One of our latest escape methods is the capability send Domain Name System (DNS) queries via a broadcast ethernet packet. We call this the Broadcast DNS escape. Our hypothesis was that DNS server or cache could pick those up from the network and happily redirect it to another network.And our hypothesis has been proven right. We present you two stories of Broadcast DNS finding real issues in real networks.Active Directory, Hidden ServerOur client updated Beacons on their site to the latest versio...