
I've been looking at a whole bunch of DNS RFCs, learned some pretty interesting things, and I wanted to share them with you. Given the name of this talk, I'm sure some spooks have snuck in just to make sure that I'm not leaking any military secrets. Good.

All righty. Hi everyone, I'm Harrison, I'm a senior security consultant at CyberCX within the adversary simulation team. If you ask people about me they'll say one of three things: firstly, who the hell is that guy; secondly, he doesn't shut up about the DNS stuff; and thirdly, graphic design is his passion.

DNS, the Domain Name System. Don't let its simplicity fool you, because there's a lot that goes into it. As you all know, good talks come in three parts; this one will be coming in four. So we've got the history and current context of DNS in today's world, we're going to spoof federal government email, then we're going to steal some of their data, we're going to have a look at DNSSEC and how it's potentially worse than having nothing at all, and then we're going to look at the future of DNS and what's to come.

So before we do all that we need some context on DNS, starting with its history. DNS was created in 1983 by a guy called Getty Images. It was intended for people to remember internet hosts by a human-memorable name rather than its IP address, so instead of remembering that (that's not a valid IP, by the way) you can just remember the host name. But DNS is by no means new: older protocols had name resolution baked in, like NBT-NS and LLMNR, and then, and then... thank you, Microsoft, for your naming conventions, as always. But 99% of the time that you'll be using DNS you'll be translating a hostname into an IP address, and this was certainly the authors' intention, but it's since been expanded to doing stuff like storing TXT records for proving domain ownership, or MX records for doing email routing, or DNSKEY records for signing DNS. But there's also a fault-tolerant, globally distributed, web-scale, low-latency database for storing jokes. Now this is a DNS inside joke. I love inside jokes; I hope to be a part of one one day.

I also wanted to see what my personal Windows PC uses DNS for, so I popped open Wireshark, and Microsoft must be doing updates over DNS now, because I saw a whole bunch of requests to this thing. Also my computer's been really slow recently, I don't know why. Anywho.

Now DNS uses this whole recursive process for figuring out where to get your record from, but in doing so you're trusting every single hop along the way. But you don't need to: you only need to trust the root zone, the "." zone, and work your way backwards. You can ask it about .com, and then the .com servers will be able to tell you about, say, your server example.com, etc. You work your way down, but you can only ask the root zone about .com, .net and all those TLDs we've come to know and love. So if you're asking about the .healthcare TLD, for instance, it'll tell you to piss off and ask some servers in the US, which is funny, because if they can't be the authoritative provider of healthcare in practice, at least they can be the authoritative provider of healthcare in DNS.

Now enough of this sentimental stuff, this is a security conference after all, so let's talk about the CIA triad. Is it available? Yes, DNS in and of itself is pretty good. Can it be used to affect other systems' availability? Absolutely; you may have heard of DNS amplification attacks, sorry, DDoS DNS amplification attacks, man that was a struggle. Is it confidential? No, it's unencrypted on the wire, anyone can sniff it. Is it integrity... integral? Is that a word? Sure. No, again it's plaintext on the wire, anyone can tamper with it, which is a concern because DNS is the root for identity on the internet. Every single online account you've ever made has been based on an email or a mobile number. Email, surprise, is routed through DNS. Mobile numbers are a little bit more nuanced: the web server that you're creating the account on is going to be talking to some APIs, to an SMS gateway, which again is rooted in DNS.

Now your enterprise or your web app can have security tools up the wazoo, but your users are only as secure as the bridge they use to travel to your zone. So me as an adversary, I can print a five-cent piece of paper and take users over to my very trustworthy, very secure island. I may not even need to hijack the bridge; I can hijack the island by waiting for your domain to expire and buying it up, or I can socially engineer your registrar into transferring your DNS zone over to me,
which is why locking your domain is so important. Now this is a big problem, because people are trusting DNS with their medical records, their payment information. Put it this way: you can be typing your credit card information into ebay.com with a valid URL and a valid certificate and a padlock that's as green as the avocado my Victorian colleagues gluttonously slather on their toast every morning. It doesn't matter, because if I own DNS, I own your life. I own your credit card data, I own your online identity, and I own your health records.

Now, that's great, Harrison, but how often does DNS interception really happen? Well, every time you connect to free Wi-Fi, DNS is hijacked to redirect you to the login page. And I think that's an instance of someone manually setting their DNS recursive resolver only for their ISP to hijack it, so who knows what the government is doing and making ISPs do in tracking your DNS connections.

You ever seen this thing? Just so that we're all on the same page, that's the sun. I know, in about July of this year I forgot it existed after months and months of torrential rain. Thanks, Sydney. Do you know rockets, like space rockets? They often have multiple redundant computers, and that's not because they're running Windows and there's going to be an update that you can't stop when it comes time for landing, but because of cosmic radiation from the universe. They can flip bits in binary from a zero to a one or a one to a zero. So here's windows.com in RAM, right? Solar cosmic radiation from the sun hits it, and "windows" is now not quite "windows". So kind of just buy all the off-by-one-bit domains and let the sun do its magic so that I can collect Microsoft credentials. Well, of course, there's nothing new under the sun, and a researcher already gave that a go, and they got traffic like this, where Windows was doing its time clock update to a Microsoft service. But can we take a couple of minutes, a couple of seconds, to appreciate the magic of this: cosmic radiation from the universe has hit RAM in the precise memory location for a bit to be flipped to hit this adversarial domain, just at the right time that this request is being made. Now this is an NTP request, but imagine it's more of a Windows Microsoft account; you could probably catch credentials using that.

So to recap, the IT security industry has done a really good job of securing user endpoints with EDR, OS hardening, etc. On the other end we've done a really good job of securing enterprises and web applications with web application firewalls and SIEMs and everything, and then we rely on DNS, which is just a rickety bridge connecting the two, which has trolls underneath it listening to
traffic and diverting traffic and tampering with it, and on top of all that you've got the hostility of the universe. And I hope that paints a picture as to the criticality of DNS and how vital it is to the internet and its security.

So let's look at that a little bit more with spoofing government emails. Now there's three email security measures that sit in DNS, and they work hand in hand to prevent email spoofing. The first is SPF, and no, I'm not talking about sunscreen. SPF dictates what IP addresses for a given domain can send email. So here Cloudflare has dictated that these IP addresses are allowed to send email on its behalf, so if Gmail or Outlook gets an email from Cloudflare it'll look up these records and cross-reference. If it matches, it's likely come from a trusted source and it's sent to the inbox; if it doesn't match, it's likely been spoofed and it's sent to spam. The other thing with SPF is you can't just look at the root record, it's actually recursive, so yes, there are those IP addresses, but there are also IP addresses for, say, salesforce.com. So I wrote a tool which recursively unpacks SPF records; so here Cloudflare's, instead of just the root record, looks like all of this. If we have a look at Gmail's SPF record it looks like this, and if we have a look at Hotmail it looks like this. I'm sorry.

DKIM brings public key cryptography to email. So much like on a legal document you'll have someone writing a signature at the bottom to authenticate it, DKIM is the same principle, just in a manner that's unforgeable with public key cryptography. Now there's three parts to DKIM: there is the private key that sits on the email server, there is the public key sitting in DNS, and there is the signature in the SMTP headers of the email. So if data is tampered with in the email, the signature is no longer going to match based on the public key, and you can tell that it's been tampered with and it's discarded. But if the signature matches, it's likely been delivered safely and it's sent to users' inboxes.

The problem with SPF and DKIM so far is that the RFCs were a little bit unclear as to what to do with email that didn't pass, so DMARC was proposed. It's called Domain-based Message Authentication, Reporting and Conformance, which is about the most boring sentence I've ever heard in my life. So DMARC is the go/no-go of email; it's the final decider. So here Cloudflare says that any email that fails SPF or DKIM should be rejected, and also there should be a report sent to these domains. If you look at our authentication primitives, DKIM is something the mail server has, its private signing key, and SPF is something the mail server is, its IP address, which would make DMARC the bouncer, that is, the one that ultimately decides whether or not to let you in. Now DMARC has a very complicated decision tree as to whether or not to send an email to the inbox, but it can be boiled down to these five cases. Now you'll notice that you only need a good SPF or a good DKIM to pass DMARC, and if you pass DMARC you're delivered to the user's inbox. We don't care about the first one, because we only need one or the other, and we don't care about the last one, because we want to spoof the email and actually have it delivered.

So, time for some actual real-world practical attacks based on these three ideas of having a misconfigured SPF, misconfigured DMARC and misconfigured DKIM, starting with bad SPF. So that tool I wrote also cross-references every single IP range in the unrolled SPF record with all the IP ranges from public cloud providers: Oracle, AWS, Azure, GCP, yada yada. It'll cross-reference it, and if there's a match it means I can obtain an IP address from within that range and spoof email for that domain. So I had a client that had this, and I used one of those cloud IP rotator scripts to get an
IP address within the trusted range, which allowed me to send an email from it, and because it was from a trusted IP address it was sent to the user's inbox. Which is why system administrators and security consultants need to seriously consider every single trusted IP range in that record; otherwise you've got an impersonation condition on your hands.

Next up is bad DMARC. Now I had a client that was one of the ASX 200 companies that had a DMARC policy that looked like this. Now they're rejecting emails from their main domain, policy equals reject, but on subdomains they said don't worry about it, subdomain policy equals none. So I picked an interesting subdomain to send emails from, and I made sure it didn't have an SPF record, which it didn't; it didn't even have an A record. Email doesn't care, you can pick whatever you want. So I sent an email from that subdomain, and because it was from a trusted DMARC location it was sent to the victim's inbox. One wrong character in your DNS records can spell disaster for an organization.

Number three, bad DKIM. This one actually required some brain power, unfortunately, because it really hurt. So the way this worked is that I had a grievance with one of the government departments, so in my own time, not on company time, for the record, I did what any sane person would do and I hacked them. Legally; they had a responsible disclosure program, don't worry about that. Now I had an email from this government department in the past and it looked a bit like this, and I noticed two misconfigurations. Can you spot them? Too late. l=4096 means only sign the first 4096 bytes of the email; I hope you can already see a problem with that. The second misconfiguration was these headers, and they weren't doing this thing called oversigning, but we'll get to that in a little bit. Because only the first 4096 bytes of the email are signed, I can tack on whatever adversarial content I want after that and it'll still be valid. Injecting custom headers is a little bit more nuanced. Here's a bit of theory for you: there's a mismatch between the SMTP RFC and the DKIM RFC. SMTP works from the top down: it'll find the first instance of a header and it will interpret that. DKIM works from the bottom up, and the first header it sees in that direction it will use for signing. So in other words, your Gmail, your Outlook, etc. is going to be interpreting that first header, that's what's displayed to the user, but DKIM is going to be signing on the final header. So we've got header injection and we've got content injection, so I was able to spoof email for a federal government department. Thank you, thank you. Except I wasn't, because you'll notice that "Hi Harrison" was in the first 4096 bytes, so I've just drastically reduced the range of people I can make victims of this misconfiguration. Until I went back to the original email, did some more thinking, and I realized, well, I can inject custom headers, can't I tack on a new Content-Type boundary and have the original content still skipped over? It's still in the email source, the signature is still generated based off that, so DMARC passes and the email's delivered. Here's the final proof of concept: custom headers, custom content, and I was able to send arbitrary subjects, to addresses, from addresses, dates and content from this government department. If we dig into it we can see that SPF fails, because, surprise, I didn't have access to a government IP address; we would have bigger problems if I was able to do that. But because of the misconfigurations with the signature policy I passed DKIM, and because you only need one of SPF or DKIM, DMARC passed and it was delivered. Which organization, which department? They were so embarrassed that they didn't want me to call them by name, so I've had to redact them throughout the talk.

Now spoofed email is no joke. I've had colleagues try to brush me off because it's just a low or an informational vuln.
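The three misconfigurations just described (a trusted SPF range shared with other cloud tenants, sp=none in DMARC, and a DKIM signature carrying an l= body-length tag with no oversigned headers) can be caught in a self-audit of your own records. The Python below is an added example against constructed records, not the speaker's tool; the zone names, the cloud range list, the message headers and the DKIM-Signature values are all made up.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed records for a hypothetical zone; a live auditor would query TXT records.
TXT: Dict[str, str] = {
    "example.gov": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example.net -all",
    "_spf.mailer.example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
                               "include:example.gov ~all",  # include loop, on purpose
    "_dmarc.example.gov": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.gov",
}
# Constructed stand-in for the public-cloud range list the talk's tool cross-references.
SHARED_CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Headers a signer should list once more than they occur ("oversigning", RFC 6376 5.4.2).
OVERSIGN = ("from", "to", "subject", "date", "content-type")

def unroll_spf(domain: str, records: Dict[str, str],
               seen: Optional[Set[str]] = None) -> Set[str]:
    """Recursively expand include: terms into every CIDR that passes SPF for domain."""
    seen = set() if seen is None else seen
    if domain in seen:                 # an include loop would otherwise recurse forever
        return set()
    seen.add(domain)
    rec = records.get(domain, "")
    if not rec.startswith("v=spf1"):
        return set()
    cidrs: Set[str] = set()
    for term in rec.split()[1:]:
        if term[0] in "-~?":           # only '+' (pass) terms grant sending rights
            continue
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            cidrs.add(term.split(":", 1)[1])
        elif term.startswith("include:"):
            cidrs |= unroll_spf(term.split(":", 1)[1], records, seen)
    return cidrs

def shared_ranges(cidrs: Set[str]) -> List[str]:
    """CIDRs overlapping tenant-shared cloud space: anyone renting an IP there passes SPF."""
    return sorted(c for c in cidrs
                  if any(ipaddress.ip_network(c).overlaps(r) for r in SHARED_CLOUD_RANGES))

def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag syntax shared by DMARC records and DKIM-Signature headers."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def dmarc_findings(record: str) -> List[str]:
    """Flag policies that let failing mail through; sp= defaults to p= when absent."""
    tags = parse_tags(record)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: mail failing both SPF and DKIM is still delivered")
    if tags.get("sp", tags.get("p", "none")) == "none":
        findings.append("subdomain policy is none: mail from any subdomain is accepted")
    return findings

def dkim_findings(signature: str, headers: List[str]) -> List[str]:
    """Flag an l= body-length limit and key headers that are not oversigned."""
    tags = parse_tags(signature)
    findings = []
    if "l" in tags:
        findings.append(f"l={tags['l']}: body bytes after the first {tags['l']} are unsigned")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    present = [h.split(":", 1)[0].strip().lower() for h in headers]
    for name in OVERSIGN:
        # Listing a header once more than it occurs makes an injected duplicate break the
        # signature; a header signed no more times than it occurs leaves that door open.
        if signed.count(name) <= present.count(name):
            findings.append(f"{name}: signed {signed.count(name)}x but present "
                            f"{present.count(name)}x, so a duplicate header can be injected")
    return findings

# Constructed message headers and DKIM-Signature values (bh=/b= are placeholders).
SAMPLE_HEADERS = ["From: Dept <noreply@example.gov>", "To: citizen@example.org",
                  "Subject: Notice", "Date: Mon, 01 Jan 2024 00:00:00 +0000",
                  "Content-Type: text/plain"]
WEAK_DKIM = ("v=1; a=rsa-sha256; d=example.gov; s=sel1; c=relaxed/relaxed; l=4096; "
             "h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")
HARDENED_DKIM = ("v=1; a=rsa-sha256; d=example.gov; s=sel1; c=relaxed/relaxed; "
                 "h=from:from:to:to:subject:subject:date:date:content-type:content-type; "
                 "bh=PLACEHOLDER; b=PLACEHOLDER")
```

Running `dkim_findings(WEAK_DKIM, SAMPLE_HEADERS)` reports the l= tag plus five non-oversigned headers, while `HARDENED_DKIM` reports nothing; `shared_ranges(unroll_spf("example.gov", TXT))` surfaces the one range that sits in shared cloud space.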
No: for a corporation, if you can spoof email you can phish internal users, you can phish external users, you can tarnish their reputation by sending out some dodgy stuff and get them banned in IP reputation databases, and you can also spoof accounts payable and receivable to maybe make some money out of it. For the government it's a lot worse: you can phish government employees, you can phish the public, you can threaten deportation and use that to extort someone to do whatever, you can request identity documents, and the last one's pretty major given the current tension around the world: if I can send emails on behalf of the government... I'll let your mind go crazy.

All righty, section number three: DNSSEC.
A traditional address lookup with regular DNS looks like that: you request it, you get your answers. DNSSEC, in long, long, long story short, is a signature that you can verify to make sure that those records weren't tampered with in transit. But in my opinion DNSSEC is a misnomer. It's currently called Domain Name System Security; if it was renamed today it'd probably be called DNS Auth, for authentication or authenticity.

Now we're going towards the end of the day, I can feel everyone's a bit groggy, so we're going to do some audience participation. So far for the talks I've attended people have only been asked to raise their hand or not, but no one has asked you to stand up and do ten star jumps. Now I'm not going to, but what I will do is we're going to say this together. On one, you ready? Three, two, one: DNSSEC does not encrypt records. Now that we're all a little bit more awake... there's actually one person left in this room that's still a little bit groggy, I can see him up the back, it's the cameraman, so I hope this could be some extra time. All right. But I mean, there's a reason that Google uses DNSSEC, and Facebook and banks and eBay use it, right?
Oh... well, here's some rapid-fire reasons why organizations may choose not to use DNSSEC. Firstly, it uses cryptography from 20 years ago; it's pretty garbage. Only very, very recently did they approve elliptic-curve cryptography. DNSSEC is government-controlled PKI: now, the root of DNS is protected by a non-government organization, but guess who owns .com, .net and 99% of the internet? And it's not like the US government has ever been known to sort of seize domains willy-nilly, have they? DNSSEC isn't seen by the user: we've done a great job with TLS letting the end user know whether or not their connection is secured with TLS, but me as an end user, I have no idea whether the underlying DNS resolution was secured. DNSSEC has poor software support, and that might be because DNSSEC deployment is so minimal; only three percent of .com domains use DNSSEC, which contributes to this chicken-and-egg problem: no one uses DNSSEC because there's no software support for it, because no one uses DNSSEC, etc. etc. DNSSEC also means giving across your keys: if you want to delegate part of your zone you can use NS records to give it to a third party, maybe a marketing department, to do stuff willy-nilly, but with DNSSEC that means giving your zone signing keys over to them. Pretty dangerous. DNSSEC can also lead to creating a denial of service condition on yourself if you implement it incorrectly. Bad keys and signatures can be cached in DNS for weeks at a time, pretty nasty. There have been some pretty major sites over the years that have gone down due to DNSSEC deployment failures; there have even been whole TLDs. If Cloudflare, who are in the business of DNS and DNSSEC with hundreds of engineers, can't get it right, what hope do our small and medium businesses here in Australia have? They can't even get TLS right. DNSSEC is also heavy: all those signatures contribute to massive answers, which can amplify those DDoS conditions we talked about earlier.

Now we're going to take a breather. Those are my arguments so far, and in a little bit, after my drink, we're going to go through the two final ones. The first is that DNSSEC doesn't protect the final mile. Okay, what does that mean? So here's the user asking for the A record of cloudflare.com. It recursively resolves and gets the answer back to them. So let's see what part of this process DNSSEC protects. The whole bit, right? Well, no, just this part, which means I as an adversary, as long as I'm sitting between the recursive resolver and the end user, can still tamper with traffic protected by DNSSEC. So the recursive resolver might be 1.1.1.1 or Google's 8.8.8.8; in most cases for people in Australia it will be their ISP's DNS server, or on an internal network it might be their Active Directory controller. But again, there's like five to ten different hops between those two points, and if I'm in the middle of any of them DNSSEC means nothing to me. Even the RFC is like, well, that's not our problem, stuff you. So DNSSEC only really protects against BGP hijacks in core internet infrastructure, but if I'm in a position to do that I'm going to be doing far more insidious things than just tampering with end-user DNS traffic. All I as a man in the middle need to do to tamper with DNSSEC-protected traffic is
toggle this single bit. So it's not even that complicated.

This is a fun one, this is my favourite, I've done a lot of research into this. Do you remember from around 2004-ish all the AXFR DNS zone transfer issues? Me personally, I didn't; I wasn't born yet. Well, they're back with DNSSEC. If you use DNSSEC you have to use a protocol that I'm about to introduce. Now DNS traditionally has two negative answers: there's NXDOMAIN if the name doesn't exist, and there's NODATA if the name exists but not the record type you're looking up. What's this? Well, even if DNSSEC worked perfectly end to end, I as a man in the middle could still say NXDOMAIN, NXDOMAIN, NXDOMAIN and still DoS them, even if I can't tamper with the underlying records. Well, the DNSSEC authors thought about this and they said we need some kind of measure to make sure that we can still sign null data, so we need to insert some kind of data that we can sign on negative records. So if I look this up, blockchain.stanford.edu doesn't exist, so again, NXDOMAIN error, but this is gratuitously returned to me. So what does that mean? Well, DNSSEC is saying that there is nothing between blocky and bluemacbackup, so if you try and look up any name in between there it's not going to exist. Not only that, but it tells me exactly what records are available for blocky; I don't even have to guess. You've got your little infosec cogs in your brain going: if we can get adjacent names, can't we just linearly walk every single range? Well, yes, obviously; that's a rhetorical question. If we again look at Stanford and we look up non-existent domains iteratively, alphabetically, we get bluemacbackup, bluemacbook12, blood, bloodcenter, www.bloodcenter, etc. etc. But DNSSEC doesn't just work on domains and subdomains, it works on TLDs too. So here in the .mom zone I can enumerate every single name: yourchoice, yourgirlfriend, yourboy, yourdating. I didn't plan this.
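What a single negative answer gives away can be checked from your own zone's responses. As an added example (constructed records, not the speaker's tool), the Python below orders names the way RFC 4034 does, decides which query names an NSEC record proves absent, and classifies the answer as plain NSEC, NSEC3, or the minimally covering "white lie" form the talk comes back to at the end. The zone names and the hash labels are made up.

```python
from typing import List, Tuple

BASE32HEX = set("0123456789abcdefghijklmnopqrstuv")

def canonical_key(name: str) -> List[bytes]:
    """RFC 4034 canonical ordering key: labels compared right to left, case-folded."""
    labels = name.rstrip(".").lower().split(".")
    return [lab.encode("latin-1") for lab in reversed(labels)]

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname lies in the gap (owner, nxt) that this NSEC record proves empty.
    When nxt sorts at or before owner, the record is the last in the chain and wraps."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if n <= o:
        return q > o or q < n
    return o < q < n

def is_minimally_covering(owner: str, nxt: str) -> bool:
    """'White lie' NSEC: next name is owner with a leading \\000 label, so the proven-empty
    gap holds no real name and nothing about the zone's neighbours is disclosed."""
    return canonical_key(nxt) == canonical_key(owner) + [b"\x00"]

def is_nsec3_owner(owner: str) -> bool:
    """NSEC3 owner names are a 32-character base32hex label (a SHA-1 hash) under the apex."""
    first = owner.split(".")[0].lower()
    return len(first) == 32 and set(first) <= BASE32HEX

def disclosure(owner: str, nxt: str, types: List[str]) -> Tuple[str, List[str]]:
    """Classify one negative answer and list the real names it hands to the querier."""
    if is_nsec3_owner(owner):
        return ("NSEC3: neighbours are SHA-1 hashes, walkable only by cracking them", [])
    if is_minimally_covering(owner, nxt):
        return ("minimally covering NSEC: no neighbouring name disclosed", [])
    return (f"plain NSEC: {owner} exists with {','.join(types)}; no names up to {nxt}",
            [owner, nxt])

# Constructed answers modelled on the talk's university and .mom examples.
PLAIN = ("blocky.example.edu", "bluemacbackup.example.edu", ["A", "RRSIG", "NSEC"])
WHITE_LIE = ("blog.example.net", "\x00.blog.example.net", ["RRSIG", "NSEC"])
HASHED = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.org",
          "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.org", ["A", "RRSIG"])
```

`disclosure(*PLAIN)` returns both neighbouring names, which is exactly what a walker collects; the other two constructed answers return none.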
And I've got a little bit of an analogous point. DNS is great, and I've been talking about that, but as we all know, you know, security conference, humans are the weakest link, and I'd just like to point that out in this presentation here, because there are two people in this room that shouldn't be. They snuck in, they socially engineered; I didn't know they had the heart to do it, but somehow my parents have sweet-talked the organizers into being let in. Give everyone a wave. Hi Mum, hi Dad. Not only are they good social engineers, they're also good OSINTers, because I didn't tell them what time my talk was, so clearly they looked it up online. You've got a job when we get back, right?

But you can't just enumerate subdomains and domains, you can actually go to the root DNS zone and enumerate TLDs, so you get aaa, bar, abbott; if you continue you'll get .com, .eu, etc. I wrote a tool, yeah I did, I already said that, that does this for you automatically; you no longer need to use dig to look up every single range individually. But the DNS people got together and they were like, this whole plaintext range thing sounds like a terrible idea, so NSEC3 was introduced. TL;DR, it SHA-1 hashes the adjacent names, which is a step in the right direction, but it's not quite there: you can no longer linearly walk all the ranges, but we still get and can crawl the hash ranges, which is great, because they're SHA-1 and hashcat just goes to town. White paper, very academic and boring, I'm going to speed over it, but I had a look at the prevalence of NSEC and NSEC3 records on the internet. TL;DR, I managed to crack 44% of all NSEC3 domains on the internet. I appreciate fully that that doesn't sound impressive: you have www, you have blog, etc., they're very easily cracked. These, not so much, and for whatever reason there's a whole bunch of junk in people's domains. Again, another thing to point out is PayPal; they were using NSEC, the plaintext protocol, while I was doing my research. I wrapped up, went back to them, they've changed to NSEC3. I like to think that was me, I'm going to lay claim to that, but I thought that was pretty cool. So 44% is demonstrably more than you can get with your traditional methods: certificate transparency logs, brute forcing, etc. So not to shill my tool, but if you have an NSEC3 zone you are better off running that than doing your traditional DNS brute forcing.
Why should you care? Well, if I can enumerate your entire zone I can find records you probably didn't intend to make public. For whatever reason, system administrators put sensitive records in a public database hoping you're not going to find it. Well, you might find secret.admin.portal.example.com, for instance. Government agencies, beware; told you those spooks are somewhere, I can still smell them. If you can walk .gov or .mil you might find something spicy. And if a domain is, say, a software-as-a-service provider, they might set up a subdomain for each of their clients; if I'm a competitor I can probably crawl those and steal their clientele list.

With that, people were like, guys, NSEC3, terrible protocol, can you see what you're introducing here? And they introduced an idea called DNSSEC white lies, or otherwise called minimally covering records. So rather than giving you the exact range at runtime, it generates a response that's a very, very slim, thin sliver. So I looked up a non-existent domain between blog and whatever the next thing is, and all it returned to me was this backslash zero zero zero. So it's still RFC compliant, because it's giving me a range that there are no records within, but it's not actually disclosing the actual names in the zone, which is a great solution.

What does the future of DNS and DNSSEC look like? Well, I don't know, I'm not a fortune teller, but I'll hazard a guess. You may have seen DNS over TLS or DNS over HTTPS, where they work from the end user up, rather than DNSSEC, which is the root zone down. Then there's DNS over Tor, but generally people like their web pages to load within ten minutes. Then there's DNSCurve, which is DNSSEC just reimagined 20 years later, incorporating all of the failures into this new thing. Now I've been all doom and gloom and FUD on DNSSEC; some of you may ask, is it still worth implementing today, is there any marginal benefit to it? I would heavily, heavily warn against implementing it yourself with BIND or whatever. I'm not paid to say this, but in my research Cloudflare were the only ones that addressed the security problems that I identified earlier. So should an organization implement DNSSEC in 2022? I think the answer is pretty clear: that you should do your own research and form your own opinion.

To recap, we've had almost 200 slides in the last 30 minutes. We had a look at how DNS is the root of internet identity and security, which is fine, because it's not like it's some rickety bridge connecting, you know, two really secure islands next to each other. There's also trolls that may be listening and tampering with traffic, but even if that were the case... it is, but just for the narrative. DNSSEC is meant to solve that, right? Well, no, not exactly; in fact it can even make things worse, with zone disclosures and DoS conditions. And finally we had a look at how just a few little errors in your DNS records can lead to some pretty dire consequences. So security consultants and system administrators, I'm pleading with you, because my colleagues won't listen: spare a thought for DNS, and also slap some sunscreen on your RAM to protect you from alien hackers stealing your credentials with the power of the sun. Thank you.

Thank you.