OFFENSIVE: Exploiting DNS Server Changes (Black Hat Asia 2014)
DESCRIPTION
Effective exploitation of a change to a computer's DNS server configuration (via router hacking or some other way...)
TRANSCRIPT
OFFENSIVE: Exploiting changes on DNS server configuration
Leonardo Nve Egea
[email protected] @leonardonve
About me
• Security researcher since… (a long time) in SPAIN.
• Pentester, incident investigator & security researcher.
• On the offensive side (more fun).
• I love the protocol level.
INTRODUCTION
What.
Why.
EXPLOITATION (I): NORMAL PROCEDURE
How.
• CSRF/XSS.
• Insufficient authorization.
• SNMP/TFTP.
• Default password + external administration.
• Cracking WiFi passwords + default password.
• Command line DNS change.
• Rogue DSLAM.
• Malware.
What.
Tools.
• Metasploit.
• Dnsmasq.
• BIND server.
Then.
• Invisible proxy.
  – Burp Suite, mitmproxy
• SSLstrip.
• HTML injection.
  – BeEF
  – Exploit kits
• Bouncing to known servers.
  – SSLsplit
• Fake web servers.
  – Defacing.
  – Phishing.
• Sniffing data.
OBSTACLES OF NORMAL EXPLOITATION
Obstacles.
• SSL certificates (Critical).
Obstacles.
• SSL certificate pinning / EMET (Critical).
Obstacles.
• HSTS + preloaded HSTS sites (Non critical).
Obstacles.
• SSH signature failure (Critical).
Obstacles.
• POP3/SMTP banner (Non critical problem).
• FTP banner (This can be critical).
• Limited host interception.
• Limited protocol interception.
Limitations.
• Limited host interception.
• Time needed to study the IP communication patterns.
• Limited cleartext protocol interception.
• HTTPS.
• Accept losing a lot of information.
EXPLOITATION (II): IMPROVE THE ATTACK PROCEDURE
Objectives.
• Discretion.
• Improve data acquisition from time 0.
Improve the attack.
• A DNS feature for high availability and load balancing:
Improve the attack.
Sequence diagram (participants: Victim, Router, Attacker server, Real DNS, Real server). Messages, in order:
• DHCP REQ
• DHCP RESP with fake DNS server
• DNS A request; DNS A request (forwarded to the real DNS)
• DNS response (from the real DNS)
• DNS response = IP attacker server1 + IP attacker server2 + real DNS response, short TTL
• SYN port=xxx
• RST ACK port=xxx
• SYN port=xxx; SYN port=xxx
• SYN ACK port=xxx; SYN ACK port=xxx
• DATA; DATA
Improve the attack.
• On port 80 the attacker can put an invisible proxy.
• The attacker can always reject the SSL ports, because the client will then connect to the real server.
• Data from the other connections is forwarded through the evil server from the first moment.
• And there is a tool.
Tool.
• dns2proxy (still in beta).
• Fully in Python (PyDNS).
• Permits spoofing, direct forwarding and adding IPs to the response.
• Interacts directly with iptables to forward connections.
https://github.com/LeonardoNve/dns2proxy
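The tell-tale sign of the multi-A-record trick above is that the same address accepts the cleartext port but refuses the TLS port, while a later address in the same answer accepts TLS. This added example (not code from the talk or from dns2proxy) runs that detection over constructed resolver answers and TCP handshake outcomes; the data classes, field names and the 60-second "short TTL" threshold are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsAnswer:
    qname: str
    ttl: int
    addrs: tuple  # A records in the order the client tries them

@dataclass(frozen=True)
class TcpEvent:
    qname: str    # hostname the client was connecting to
    addr: str
    port: int
    outcome: str  # "synack" (accepted) or "rst" (refused)

def suspicious_answers(answers, events, short_ttl=60):
    """Map qname -> reasons for answers where one address served TCP/80 but
    refused TCP/443 while another address of the same answer accepted TCP/443."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.qname, e.addr, e.port)].add(e.outcome)
    findings = {}
    for ans in answers:
        def has(addr, port, outcome):
            return outcome in seen[(ans.qname, addr, port)]
        split = [a for a in ans.addrs if has(a, 80, "synack") and has(a, 443, "rst")]
        tls_ok = [a for a in ans.addrs if has(a, 443, "synack")]
        if not (split and tls_ok):
            continue  # a plain down host or a normal multi-A answer is not this pattern
        reasons = [f"{split} served :80 but refused :443; :443 accepted by {tls_ok}"]
        if ans.ttl <= short_ttl:
            reasons.append(f"{len(ans.addrs)} A records with a {ans.ttl}s TTL")
        findings[ans.qname] = reasons
    return findings

# Constructed sample data (not captured traffic): a hijacked resolver answers with
# two attacker-controlled addresses ahead of the real one, with a short TTL.
SAMPLE_ANSWERS = [
    DnsAnswer("www.example.test", 5, ("198.51.100.10", "198.51.100.11", "203.0.113.7")),
    DnsAnswer("mail.example.test", 300, ("203.0.113.25",)),
]
SAMPLE_EVENTS = [
    TcpEvent("www.example.test", "198.51.100.10", 443, "rst"),    # first IP refuses TLS
    TcpEvent("www.example.test", "198.51.100.11", 443, "rst"),    # second IP refuses TLS
    TcpEvent("www.example.test", "203.0.113.7", 443, "synack"),   # real server accepts TLS
    TcpEvent("www.example.test", "198.51.100.10", 80, "synack"),  # first IP proxies HTTP
    TcpEvent("mail.example.test", "203.0.113.25", 443, "synack"),
]
```

Only www.example.test is flagged: a host that is simply down, or a normal round-robin answer, never shows the per-port split on one address paired with a TLS accept on another.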
Improve the attack.
DEMO (or video if demo effect ;)
Previous limitations.
• Limited host interception.
• Time needed to study the IP communication patterns.
• Limited cleartext protocol interception.
• HTTPS.
• Accept losing a lot of information.
SSLStrip vs HSTS.
Common SSLStrip usage
Obstacles.
• HSTS + preloaded HSTS sites (Non critical).
SSLStrip+ to defeat HSTS.
• Strict Transport Security is based on domain names, whether predefined (preloaded) or not.
• Change HTTPS to HTTP.
• Also change the domain names the client connects to, based on predefined rules.
• The DNS server can resolve names based on these same predefined rules.
• HSTS.
https://github.com/LeonardoNve/sslstrip2.git
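Because the rewrite above sends the browser to a hostname for which it holds no HSTS entry, the header-side defences are a long max-age, includeSubDomains and preload. This added example (not code from the talk or from the sslstrip2 project) parses a Strict-Transport-Security header and lists what it leaves open, with a constructed weak header beside a hardened one; the one-year threshold is the assumption the example uses for preload eligibility.

```python
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age preload lists have required

def parse_hsts(header):
    """Parse a Strict-Transport-Security header into {directive: value}.
    Directive names are case-insensitive; a repeated directive makes the header invalid."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = value.strip().strip('"')
    return directives

def hsts_weaknesses(header):
    """Return the reasons a header leaves room for a hostname rewrite or a
    first-visit downgrade; an empty list means no weakness was found."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        problems.append("max-age missing or not an integer: browsers ignore the policy")
    elif int(age) < ONE_YEAR:
        problems.append(f"max-age {int(age)}s is below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: a rewritten subdomain is not covered")
    if "preload" not in d:
        problems.append("preload missing: the first visit is unprotected")
    return problems

# Constructed examples: a weak header beside a hardened one.
WEAK_HSTS = "max-age=600"
HARDENED_HSTS = "max-age=63072000; includeSubDomains; preload"
```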
DEMO (or video if demo effect…)
SSL in general
• You must take advantage of other factors/vulnerabilities.
More possibilities.
• Downgrade attacks.
• JavaScript infections.
• For decoding ciphered protocols, go there:
http://media.blackhat.com/bh-us-12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf
UDP?
• With UDP the application has control over the communication, not the OS.
• If the application resends a lost UDP packet, we have it! If not…
• dns2proxy is a PoC and only controls TCP, but it is really easy to extend it to UDP too.
Other scenario.
Conclusions.
• Improve DNS server configuration hijacks with two tools.
• Much more information captured than with typical attacks.
• Old protocols – Old security.
• New protocols + Old protocols – Old security+
• Solutions… DNSSEC.
THANKS.
Ramon Pinuaga
Jose Selvi
Abel Gomez
Olga Solera
Floren Molina
Farid Fadaie
Eugenio Delfa
Moxie Marlinspike
Miguel Hernandez
Hannibal Ngu
Maia Nve
dnspython.org crew
The man who first thought "Let's put a default password. Then they can change it."