
DNS attacks, past, present, and future

BSidesSF 2017 · 15:35 · Published 2017-03
Speaker: Nick McKenna
Category: Technical
Style: Talk
About this talk
Nick McKenna - DNS attacks, a history and overview. An outline of the often-overlooked applications of DNS attacks, both hypothetical and as they appear in the wild, and how they can be used during pentests.
Transcript [en]

Without further ado, Nick McKenna.

All right, thank you, thank you for having me. All right, so as I said, I'm going to be talking about DNS attacks, past, present, and future. So who am I? I'm Nick McKenna. I break things. I'm a student. I'm here to talk about some things I've broken. If you want to email me, you can. I'm talking about a tool that I created; it'll be on that GitHub, there'll be a link at the end.

All right, so rogue DNS, and that's kind of where this all starts. So rogue DNS, I'm sure many of you know it, but if you don't, it is where you intercept the DNS request and reply with malicious responses. So you try to go to Google, it responds with some other IP. So why it's awesome, excuse me, why it's awesome for an attacker: primarily it's very quiet, and the main reason why it's the best type of interception attack is because it's low data. So whereas with most types of data interception you'd have to handle all of the data, which, if you have lots and lots of clients, would mean you'd need lots of infrastructure, lots of bandwidth. The nice thing about DNS is it's low bandwidth: you just have to intercept a couple of bytes and then send back a couple of bytes, so it's very easy. The alternatives are very loud, very data-intensive. So that's why DNS is pretty great, and that's what kind of caught my eye.

So the past and the present. I'm going to be talking about two botnets that did rogue DNS attacks. So the first one, DNSChanger, infected I believe four million people. It did this by just using registry calls to change the DNS server of a client, so kind of rather low-tech, not very interesting. What they did to monetize it was they replaced ads, so they basically ran their own ad network that worked by intercepting other ad networks. Whoops. Then SOHO, and this is what really got me interested in this and what I find the most interesting. So how it would work is it would do CSRF against your router. So it would just try 10.0.0.1 and so on; it would just try lots and lots of default passwords. And it was a little bit more malicious: instead of doing ads, it would do phishing on bank accounts, like bank pages. It spread via malvertising, so you'd have a piece of JavaScript that just sends lots of iframes, or no, this sends lots of requests, and it would also sometimes have iframes pretend to be Google Analytics. So this is how it basically worked: it spread via CSRF in ads, just lots and lots of iframes, or just JavaScript loops that would try default passwords and IPs. It would then become your DNS server via DHCP. So your router is your router's DNS server, so via DHCP it would become your DNS server. Then it would redirect, and then of course step five, profit. So you might not be able to see this very well, but it pretends to be Google Analytics, just a lot of iframes, and then it would also set a secondary DNS server, so I guess they're not being that mean. This is the JavaScript version, that is, it would just try a bunch of different requests.

OK, so the process is: firmware hacking. So this is kind of getting into the future, but also some stuff that we've seen before. So in attacks like Mirai, it is kind of exploiting either vulnerabilities in the firmware or just bad passwords. So how this would typically work: you would decompile the firmware, you would look for vulnerabilities, and then you would write an exploit, you would find a way to fingerprint this, and then scan. So yeah. So for propagation part two, and this would involve backdooring firmware. I've seen this attack in the wild, or at least heard of it, but not very frequently, but I think that it will over time become much more popular. So it's where people use either authentication bypass exploits or other exploits to get into a router's web interface and then use that to flash the firmware, and from there you can put whatever you want in the firmware.

So what do you do after that? What is an attacker to do after they become clients' DNS provider? And this is kind of where I started getting creative and thinking about cool things you could do. But first, kind of a backtrack. So when you think about security and what it means to look at security, you're really looking at, largely, the difference between how you want a technology to work and how it actually works. And for people like this, man-in-the-middle attacks are seen as something very leet, very hard to do, and something done by, say, nation-states. But that's not really true, and in looking at how lots of different sites and applications are built, I found that most people aren't really thinking of man-in-the-middle attacks as something that is done commonly or something that's feasible. So for that reason I built something called DNS SSL strip, and what it is is a simple implementation of SSL strip using DNS. So it's two parts: it's a DNS server, and then it's a web service. So the DNS server is dnsmasq, just so it's very easy to set up, it's very easy to add manual exceptions, so it's very quick, very easy to install; that's why I used it. The web server I wrote in Flask, the main reason being it's not PHP, and it's good for doing low-level stuff, and you can have a function that is just: when we receive this page, we do this with it.

So how it works; I'll get to the demo in a minute, I'll show the demo in a second. But what it does is it takes the headers. So you send a request to the DNS server, it will respond with the IP of the web server, and then the web server will receive it, it will take the Host header, and then it will find its actual IP and send a legitimate request to it. So even if it's an SSL site and it uses HSTS, it will still work against it if you can somehow get them to send an HTTP request to that domain. So here's a demo of that. I'm doing it against Wells Fargo, but, uh, surprisingly it works against every major American bank, or I guess unsurprisingly.

And it's a little bit hacky in this, so I couldn't get, or at the time I did the demo I broke SSL concurrency, so instead of creating a new SSL session I just send it to an HTTP site and then intercept it and then redirect to the SSL site, where they would log in again. But when it actually works, it does do SSL interception, so it will create an SSL session with the host and just relay it back to the client over HTTP. OK, so right here it goes to wellsfargo.com. Up top is the Flask server, at the bottom is the DNS server. So you saw when I went there, it sent the DNS request. Right here I'm logging in, and then you'll see just the POST request here. So typically what would end up happening is DNS SSL strip would forward that to Wells Fargo in an SSL session, so you're sending it to the HSTS-backed login page, and then it would create an SSL session with it and return the response. But there we go, we took the password from it, "my password one". So that's kind of the gist of it, and it does work against, as I said, every major American US bank. So that's fun.

All right, so what's happening here? I kind of explained it some, but here's some diagrams. So the client sends a request to the DNS server, the DNS server sends their response, and the response will be the IP of our Flask server. So then we send a request to the Flask server, and the Flask server, and this is the SSL strip aspect of it, will send it back and replace everything that's HTTPS with just HTTP. So then you're sending more and more HTTP requests that it can intercept. OK, so then the second part of it is intercepting SSL and having your own session so you can play it back. So what we do here, whoops, sorry, in doing this website, OK, so what we're doing here is we are sending the request to the Wells Fargo login page, which forces SSL, it's HSTS, although it doesn't implement it very well. So after we go to the home page, it responds and it'll say go to https:// their login page. So at that point we can intercept it. Then the Flask server asks the actual Wells Fargo server, hey, where am I going with this? And then Wells Fargo replies back with the HTML body in its own SSL session, then it feeds that to the victim over HTTP, so we can continue messing with their traffic, and you can do that indefinitely.

So pen test, also known as the future. The reason I'm saying pen tests, not the future, is because I guess this isn't supposed to be me giving criminals ideas. So pen tests: what you can do with these types of attacks, or at least what I found interesting that you can do with them. So infecting boxes. And I have another demo, but I didn't have time to include it in this, which is exploiting a vulnerability in apt, where I had a VLAN of like ten boxes running semi-modern, pretty modern versions of Debian, and then I used a recent exploit in apt, how it signs packages, where you could just intercept a request to, say, the Debian update server and then say this needs to be patched, here's where you get the patch, and then it would include malware in it and it would exploit the signing vulnerability. So you'd infect one router, and then from that you'd infect everything that gets its DNS from that. So you could conceivably use that in a setting like a data center, and I think that would be very interesting to see; if you do that in a pen test, let me know. So full control of all their traffic if you install an SSL cert on their box. So from there you could do a search, you can do SSL signing on the fly, kind of like your own DIY deep packet inspection, and that's if you have an SSL cert on their box; you can kind of defeat this with cert pinning, but not quite. Stealing passwords, kind of like I showed recently; it's pretty good at stealing passwords, even if the login page, even if where the passwords are being sent is SSL and HSTS, or TLS rather, you can still intercept it if where they're getting the form from is not. So masking the command and control servers, I'm not going to talk about that much, but that is something one could do, because you can just communicate data over DNS, and if it's your own DNS server you can just retrieve the responses. So as I mentioned earlier about using DNS, using apt, your work in context would be that you got into a router somehow and you want to get RCE, and I kind of explained it earlier.

So the cat and mouse of this, so kind of what the attackers can do and what the defenders could do. So if you're starting with the attackers having an external DNS server, this is rather easy to block: you can just say hey, only use these external DNS servers, and lots of places will do that. However, they will not do that with internal DNS servers. So where the attacker could go from there is, if they're already in a router, they could probably flash some firmware that would have its own DNS server running on it that they could do the attack from. And then the blue team from there could conceivably do just monitoring of DNS, like that, so monitor local DNS or whitelisting DNS. And then I'm sure that there are lots of red team people that have much better, much more clever ideas than I do. So some fixes: as I said, blackhole external DNS, whitelisting your DNS, monitoring DNS. And then the next two are kind of ideas that I've been thinking of, and I haven't seen them implemented anywhere, but I think that they would successfully fix this, and I think it'd also be useful for antivirus and browsers to implement something like this. So if you have a bad DNS server and you're sending requests to it and it's sending bad responses, you could look at it, cross-reference a bunch of other DNS servers, and then if none of them give you the same response you can probably tell that something's out there and you could investigate that. So I'm working on making an open DD-WRT mod that does that, so if you have a bad DNS server, either being used by a client or by your router, it can look at these and then it can say hey, this is bad, this is good, etc. So SSL everywhere and always. So as I said earlier, you can only really be attacked, at least using HTTP, if you don't use SSL at some point. So if you use SSL always, on all your requests, this kind of fixes that. So there are plugins like SSL Everywhere that would be useful for things like this. So proxying: lots of companies, they will proxy all the traffic out, and from there you can sort through it and look at the DNS requests, and you can do something like the cross-referencing I was talking about. So then DNS SSL strip, if you want to see more about it or see the code, you can go there; if you have any questions, you can email me there. And that is it, thank you.

[Applause]

Thank you very much. Oh, before you go, thank you, thank you from BSides and Fitbit, and thank you from Nick. Thanks very much. We will have another short break and I will let you know when the next speaker is up momentarily.
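The cross-referencing defence the speaker sketches at the end (compare what the DHCP-supplied resolver says against several independent resolvers, and treat a name as rogue when none of them agrees) is easy to prototype. The script below is an added example written for this page; it is not code from the talk or from the DNS SSL strip tool. It does no network I/O: the resolver labels ("local", "ref_a", ...), the LAN-suffix list, and every answer in SAMPLE_ANSWERS are constructed inputs using documentation address ranges. Beyond the talk's "nobody agrees" rule it adds one practitioner check the talk does not mention: a public name that resolves to an RFC 1918, loopback or link-local address is flagged on its own, since that is exactly what a router pointing clients at an attacker's web server on the LAN looks like.

```python
"""Cross-resolver sanity check for DNS answers (added example, offline).

For each name, the answer from the locally configured resolver ("local",
i.e. whatever DHCP handed out) is compared with answers obtained directly
from independent resolvers ("ref_*").  All data below is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

LOCAL = "local"  # label of the DHCP-supplied resolver (assumed naming)
# Suffixes assumed to be legitimately LAN-only, so private answers are expected.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".home.arpa")
# Explicit LAN ranges.  Not ipaddress.is_private, which also matches the
# documentation ranges used in the sample data.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed sample answers: name -> resolver label -> A/AAAA answers.
SAMPLE_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    # Rogue router: clients are sent to a LAN host, everyone else sees the real site.
    "bank.example": {"local": ["192.168.1.1"], "ref_a": ["203.0.113.20"],
                     "ref_b": ["203.0.113.20", "203.0.113.21"], "ref_c": ["203.0.113.21"]},
    # Benign geo-DNS: references disagree with each other, but one overlaps local.
    "cdn.example": {"local": ["198.51.100.5"], "ref_a": ["198.51.100.5", "198.51.100.6"],
                    "ref_b": ["192.0.2.40"], "ref_c": ["192.0.2.41"]},
    # Rogue answer with a public address nobody else returns.
    "shop.example": {"local": ["192.0.2.99"], "ref_a": ["203.0.113.50"],
                     "ref_b": ["203.0.113.50"], "ref_c": ["203.0.113.50"]},
    # Local resolver withholds an answer that everyone else has (sinkholing).
    "news.example": {"local": [], "ref_a": ["203.0.113.70"],
                     "ref_b": ["203.0.113.70"], "ref_c": ["203.0.113.70"]},
    # LAN-only name: a private answer from local and nothing elsewhere is normal.
    "printer.lan": {"local": ["192.168.1.50"], "ref_a": [], "ref_b": [], "ref_c": []},
}


def to_addrs(raw: Iterable[str]) -> Set:
    """Parse answer strings into address objects; skip non-literals (e.g. CNAME targets)."""
    out = set()
    for r in raw:
        try:
            out.add(ipaddress.ip_address(r))
        except ValueError:
            continue
    return out


def is_lan_addr(addr) -> bool:
    """True for RFC 1918, loopback and link-local addresses (v4 or v6)."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in LAN_NETS)


def is_internal_name(name: str) -> bool:
    return name.rstrip(".").lower().endswith(INTERNAL_SUFFIXES)


def check_name(name: str, answers: Dict[str, List[str]], local: str = LOCAL) -> Tuple[str, list]:
    """Classify one name.  Verdicts:
    ok          an independent resolver overlaps the local answer, or nobody has one
    lan_answer  public name resolved to a LAN address (router-on-the-path signature)
    sinkholed   local returned nothing while independent resolvers resolved the name
    mismatch    local returned addresses no independent resolver returned
    """
    local_set = to_addrs(answers.get(local, []))
    refs = {k: to_addrs(v) for k, v in answers.items() if k != local}

    if not is_internal_name(name):
        lan = sorted(str(a) for a in local_set if is_lan_addr(a))
        if lan:
            return "lan_answer", lan

    agreeing = [k for k, s in refs.items() if s & local_set]  # the talk's rule
    if agreeing:
        return "ok", agreeing
    if not any(refs.values()):
        if is_internal_name(name) or not local_set:
            return "ok", []  # LAN-only name, or nobody resolves it at all
        return "mismatch", sorted(str(a) for a in local_set)
    if not local_set:
        return "sinkholed", sorted(k for k, s in refs.items() if s)
    return "mismatch", sorted(str(a) for a in local_set)


def check_all(samples: Dict[str, Dict[str, List[str]]], local: str = LOCAL) -> Dict[str, str]:
    """Verdict per name, for a dashboard or alerting rule."""
    return {name: check_name(name, ans, local)[0] for name, ans in samples.items()}


if __name__ == "__main__":
    for name, ans in SAMPLE_ANSWERS.items():
        verdict, detail = check_name(name, ans)
        print(f"{name:16} {verdict:11} {detail}")
```

Two caveats when running this for real. The reference lookups must go straight to the independent resolvers (their own IPs, ideally over DoT/DoH), not through the router's resolver, or the same box that forged the local answer can forge the reference answers too. And a rogue resolver can forward everything faithfully except the handful of names it cares about, so the check has to be run on the names that matter (bank logins, package mirrors, the domains a phishing kit would target), not on a random sample; on a pentest the same comparison is the quickest confirmation that a DNS redirection has actually taken effect for the target names.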