First-year Mines student brute-forced campus DNS subdomains in Rust, then port-scanned the LAN to find 36 unprotected cameras and most campus projectors wide open.
Key Takeaways
DNS PTR records mapped IPs back to hostnames across the entire campus /16, giving a full device inventory without zone transfer access.
Rust using AF_XDP sockets to bypass the kernel network stack hit ~300k ports/second on one core; a Python async baseline was orders of magnitude slower.
A Tokio async stack memory leak ballooned to hundreds of GB of RAM until writer handles were batched rather than accumulated indefinitely.
Aggressive DNS brute-forcing caused a ~15-minute campus-wide outage when the DNS server broke under load; IT traced it because the student talked openly about it.
36 PTZ cameras and nearly every campus projector were accessible via default-credentialed APIs, reverse-engineered from the web interface; Palo Alto DPI blocked RTSP/RTMP streams but not HTTP control APIs.
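The PTR enumeration and the DNS overload described above both leave a trace in resolver query logs. The following is an added example, not code from the student's project: a defender-side check that flags clients requesting many distinct reverse names in a short window. The log format, the 10.20.0.0/16 range, the threshold and all function names are assumptions.

```rust
use std::collections::{HashMap, HashSet};

/// Clients that requested more than `threshold` distinct PTR names under `zone`
/// inside one fixed `window`-second bucket, with their peak distinct-name count.
/// Assumed log format (not from the page): "<epoch_secs> <client_ip> <qtype> <qname>".
fn ptr_sweepers(log: &str, zone: &str, window: u64, threshold: usize) -> Vec<(String, usize)> {
    let suffix = format!(".{}", zone); // leading dot: 120.10.in-addr.arpa must not match 20.10
    let mut seen: HashMap<(String, u64), HashSet<String>> = HashMap::new();
    for line in log.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 4 || !f[2].eq_ignore_ascii_case("PTR") {
            continue;
        }
        let ts = match f[0].parse::<u64>() {
            Ok(t) => t,
            Err(_) => continue, // skip malformed lines instead of aborting
        };
        let name = f[3].trim_end_matches('.').to_ascii_lowercase();
        if name.ends_with(suffix.as_str()) {
            seen.entry((f[1].to_string(), ts / window.max(1))).or_default().insert(name);
        }
    }
    // Distinct names, not query volume, is the signal: a busy mail server repeats few names.
    let mut peak: HashMap<String, usize> = HashMap::new();
    for ((client, _bucket), names) in seen {
        let p = peak.entry(client).or_insert(0);
        *p = (*p).max(names.len());
    }
    let mut out: Vec<(String, usize)> = peak.into_iter().filter(|(_, n)| *n > threshold).collect();
    out.sort();
    out
}

/// Constructed sample: one host walking 200 addresses in ten seconds, and a
/// mail server issuing 150 lookups for the same three names.
fn constructed_log() -> String {
    let mut log = String::new();
    for i in 0..200u64 {
        log += &format!("{} 10.20.5.77 PTR {}.7.20.10.in-addr.arpa.\n", 1000 + i / 20, i);
    }
    for i in 0..150u64 {
        log += &format!("{} 10.20.1.10 PTR {}.1.20.10.in-addr.arpa.\n", 1000 + i % 10, i % 3);
    }
    log
}

fn main() {
    for (client, n) in ptr_sweepers(&constructed_log(), "20.10.in-addr.arpa", 60, 50) {
        println!("possible PTR sweep: {} asked for {} distinct names in one window", client, n);
    }
}
```

Fixed buckets are a simplification: a sweep that straddles a bucket boundary is split in two, so a sliding window or a lower threshold is the safer production choice.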