure%2FCompute%20Service%20Color%2FVM%2FVM-windows.svg
}
device3: "" {
icon: https://icons.terrastruct.com/azure%2FCompute%20Service%20Color%2FVM%2FVM-windows-non-azure.svg
}
device1 -> device3: pieces {style.animated: true}
device2 -> device3: pieces {style.animated: true}
}
cloud: regional services {
KeyValue\nservice/config discovery
Content Policy\n+ PHF URL + HashOfHashes
Discovery\npeer grouping
Arrays\npeer discovery
}
Geo: "region discovery" {
near: center-right
}
# Geo.shape: cloud
Geo -> local network.device3 <-> cloud
CDN: {
# shape: cloud
icon: https://icons.terrastruct.com/azure%2FNetworking%20Service%20Color%2FCDN%20Profiles.svg
}
CDN -> local network.device3: " Pieces Hash File (PHF)\n + pieces" {
style.animated: true
}
# github: {
# icon: https://icons.terrastruct.com/dev/github.svg
# dev
# master: {
# workflows
# }
# dev -> master.workflows: merge trigger
# }
# github.master.workflows -> aws.builders: upload and run
# aws: {
# builders -> s3: upload binaries
# ec2 <- s3: pull binaries
# builders: {
# icon: https://icons.terrastruct.com/aws/Developer%20Tools/AWS-CodeBuild_light-bg.svg
# }
# s3: {
# icon: https://icons.terrastruct.com/aws/Storage/Amazon-S3-Glacier_light-bg.svg
# }
# ec2: {
# icon: https://icons.terrastruct.com/aws/_Group%20Icons/EC2-instance-container_light-bg.svg
# link: layers.ec2
# }
# builders -> builders
# }
# local.code -> aws.ec2: {
# style.opacity: 0.0
# }
# layers: {
# ec2: {...@ec2}
# }
# scenarios: {
# hotfix: {
# title.label: Hotfix deployment
# (local.code -> github.dev)[0].style: {
# stroke: "#ca052b"
# opacity: 0.1
# }
# github: {
# dev: {
# style.opacity: 0.1
# }
# master: {
# workflows: {
# style.opacity: 0.1
# }
# style.opacity: 0.1
# }
# (dev -> master.workflows)[0].style.opacity: 0.1
# style.opacity: 0.1
# style.fill: "#ca052b"
# }
# (github.master.workflows -> aws.builders)[0].style.opacity: 0.1
# (local.code -> aws.ec2)[0]: {
# style.opacity: 1
# style.stroke-dash: 5
# style.stroke: "#167c3c"
# }
# }
# }