
Arron Finnon - DNS Tunnelling: It's all in the name!

BSides London 2014 · 27:33 · 1.7K views · Published 2014-07
Category: Technical
Style: Talk

Transcript (en)

Hi guys, thanks for coming out and seeing me at half nine-ish in the morning. I'm going to speak to you about DNS tunnelling. This is really just a crash course: if you've done DNS tunnelling before you're not going to learn anything super new today, I have to be honest with you, but if you've just heard about it and never really played about with it, this is sort of an introduction. Okay, so as I say, DNS tunnelling does sound a little bit more complicated than it really is. I promise you that you do not need a hard hat or a shovel or a drill or anything like that, but what you do need is an internet-facing shell and control over port 53. However, it's very likely that if you're not doing it in a test environment it's going to be illegal, so behave yourself.

So who am I? It's a question I do ask myself quite regularly. My name is Arron Finnon. I'm currently a student at the University of Abertay Dundee, not sure for how much longer. I've been a security consultant and an independent researcher for a little while, and I'm a media whore, one of those podcaster types; I currently have a show called f beon. I've spoken on a few things over the years. If you want to get hold of me, here's my contact details: you can find me on Twitter at @f1nux, find my podcast at finux.co.uk, and so on and so forth.

So, a quick rough outline of what we're talking about today: some of the history involved, a little bit of a technical overview, a limited snapshot of some of the tools available, maybe we'll have time for a quick chat about some of those sites I've seen, some of those portals and stuff like that I've seen that maybe are a little bit vulnerable, other things that we can do, then countermeasures, and a little bit of Q&A if there's time.

So, without doubt this is very illegal unless it is on your own test network. However, I really hate using Sun Tzu quotes in a security talk, it seems to be a cliché, but I thought it covered it kind of aptly, and it's basically: The Art of War teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. And so I'm sort of meaning: not if a hacker comes but when a hacker comes; this is why I think this stuff is important to learn about. It's for you guys. My intended audience today is hackers, and I don't mean this media blah blah blah of what a hacker is; what I mean is a playful advocate of technology. A very good friend of mine, Pete Wood from First Base, when I interviewed him for P public radio we talked about getting into the industry, and he said to me, you know, part and parcel of what you do is to take things apart; it's in our makeup, most hackers are that way, and that if you hadn't been electrocuted by ten this probably isn't the right move for you. I'm happy to say that I was electrocuted tampering around with things by six, and I can imagine I'm not the only person in this room.

Anyway, moving on. Intro: in September 2000 an article came across the Slashdot website, and basically it was a bunch of German researchers who had come up with a protocol called NSTX, Nameserver Transfer Protocol. However, the concept got a little bit more media coverage when that little-known researcher Dan Kaminsky started talking about it, and he released a set of scripts in 2005, written in Perl, that made DNS tunnelling reasonably easy to establish. The fact of it is that DNS tunnelling enables you to do TCP/IP traffic over the UDP protocol, so it has its own challenges. Although DNS tunnelling can help you obtain free internet and stuff like that, and I would argue that it's not free if you go to jail for it, it's also very effective at hiding things; it's a very good covert channel; it's good for stealing data: if you've got FTP and so on taken away, you can establish an SSH or SCP connection with data and so on and so forth. It also can be used for delivering shellcodes, reverse-connecting back; it's very good at traversing NATs. It's an interesting concept and there are some tools knocking about; I believe in Metasploit there's a tool called dnscat as well that you can use for it.

So in 1987 the domain name protocol came into existence, replacing a few RFCs. About 13 years later these German hackers that I was talking about were able to use a DNS tunnel provided by Microsoft's PPP dial-up update server, and they were able to obtain free internet, basically, and this was because Microsoft allowed DNS lookups. Iodine came into existence after this; it's based on NSTX and it has password authentication. However, I'm going to talk predominantly about the OzymanDNS setup because it's incredibly easy to deploy. So if you're wanting to play around in a test environment and get this thing set up, I always think that it's nice to get your hands on something and be able to get a working result quickly so that you can get a feel for what's going on; that's why I'm going for OzymanDNS. It does have its problems, but it's good.

I'm sure most of you know how the domain name server system and all of this works, but basically we have root servers that handle the .coms and .orgs and all of these sort of things, and these are broken down into other domain name servers that handle maybe the subdomains, so the root will find example.com and a subdomain inbound.example will be handled by a different DNS server. They have a number of records such as an A record and all this sort of stuff, and the hostname can be 255 octets, or 255 bytes. In addition we can send a DNS TXT record, and that can also contain 255 bytes, and it's within these 255 bytes that they were able to encapsulate data and send it back and forward. So theoretically a fake domain name server on the other end will receive encoded requests, decode them and re-encode a response back, and this will be delivered by TXT. It's a very plausible avenue when you look at it this way. This is what you would probably see in one of the zone files if you were doing DNS tunnelling.

So what really happens, where the trick really happens, is that your request will come into a domain name server and it will use a recursive lookup to another domain name server, and it's the second domain name server that can do the decoding. You can use DynDNS and point directly to it as well. There are other settings; I have lots and lots of tutorials, this is kind of like a beginner's guide, so if you are wanting links for some further reading do give us a shout, drop us an email, drop us a tweet; there's about three pages of links at the end. When I set it up, what I tend to use is a DynDNS account; however, they don't allow you to do recursive DNS lookups, to delegate a domain name server, on a free account, you need a premium account for that. However, FreeDNS does allow you to do that. Personally I quite like using a DynDNS account to point home and have the fake DNS server sitting at the DNS, because it's got some very good update scripts, so it makes it very portable: if you move your fake server somewhere else you can run something like ddclient or something like that, and with very little change your setup is up and running.

Now I have to admit I'm a Linux guy, so pretty much everything that I'm talking about today is based on a Linux, Ubuntu-type system. There are guides for doing it on Windows; they are in my further links, so if you are a Windows person give us a shout. In the test environment, if you're running Windows, you could always use a virtual machine. The tools that we have: there's a script in OzymanDNS called nomde.pl, as I said earlier on, and this sits on the server, and you have to have root permission to run it because, as I said earlier on, port 53 is a privileged port. In addition, if you are actually running a DNS server on the shell account that you're wanting to be this fake domain name server for DNS tunnelling, you're going to have to look at iptables or something like that to handle the fact that you've got two services running off the same port, just to get the right things dropped and set up. So as you can see in my example here, what happens is we load up the script, point it to local, and this is the inbound DNS through, and we set the system running and it takes off. Then what we do is on our client we install

some of these tools, like SSH; there are a few packages I'll talk about in a second. Now, how the response comes back is by straight stdout, which is in itself not very helpful, but we can use the ProxyCommand within SSH to run the client script that's in OzymanDNS already, which will receive all of the encoded responses and decode them, and re-encode the upstream data. So our client will be sending in base32 and our server will respond back in base64, which allows upper-case and lower-case ASCII characters and so on and so forth; it just helps transferring the data. So we can see that the response that comes back is pretty much encoded; you'll see an inbound look something similar to this.

So, a quick recap of what we need to set up a little setup in your house. You need to install some packages, as I say based on Debian; you want to install screen, because I have to be honest with you DNS tunnelling can be flaky sometimes, and if you're doing something and you get cut off it's a real pain in the backside; and a couple of extra Perl library files. I have a copy of the script, I have a copy of the setup on my own website, because it can be a little bit difficult to find. However, I did find a version from a gentleman, Andreas Sc, who retook Dan Kaminsky's work maybe two or three years later and kind of cleaned the code up and made it a little bit more stable, so that's the version I have available, and that's just my site, d// DNS, and if you want to go to the site where the guy's original work was, it's just that.

On a client we need to install a couple of these packages, as I say basically some Perl handling DNS and some base32 stuff, and then this would be the type of command that we would run on our client. This is just to set up an SSH connection; there are other things that you can do, the documentation is still a little bit sketchy but you do find guides about it, but as a proof of concept, being able to tunnel SSH is a handy thing to have as well, being able to proxy and so on and so forth. And the interesting thing here is when you're doing your connection through the ProxyCommand on your remote client, you're actually SSHing locally, because your proxy feeds it back. So a standard mistake for new people trying this would be to put the remote address that they're wanting to connect to, but the software has already made the connection, so it's actually a tunnel to localhost. It's strange, but it does make sense in the end.

So, a recap of what I basically want: when you run this command, what will happen is the SSH server will receive the connection by the ProxyCommand stuff that we got through OzymanDNS, and then we do the standard handshake, nice to say that connection is established. As I said earlier on, the sort of speed that you can expect from this connection isn't particularly fast, because as you can imagine, if we can only send 255 bytes in any single request and only receive 255 bytes in any response, even with some encoding we're limited in the speed that you can get, and sometimes you'll see the speed probably not being much more than 10 or 11 kilobits a second, if that. Interestingly enough though, there have been some researchers, I can't remember which university they're from, but they've been able to get up to 110

kilobits a second with this setup, but apparently the noise on the wire from the DNS server is about two or three thousand times average, so I think some anomaly detection might set that off.

So, some of the other tools available: iodine, very established, can be a little bit fiddly to get set up and working, but in the long term, if you wanted to use this sort of stuff regularly, I would probably look at running iodine, and how that works is it works by setting up virtual interfaces so that you can set up almost like a VPN connection. So as you can see, even straight away we've got more power for authentication and so on and so forth, a little bit more stable; however, it requires stuff to be put into the kernel and so on and so forth, so a little bit gone; it certainly wouldn't be where I started. Well, it was where I started, but it certainly wouldn't be my advice. NetCross is a little Java-based program that might be useful in restricted environments; I think it's Windows-based, and with a little bit of playing about you can get these Java apps to speak to each other over DNS tunnelling as well. And obviously the dnscat tool is an absolutely amazing tool; it's basically netcat for DNS, and we can use this, like I say, to tunnel shellcodes and lots of awesome stuff like that.

So, some of the sites that I've seen during, well, not that I've seen, that my friend Bob has seen during his time, we've discussed this: Wetherspoon pubs. It amazes me that we've had this problem for years and years and years and yet we still find Wetherspoon vulnerable, we still find B concerns, we might even find a university of North-East Scotland vulnerable, but I'm sure that would be fixed soon. Someone told me Eastern trains was vulnerable as well, but probably the scariest thing, I've not had a chance to check this out yet but I've heard on the grapevine that T-Mobile on their 3G network allow unfettered DNS requests. That scares me for two reasons. Firstly, that's a throwaway, completely throwaway device when you think about it: you don't have to top up, you just get a 3G SIM card, a 3G dongle, and you are remotely popping about using the 3G network tunnelled through their DNS; you've got no bandwidth requirement; also probably quite hard to trace unless you did something particularly naughty. And to me that's worse than, you know, unsecured wireless networks; you don't have to find something with this setup, you can just plug it into your computer and move to somewhere else, job done, and if you do do something naughty you can pretty much throw the SIM card away and disconnect.

Again, it's very, very easy to test if the environment that you're in is vulnerable: dig and go, one of those two tools will do it for you. If you get a private IP address, you're goosed: it's intercepted and it's dealing with an internal server. So if you use dig and you get a public IP address, you're in with a very good shout. I actually haven't tried ping, but I was thinking about this on the way down: even if the ping doesn't go out, if it does resolve, I have a sneaky feeling that that probably is a key indicator as well.

So, things to remember: an easy test on an environment that you're on, like a captive portal that you might want to log on to; universities use these sort of things, you know, McDonald's and The Cloud network and all this stuff. If you do a dig and you get a public IP address, you and other potential users are in. Apart from being a great covert channel, I mean, how many people in here monitor DNS traffic? Yeah, you know, and why would you? Who ever told you? Where's the vector become so important? That's why I think it's important to talk about data theft as well: you may restrict SSH, FTP, SFTP, you may restrict a whole host of protocols, but if I can tunnel over DNS I can take stuff out of your network. Now, fair enough, it might be a little bit slow, but if I leave something running overnight I could take that sensitive document, not that I would, because I'm a nice guy. And as I say, the scariest thing is the shellcode stuff. I don't know how much you've had to drink or smoke or something like that to come up with the idea that what we should do is deliver shellcodes over DNS; that sounds like two o'clock in the morning walking back from the pub. Security to me, like, it works and it's effective, and it does. There's some proof-of-concept stuff, the links are in my notes, and Metasploit payloads as well; there are some out there, I haven't had time to play around with them too much, so I can't answer that many questions about them. But the most important thing is to talk about countermeasures, which is unusual, because I've done a few talks and normally countermeasures are defence in depth and all of those great buzzwords we tend to use. But really I've got two or three slides on this, and the fact is that there are

some things that we can do. This is a very hard attack to deal with: we want to offer services to our users, but those very services that we give are opening us up to potential attacks. So doing some statistical anomaly detection is a very good key. I mean, a dead giveaway is if you have a three or four thousand times increase in base32-encoded domain names; there's a good chance that someone's up to something, because the whole point of the domain name system is for it to be readable and rememberable, do you know what I mean? So if we're starting to see very strange domain name requests, that's worrying. Also monitor the amount of data that goes over 53, as simply as that; you really shouldn't be getting eight and a half gigs' worth of data over that. One of the biggest problems I've seen with the IDS monitoring DNS is because you get so much stuff we usually filter that out; you just can't monitor it, you can't get an ID on it, because of the number of requests that you...

Yeah, I mean, I think it's a good point. I'm not saying that that's a big indicator, but, you know, when you say, like, you take a university campus, how many Google lookups do they get in a day? You can't just say if a domain name gets X amount of requests, kill it. It may sound a good idea when you speak about it, but the reality of rolling that out is that you're going to have problems. But having a look and saying, wow, we've got 25 times the increase on what we would normally see on 53, maybe someone should have a look at it; I don't think there's a big problem with that, but you're right, it is injecting the potential for more false positives, but it's a weighing up, you know what I mean? Flagging up a long subdomain, point that out as well: no one's going to have a subdomain of sort of 50 characters.

Yeah, as I say, those sort of anomaly lookups are a good stop, but they're not a silver bullet; they're not going to stop it in any way, shape or form; they're just going to give you a ground to have a look and say, right, there may be something going on, I need to investigate, and I suppose that's all we can ask for. I think that's it; I mean, you can't really ask for much more than that. If you are running like a pay-for app, at this point consider having your DNS firewalled and call. I know this sounds stupid, but we don't see it, I haven't seen it very much; many organisations do this HTTP request rewrite game, and that's how they do it, but still allow the resolving of external DNS, so we've got you. So maybe you could use a BIND server locally to route everything to an internal IP address, and then once someone pays let them do external lookups. The other thing, a little bit crazy, maybe deny all TXTs coming in; it shouldn't massively impact the network hugely; in general it's really only incoming mail servers that must need this, and in the environments that we see now we normally see a separation between what's handling mail server lookups and so on and so forth, but that might not be the situation for you, and I fully appreciate that. But that's as far as it goes; you can't really take any more zone files away, because it will have huge problems.

So, in conclusion: I haven't scratched the surface, I just wanted to kind of give you a taster and give you some ideas. If you're not looking at DNS, I did ask how many people are monitoring DNS and you get one hand up; there's a great potential that maybe someone else is or will be owning you. The uses are limited; the 3G connection stuff is massive, I do think so, and as I said earlier on, don't get fooled with this 10, 11 kilobits a

second; I do think we'll see some increases in it before DNSSEC probably wipes this out. So, as I just say, here are some of the links; do please feel free to drop me an email and I'll send them to you. Now, I haven't got much time; I started a little bit late, but I'm trying to keep it to half an hour, so if there are a couple of quick questions I'd be more than welcome to answer them. If I can't, I'll find the answer and email you back.

[Audience question: does DNSSEC... it signs the certificate?] I haven't had a huge chance to play with it, I have to be honest with you. I don't think it massively... if you have a legitimate domain name and you're doing this, then, you know, it's signed; you're not theoretically at the level that you're doing it, you're not actually... it's an implementation vulnerability rather than anything else, it's how it works. So there's certainly further research; I think it's still early days for it, and I have to be honest, I haven't done a huge amount of research into DNSSEC, I was just trying to get up to speed quickly with that, but yeah, I think it will throw some hurdles, but I don't think it will kill it.

[Audience question: so if I identify your server side, what stops me from using it?] Very good point, and that's it in a nutshell: you have to be careful that you don't share your fake domain name server. But you obviously need an account on the box... yeah, exactly, but you still need the shell account, you need the username and the password, but if you know those things... I mean, if you knew my setup and my password there's nothing stopping you, but the same would be for any shell account; it doesn't remove itself, but the service, there is no authentication really apart from your SSH sort of stuff, so you would be able to do some stuff; it's a way into your network as well.

[Audience question: how do you compare these techniques with ICMP tunnelling, for instance?] To be honest with you, the reason, if I'm honest with you, that I looked at DNS stuff was a friend and I talked about it two or three years ago, and I went and did a little bit of research afterwards, and that's why I'm into the DNS stuff and not into the ping tunnelling sort of stuff. But they're in kind of the same part, as far as I understand; I haven't had massive experience with them, but from what I understand it is a tough choice, it is a personal choice. I mean, from my experience, ping gets blocked internally all the time, and I have to be honest, everywhere I've been and played about in corporate networks, ping's blocked. So I think that would probably be one of the big advantages, because people seem to think that ping means that you're allowing an attack on your network, rather than ping being used as a tool, so people do attempt to block it. So I would say, if I'm honest with you, that availability-wise people are not looking at it as much.

[Audience question: are some DNS providers such as OpenDNS protecting against this?] No, it's not their job to protect, as far as I know; it's not their job. OpenDNS is almost a position removed from this situation: you're doing the lookup to your DNS server, your fake DNS server, and your box is doing the lookup, so as far as OpenDNS is concerned... OpenDNS is claiming to be malware-protecting your network, yeah, I mean, this is not a malware attack; it could be used to deliver it, it could be used as a vector, but it's an implementation situation. I mean, they're not in the communication in the middle between client and target; they're not, no; well, they're after the server, it's the server that does the DNS. [Only allow... then you...] Oh yeah, you should have the potential to still get around it. I mean, I can't see the DNS doing statistical anomalies on base32 and base64 encoded requests, but it could be very possible; it's a good idea. I think I'm running out of time, so I would like to thank you very much for bearing with me, and I hope that it's been of interest. If you find me sleeping somewhere, that's because I've had two hours' ki
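The countermeasures the talk lists (anomaly detection on base32-looking names, subdomain labels nobody would type, a flood of distinct subdomains under one zone) as an added defensive example; this is not code from the talk or from any tool it mentions, and the log format, client addresses and domains are constructed for the example.

```python
"""Heuristic detection of DNS-tunnelling traffic in a DNS query log.

Added example, not code from the talk. It encodes the indicators the speaker
lists: labels over 50 characters, labels using only the base32 alphabet, TXT
lookups carrying such labels, and a zone where every query is a fresh subdomain.
Constructed log format: one query per line, "<client> <qname> <qtype>".
"""
import string
from collections import defaultdict

BASE32_ALPHABET = set(string.ascii_lowercase + "234567")
LONG_LABEL = 50           # speaker's figure: no real subdomain label is this long
MIN_ENCODED_LABEL = 20    # shorter labels are too ambiguous to call "encoded"
MIN_BURST = 4             # distinct-subdomain check needs a few queries to mean anything


def looks_base32(label):
    """True when a reasonably long label uses only the base32 alphabet (A-Z, 2-7)."""
    return len(label) >= MIN_ENCODED_LABEL and set(label.lower()) <= BASE32_ALPHABET


def score_query(qname, qtype):
    """Return the reasons a single query looks like tunnelled data (empty = clean)."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    if any(len(label) > LONG_LABEL for label in labels):
        reasons.append("label longer than %d characters" % LONG_LABEL)
    if any(looks_base32(label) for label in labels):
        reasons.append("base32-looking label")
        if qtype.upper() == "TXT":
            reasons.append("TXT query carrying an encoded label")
    return reasons


def zone_of(qname):
    """Registered zone, approximated as the last two labels (real code would
    consult the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyse(log_text):
    """Aggregate per zone; return {zone: {"reasons": [...], "qname_bytes": n}}
    for every zone that trips at least one indicator."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "bytes": 0, "hits": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname, qtype = line.split()
        z = per_zone[zone_of(qname)]
        z["queries"] += 1
        z["names"].add(qname.lower())
        z["bytes"] += len(qname)          # bytes carried out in query names
        if score_query(qname, qtype):
            z["hits"] += 1
    flagged = {}
    for zone, z in per_zone.items():
        reasons = []
        if z["hits"]:
            reasons.append("%d of %d queries carry encoded-looking labels" % (z["hits"], z["queries"]))
        if z["queries"] >= MIN_BURST and len(z["names"]) == z["queries"]:
            reasons.append("every query is a distinct subdomain")
        if reasons:
            flagged[zone] = {"reasons": reasons, "qname_bytes": z["bytes"]}
    return flagged


# Constructed sample: three ordinary lookups, then a tunnel-like burst of TXT
# queries whose leftmost label is base32-encoded upstream data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 cdn-assets-1.example.com A
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net TXT
10.0.0.7 nbswy3dpfqqho33snrscc4tpnzsw45dfojsxizlsebfq.t.example.net TXT
10.0.0.7 onsxe5dpojvqeltsmfzgc3tf6nwxizlsebfgc3tmmuqgs3ykmfzgc3tfmq.t.example.net TXT
10.0.0.7 nfzsayjamfzhg2lhnzswkzdbnrqgc4tsmuqhg33vojrwkidu.t.example.net TXT
"""

if __name__ == "__main__":
    for zone, verdict in analyse(SAMPLE_LOG).items():
        print(zone, verdict)
```

The thresholds are the speaker's rules of thumb, not tuned values; in production they would be set against a baseline of the site's own DNS traffic so that legitimate CDN and mail lookups stay below them.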