Emoji usage in your domain

Joe McCormack
Nov 9, 2017 · 3 min read

This morning, recrudesce mentioned that it might be possible to name a file with an emoji character. Since then, we’ve all had a bit of fun and taken off with the idea. Below is some of the use cases for how you could utilize emoji in your environment.

Files

Files can be named using emoji. This was the first discovery, and the quickest.

Image for post
Image for post
Image for post
Image for post
Image for post

User Accounts

Recrudesce then tried a local account, and posted their success as well.

Image for post
https://twitter.com/recrudesce/status/928655243595874306

The lunacy had to be bridged to other people to find out if this worked within a domain. Since I had a test lab domain up and running, I decided to give it a shot.

Image for post
Image for post
Image for post
Domain Admin!

Passwords

The account in question was also configured with complexity requirements for the password, so of course we had to try that out. The account requirements for the BMULLEY\🍌account were the standard Windows policy. Naturally, I had to attempt including some 🍌 in my password.

The interesting piece of all of this was that the 🍌 emoji didn’t appear to count toward any complexity requirements. “🍌banana1” was not a valid password, even though it contained an emoji, lowercase letters, and a number. Similar results for “🍌Banana”. Interestingly, when a 🍌 is pasted into a password field, TWO dots show up. I’m uncertain the implication of that at this time. The banana does appear to count toward length requirements though, as “🍌🍌🍌🍌🍌!Aa” is a perfectly valid password according to my current AD policies.

The largest challenge of utilizing emoji in your password is how to input the character without utilizing copy and paste. If anyone can give me specific instructions on how to input a banana using an alt code or anything (specific to Windows 10) then hit up the comments.

Bloodhound

Since the topic came up in the context of the tool Bloodhound, of course I needed to attempt this. Since I already had a domain administrator, all I needed to do was run the ingestor and see what it threw in the Bloodhound UI.

Image for post

Success! Now the only challenge, is where do we go from here? Filenames, service names, account names, “uncrackable” passwords, it’s even been suggested to name the entire domain something with an emoji in it.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store